Configuring BlackBerry devices to enroll certificates over the wireless network
You can configure the BlackBerry Enterprise Server to permit BlackBerry devices to enroll certificates that the devices can use with any PKI-enabled application or process. You can permit devices to enroll the certificates instead of instructing users to send the certificates to themselves in an email message or use the certificate synchronization tool in the BlackBerry Desktop Software. When you configure the BlackBerry Enterprise Server to permit devices to enroll certificates, you can control how users request certificates and which certification authority issues the certificates.
For example, you might want Wi-Fi enabled BlackBerry devices to enroll certificates so that they can authenticate to an enterprise Wi-Fi network.
You can enroll certificates from one of the following certification authorities:
- RSA certification authority
- Microsoft standalone certification authority
- Microsoft enterprise certification authority
During the enrollment process, the BlackBerry MDS Connection Service can verify the certificate if the certificate includes an email address in the subject DN. The BlackBerry MDS Connection Service verifies the certificate by checking if the email address in the subject DN of the certificate matches the email address that is assigned to the device. For more information about the enrollment process, see the BlackBerry Enterprise Solution Security Technical Overview.
You can make the certificate enrollment process required so that devices automatically start the certificate enrollment process after the devices receive the updated IT policy from the BlackBerry Enterprise Server. If you do not make the certificate enrollment process required, you must instruct users to start the CA Profile Manager on the devices manually.