BlackBerry Administration Service for Microsoft Exchange Help 5.0 SP3

Enrolling certificates

Configuring BlackBerry devices to enroll certificates over the wireless network

You can configure the BlackBerry® Enterprise Server to permit BlackBerry devices to enroll certificates that the devices can use with any PKI-enabled application or process. You can permit devices to enroll the certificates instead of instructing users to send the certificates to themselves in an email message or use the certificate synchronization tool in the BlackBerry® Desktop Software. When you configure the BlackBerry Enterprise Server to permit devices to enroll certificates, you can control how users request certificates and which certification authority issues the certificates.

For example, you might want Wi-Fi® enabled BlackBerry devices to enroll certificates so that they can authenticate to an enterprise Wi-Fi network.

You can enroll certificates from one of the following certification authorities:

  • RSA® certification authority
  • Microsoft® standalone certification authority
  • Microsoft enterprise certification authority

During the enrollment process, the BlackBerry MDS Connection Service can verify the certificate if the certificate includes an email address in the subject DN: it checks that the email address in the subject DN of the certificate matches the email address that is assigned to the device. A certificate whose subject DN carries no email address is not verified in this way, so if you rely on this check, make sure the certificate template places the user's email address in the subject. For more information about the enrollment process, see the BlackBerry Enterprise Solution Security Technical Overview.
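The subject DN check described above, as an added example that is not BlackBerry code: a small RFC 4514 DN string parser that extracts the email attribute and compares it with the address assigned to the device, returning "skipped" (no email in the subject DN), "verified" or "mismatch". The DN strings, addresses and the set of attribute-type spellings it accepts are assumptions.

```python
"""Subject-DN e-mail check of the kind the page describes for the BlackBerry
MDS Connection Service.  Added example, not BlackBerry code: the DN strings,
addresses and the attribute-type spellings below are assumptions."""

# Attribute types under which an e-mail address may appear in a subject DN
# (short names used by common tools, plus the PKCS#9 emailAddress OID).
EMAIL_ATTRIBUTE_TYPES = {"E", "EMAIL", "EMAILADDRESS", "1.2.840.113549.1.9.1"}


def parse_dn(dn):
    """Split an RFC 4514 style DN string into a list of (type, value) pairs.

    Backslash escapes (CN=Doe\\, Jane) and quoted values ("Doe, Jane") are
    honoured, so a comma inside a value is not taken for an RDN separator.
    '+' (multi-valued RDN), ',' and ';' all end the current attribute.
    """
    avas, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # keep the escaped character literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes      # quotes delimit, they are not data
        elif ch in ",;+" and not in_quotes:
            avas.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    avas.append("".join(buf))

    result = []
    for ava in avas:
        if not ava.strip():
            continue
        if "=" not in ava:
            raise ValueError("malformed attribute in DN: %r" % ava)
        typ, val = ava.split("=", 1)       # first '=' separates type and value
        result.append((typ.strip().upper(), val.strip()))
    return result


def subject_email(subject_dn):
    """Return the e-mail address carried in the subject DN, or None."""
    for typ, val in parse_dn(subject_dn):
        if typ in EMAIL_ATTRIBUTE_TYPES:
            return val
    return None


def check_enrolled_certificate(subject_dn, device_email):
    """Apply the page's rule to one enrolled certificate.

    Returns "verified" when the subject DN e-mail matches the address assigned
    to the device, "mismatch" when it does not, and "skipped" when the subject
    DN carries no e-mail address at all (the page says the check happens only
    if one is present).  Comparing case-insensitively is an assumption: the
    domain part is case-insensitive, the local part strictly need not be.
    """
    cert_email = subject_email(subject_dn)
    if cert_email is None:
        return "skipped"
    if cert_email.strip().lower() == device_email.strip().lower():
        return "verified"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample data, not taken from any real enrollment.
    device = "jane.doe@example.com"
    for dn in ("CN=Jane Doe,OU=Sales,O=Example Corp,E=jane.doe@example.com",
               'CN="Doe, Jane",emailAddress=JDoe@example.com',
               "CN=Jane Doe,OU=Sales,O=Example Corp"):
        print("%-60s -> %s" % (dn, check_enrolled_certificate(dn, device)))
```

The "skipped" outcome is the one to watch: a template that builds the subject without an email attribute yields certificates the service never compares against the device's address, which is why the subject name layout on the template matters.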

You can make the certificate enrollment process required so that devices automatically start the certificate enrollment process after the devices receive the updated IT policy from the BlackBerry Enterprise Server. If you do not make the certificate enrollment process required, you must instruct users to start the CA Profile Manager on the devices manually.

Configure the BlackBerry MDS Connection Service to connect to the certificate authority

If your organization's environment includes a Microsoft® enterprise certification authority, the certification authority requires Windows® authentication, and a certification authority administrator must approve certificate requests, you must configure the BlackBerry® MDS Connection Service with the server name of the certification authority and the certification authority credentials so that the BlackBerry MDS Connection Service can send certificate requests to the certification authority.
Before you begin: Create a custom template on the certification authority that does not permit the subject name to originate from information in Microsoft® Active Directory® (on the template's Subject Name tab, choose to supply the subject name in the request rather than build it from Active Directory information). Because the requester then supplies the subject name, keep the template's enrollment permissions restricted and rely on the certificate manager approval step, so that nobody can obtain a certificate for an identity they do not own.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the HTTP tab, in the Name field, type the certificate authority name.
  5. In the Service URL field, type the URL that the BlackBerry MDS Connection Service can use to send certificate requests to the certification authority using the following format: http://<FQDN_of_CA_server>:<port_number>/* (for example, http://myca.mycompany.com:80/*). Use <port_number>/* to make sure that the BlackBerry MDS Connection Service can access all the URLs for the certification authority.
  6. In the Settings section, in the User name field, type the name of a certification authority administrator account that can approve certificate requests using one of the following formats: domain\username or username@domain. Use a dedicated account that holds the Issue and Manage Certificates permission on the certification authority and nothing more, because the credentials are stored with the BlackBerry MDS Connection Service configuration.
  7. In the Password and Confirm password fields, type the password for the certification authority administrator account.
  8. Click the Add icon.
  9. Click Save all.
After you finish:
  • Write down the URL for the certification authority that you typed in the Service URL field. You must add the <FQDN_of_CA_server> that you configured in step 5 to the Certificate Authority Host IT policy rule, and the <port_number> that you configured in step 5 to the Certificate Authority Port IT policy rule.
  • Add the certification authority information to a BlackBerry MDS Connection Service configuration set.
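Steps 5 and 6 and the first "After you finish" item pin down a format for the Service URL and require the same FQDN and port to be repeated in two IT policy rules. The following added example (not BlackBerry code; the URLs, host names and policy values are constructed) validates a Service URL against the page's format, derives the Certificate Authority Host and Certificate Authority Port values from it, reports any discrepancy with what is set in the IT policy, and checks the account name format from step 6.

```python
"""Consistency check between the BlackBerry MDS Connection Service 'Service
URL' for the certification authority and the Certificate Authority Host /
Certificate Authority Port IT policy rules, which the page says must carry
the same FQDN and port.  Added example, not BlackBerry code; the URLs, host
names and policy values used below are constructed."""
from urllib.parse import urlsplit


def parse_service_url(url):
    """Validate the page's format http://<FQDN_of_CA_server>:<port_number>/*
    and return the (host, port) pair that belongs in the IT policy rules."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):      # the page documents http://
        raise ValueError("Service URL scheme must be http, got %r" % parts.scheme)
    if not parts.hostname or "." not in parts.hostname:
        raise ValueError("Service URL host must be the fully qualified CA server name")
    if parts.port is None:                           # the page requires <port_number>/*
        raise ValueError("Service URL must give the port explicitly, e.g. :80")
    if parts.path != "/*" or parts.query or parts.fragment:
        raise ValueError("Service URL must end in /* so every CA URL is reachable")
    if parts.username or parts.password:
        raise ValueError("keep the CA account out of the URL; it belongs in the "
                         "User name and Password fields")
    return parts.hostname, parts.port


def is_valid_service_url(url):
    """True when parse_service_url() accepts the URL."""
    try:
        parse_service_url(url)
        return True
    except ValueError:
        return False


def it_policy_discrepancies(url, policy_host, policy_port):
    """Compare the Service URL with the two IT policy rule values.

    Returns a list of human-readable problems; an empty list means the IT
    policy names the same CA the BlackBerry MDS Connection Service talks to.
    """
    host, port = parse_service_url(url)
    problems = []
    if str(policy_host).strip().lower() != host.lower():
        problems.append("Certificate Authority Host is %r but the Service URL names %r"
                        % (policy_host, host))
    if str(policy_port).strip() != str(port):
        problems.append("Certificate Authority Port is %r but the Service URL uses %d"
                        % (policy_port, port))
    return problems


def is_valid_ca_account_name(name):
    """Accept only the two credential formats the page allows for the CA
    account: domain\\username or username@domain."""
    if name.count("\\") == 1 and "@" not in name:
        domain, user = name.split("\\")
        return bool(domain) and bool(user)
    if name.count("@") == 1 and "\\" not in name:
        user, domain = name.split("@")
        return bool(user) and bool(domain)
    return False


if __name__ == "__main__":
    url = "http://myca.mycompany.com:80/*"          # constructed, mirrors the page's example
    print(parse_service_url(url))
    print(it_policy_discrepancies(url, "myca.mycompany.com", "80"))
    print(it_policy_discrepancies("http://myca.mycompany.com:8080/*", "myca", "80"))
```

A mismatch between the Service URL and the IT policy rules is the common failure: the device builds its request from the IT policy, the service forwards it only to the URL it was configured with, and neither side logs the other's value, so checking them together before resending the IT policy saves a round of failed enrollments.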

Add communication information to a BlackBerry MDS Connection Service configuration set

A BlackBerry® MDS Connection Service configuration set is a set of service configurations that the BlackBerry MDS Connection Service instances in your organization can use to communicate with a remote file system, an LDAP server, a DSML server, a CRL server, an OCSP server, or a certification authority. You must add the communication information that the BlackBerry MDS Connection Service requires to communicate with servers to a configuration set so that a BlackBerry MDS Connection Service instance can communicate with the servers after you assign the configuration set to the instance.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the Configuration Sets tab, perform one of the following actions:
    • To create a configuration set, in the Configuration set name section, type a name and description for the configuration set.
    • To change an existing configuration set, click the Edit icon.
  5. In the Priority Service group drop-down list, click the name of the service that you want to configure the communication method for.
  6. In the Service (Name : Description) drop-down list, click the name of the communication method that you want to configure.
  7. Click the Add icon.
  8. To specify which communication method the BlackBerry MDS Connection Service tries first when it connects to the server, click the Up and Down arrows. The BlackBerry MDS Connection Service resolves conflicts by applying the communication methods in the order that you specify. The order applies to LDAP, DSML, and file communication separately, and it lets the BlackBerry MDS Connection Service resolve conflicts between domains when you have created multiple communication methods for the same URL.
  9. Perform one of the following actions:
    • To add a new configuration set, click the Add icon.
    • To update an existing configuration set, click the Update icon.
  10. Click Save all.
After you finish:
  • To confirm your changes, click the View icon.
  • Assign the configuration set to a BlackBerry MDS Connection Service.

Managing an enrolled certificate

After a BlackBerry® device enrolls a certificate, the CA Profile Manager monitors the certificate's expiry date and revocation status. When the expiry date approaches or the certification authority revokes the certificate, the CA Profile Manager generates a new public-private key pair, and starts the certificate enrollment process for a new certificate.

The certificate enrollment process can also start again if you change the following IT policy rules and resend the IT policy:

  • Certificate Authority Profile Name
  • Certificate Authority Type
  • Certificate Authority Host
  • Common Name Components
  • Custom Microsoft Certificate Authority Certificate Template
  • Distinguished Name Components
  • Key Algorithm
  • Key Length
  • Microsoft Certificate Authority Certificate Template
  • RSA Certificate Authority Certificate ID
  • RSA Jurisdiction ID

A certificate enrollment process does not delete the existing certificate from the device key store or notify the certification authority that the certificate is no longer in use, so the superseded certificate remains valid until it expires unless you revoke it on the certification authority yourself. The BlackBerry® Enterprise Server deletes the existing certificate from the BlackBerry Configuration Database when the certificate enrollment process starts for a new certificate.

Also, if a certificate is expired or revoked, you or a BlackBerry device user can update the certificates on the device using the certificate synchronization tool in the BlackBerry® Desktop Software or by copying an updated certificate from a media card or smart card.

For more information about deleting or revoking certificates, see the user guide for the device.