Managing an enrolled certificate
After a BlackBerry device enrolls a certificate, the CA Profile Manager monitors the certificate's expiry date and revocation status. When the expiry date approaches or the certification authority revokes the certificate, the CA Profile Manager generates a new public-private key pair and starts the certificate enrollment process for a new certificate.
The certificate enrollment process can also start again if you change the following IT policy rules and resend the IT policy:
- Certificate Authority Profile Name
- Certificate Authority Type
- Certificate Authority Host
- Common Name Components
- Custom Microsoft Certificate Authority Certificate Template
- Distinguished Name Components
- Key Algorithm
- Key Length
- Microsoft Certificate Authority Certificate Template
- RSA Certificate Authority Certificate ID
- RSA Jurisdiction ID
A certificate enrollment process does not delete the existing certificate from the device key store or notify the certification authority that the certificate is no longer in use. The BlackBerry Enterprise Server deletes the existing certificate from the BlackBerry Configuration Database when the certificate enrollment process starts for a new certificate.
Also, if a certificate is expired or revoked, you or a BlackBerry device user can update the certificates on the device using the certificate synchronization tool in the BlackBerry Desktop Software or by copying an updated certificate from a media card or smart card.
For more information about deleting or revoking certificates, see the user guide for the device.
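Because re-enrollment leaves the old certificate in the device key store and does not notify the certification authority, a certificate replaced after a policy change can remain valid until it expires. The following audit sketch is an added example, not BlackBerry code: it models the re-enrollment triggers described above and lists superseded certificates that still need to be revoked or deleted. The record layout, function names, sample serials, and the 30-day renewal window are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# IT policy rules the page lists as restarting enrollment when changed and resent.
ENROLLMENT_RULES = frozenset({
    "Certificate Authority Profile Name", "Certificate Authority Type",
    "Certificate Authority Host", "Common Name Components",
    "Custom Microsoft Certificate Authority Certificate Template",
    "Distinguished Name Components", "Key Algorithm", "Key Length",
    "Microsoft Certificate Authority Certificate Template",
    "RSA Certificate Authority Certificate ID", "RSA Jurisdiction ID",
})

def reenrollment_reasons(cert, old_policy, new_policy, now, window=timedelta(days=30)):
    """Why a new enrollment would start; the 30-day window is an assumed value."""
    reasons = []
    if cert["revoked"]:
        reasons.append("revoked")
    if cert["not_after"] - now <= window:
        reasons.append("expiry approaching")
    changed = sorted(r for r in ENROLLMENT_RULES
                     if old_policy.get(r) != new_policy.get(r))
    return reasons + [f"policy changed: {r}" for r in changed]

def stale_certificates(key_store, now):
    """Superseded certificates that still validate: unexpired and unrevoked."""
    return [c["serial"] for c in key_store
            if c["superseded"] and not c["revoked"] and c["not_after"] > now]

# Constructed sample data (hypothetical record layout, not a BlackBerry export).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
OLD_POLICY = {"Key Algorithm": "RSA", "Key Length": "1024"}
NEW_POLICY = {"Key Algorithm": "RSA", "Key Length": "2048", "Some Other Rule": "x"}
KEY_STORE = [
    {"serial": "SAMPLE-01", "not_after": NOW + timedelta(days=200),
     "revoked": False, "superseded": True},   # replaced after the Key Length change
    {"serial": "SAMPLE-02", "not_after": NOW - timedelta(days=5),
     "revoked": False, "superseded": True},   # replaced because it expired
    {"serial": "SAMPLE-03", "not_after": NOW + timedelta(days=365),
     "revoked": False, "superseded": False},  # current certificate
]

if __name__ == "__main__":
    print(reenrollment_reasons(KEY_STORE[0], OLD_POLICY, NEW_POLICY, NOW))
    print("revoke or delete:", stale_certificates(KEY_STORE, NOW))
```

Only SAMPLE-01 is reported: it was replaced for a policy reason, so nothing has invalidated it, while SAMPLE-02 has already expired.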