Category filter

How to Add Certificates for Android Devices

A certificate contains digital data that can secure and authenticate your users to access corporate resources through VPN, Wi-Fi, etc. In addition, it can secure network connections, validate email communications and authenticate users to seamlessly access data.

IT administrators can now leverage the security features in Hexnode UEM to remotely add identity certificates and certificate authorities to Android devices. Once a certificate is uploaded to a policy, it is readily available for use in every other configuration within the same policy where certificate selection is required.


  • Works on devices running Android 5.0+.
  • This feature is available in all plans of Hexnode UEM except Express plan.
  • Certificates are silently installed on Samsung Knox devices and devices enrolled via the Android Enterprise program. However, certificates that are password-protected will not install silently on Android Enterprise devices. You will have to click on Click to Install to install the certificate on other devices. Even if the certificate is installed, the Click to Install button will still be shown.
  • To silently remove the certificates from Samsung Knox devices and devices enrolled in the Android Enterprise program, edit the policy and remove the certificate or remove the policy.


  • The certificate won’t be installed if the device is not secured with a password. If the password is not set on the device and the certificate policy is being associated, a prompt appears asking to set the password. The certificate can then be installed after setting a device password.
  • For devices enrolled via the Android Enterprise program, a device password is not mandatory to install certificates silently.

Add Certificate

  1. Log in to your Hexnode UEM Portal.
  2. Go to Policies.
  3. Select an existing policy or create a new one by clicking on New Policy.
  4. From Android > Security, select Certificates and click on Configure.
  5. Configure the following option, if necessary:
    • Remove all user installed trusted credentials: Check this option to remove all the trusted CA certificates installed by the user and thereby avoid any malicious certificates. Enabling this option will not remove any system CA certificates and certificates installed via the policy. This option is disabled by default.
  6. Click on Add Certificate and upload the credential certificate.

The certificate will have the following credentials.

  • Credential Name: This field becomes visible once the certificate has been uploaded. It will be already filled. However, you can change the name if required. This name is merely to identify the certificate.
  • Keystore: It specifies the purpose for which the certificate is used. It can take any of the following three options:
    1. Default: This allows the certificate to be used for any purpose within the device.
    2. Wi-Fi: This allows the certificate to be used as identity certificate for Wi-Fi.
    3. VPN and APPS: This allows the certificate to be used as VPN credentials or for authenticating app communications.


    Keystore is valid only for silent installation of the certificates.

  • Credential details: It includes the certificate details such as Subject, Issuer and Expiry date.

  • Certificates with extensions .p12 and .cer will be installed silently.
  • For certificates with .p12 extensions, a password will also be available along with the certificate. This password must be provided along with the uploaded certificates.
  • If the password provided is correct, then silent installation takes place. However, if the password is incorrect, you may have to manually install the certificate.
  • The certificates installed from the Hexnode console can be used either with the Android applications or to authenticate the device for establishing a VPN connection.

Associate Policies with Devices / Groups

If the policy has not yet been saved:

  1. Navigate to Policy Targets.
  2. Click on +Add Devices.
  3. Select the devices and click OK.
  4. Click on Save to apply the policies to devices.

Apart from devices, you can also associate the policies with device groups, users, user groups, and domains from Policy Targets.

If the policy has been saved, you can associate it with another method.

  1. From Policies, check the policies to be associated.
  2. Click on Manage → Associate Targets and select the device.
  3. Click on Associate to apply policy to the devices.

After importing the certificate to the policy, you may use the edit action to modify the Credential Name, Keystore and Passcode values. It will be reflected across the target devices once the policy is saved.
deploy certificates to Android devices and edit certificate attributes

  • Managing Android Devices