Managing SCEP profiles

You can use SCEP profiles to specify settings for enrolling certificates to devices. SCEP profiles can be associated with Wi-Fi profiles, VPN profiles, and email profiles. Devices can use the certificates obtained using SCEP for certificate-based authentication with a work Wi-Fi network, work VPN, or work messaging server.

Certificate enrollment using SCEP starts after the device receives the SCEP profile that you configure using the BlackBerry Device Service. The device can download CA profiles during the activation process, when you change a SCEP profile, or when you assign another SCEP profile to a user account.

After the certificate enrollment completes, the client certificate, its certificate chain, and its private key are stored in the work keystore on the device. The SCEP component monitors the expiry date of any certificate that was obtained using SCEP. When the expiry date of a certificate approaches, the SCEP component starts the certificate enrollment process for a new certificate. You can use the Automatic Renewal SCEP profile setting to specify the number of days before a certificate expires that automatic renewal occurs.

The certificate enrollment process can also start again if you change the following IT policy rules:
  • Certification Authority Identifier
  • Certificate Thumbprint
  • ECC Strength
  • Key Algorithm
  • RSA Strength

Starting a new certificate enrollment process does not delete the existing certificate from the device or notify the CA that the certificate is no longer in use. If a SCEP profile is removed from the BlackBerry Device Service, the corresponding certificate is not removed from the device.
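
Because re-enrollment neither deletes the old certificate nor tells the CA about it, an administrator may want to review issued certificates for superseded ones that are still valid. The following is an added example, not BlackBerry code: it takes a list of issued certificates and reports which current certificates are inside the renewal window and which superseded certificates remain valid. The record layout, the sample data and the 30-day window are constructed assumptions, not an export format of the BlackBerry Device Service or of any CA.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IssuedCert:
    subject: str          # identity the certificate was issued to
    serial: str
    not_before: datetime
    not_after: datetime


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory (hypothetical export from the CA, not real data).
SAMPLE = [
    IssuedCert("device-a", "01", utc(2024, 1, 1), utc(2025, 1, 1)),
    IssuedCert("device-a", "02", utc(2024, 12, 2), utc(2025, 12, 2)),  # renewal
    IssuedCert("device-b", "03", utc(2024, 2, 1), utc(2025, 1, 10)),
    IssuedCert("device-c", "04", utc(2023, 6, 1), utc(2024, 6, 1)),    # expired
    IssuedCert("device-c", "05", utc(2024, 5, 10), utc(2025, 5, 10)),
]


def audit(certs, now, renew_days):
    """Return (due, stale) serial lists.

    due:   newest certificate per subject that is inside the renewal window.
    stale: superseded certificates that are still within their validity
           period, i.e. candidates for revocation at the CA.
    """
    newest = {}
    for c in certs:
        cur = newest.get(c.subject)
        if cur is None or c.not_before > cur.not_before:
            newest[c.subject] = c
    window = timedelta(days=renew_days)
    due = sorted(c.serial for c in newest.values()
                 if c.not_after - window <= now < c.not_after)
    stale = sorted(c.serial for c in certs
                   if c is not newest[c.subject]
                   and c.not_before <= now < c.not_after)
    return due, stale


if __name__ == "__main__":
    due, stale = audit(SAMPLE, utc(2024, 12, 15), renew_days=30)
    print("renewal due:", due)
    print("superseded but still valid:", stale)
```

Expired certificates are deliberately left out of the stale list, since they can no longer be used for authentication.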

For more information about the profile settings, see SCEP profile settings.