Import a new SSL certificate into the web keystores

When you install BlackBerry Enterprise Service 10, the setup application generates and stores an SSL certificate in two password-protected keystore files: as.web.keystore and ncc.web.keystore. You can import a new SSL certificate or a trusted certificate that a CA signs into both keystores.

The SSL certificate used by the Administration Console (also known as the Universal Device Service administration console) is stored in a separate key store. If you want to import a new SSL certificate for the Administration Console, visit www.blackberry.com/go/kbhelp to read article KB31084.

Before you begin:

• Generate or obtain a self-signed SSL certificate or a trusted certificate that a CA signs. The certificate must be in a keystore format (.jks, .pfx, .pkcs12). If you configure a BlackBerry Administration Service pool, you must generate an SSL certificate that uses the name of the BlackBerry Administration Service pool. You can find the pool name in the BES10 Configuration Tool.
• The SSL certificate must use the alias "httpssl".
• Add the FQDN of each computer that hosts the BlackBerry Web Services to the certificate's Subject Alternative Name field. This allows you to view information for each Universal Device Service instance in BlackBerry Management Studio after you import the certificate.
• To verify the current password for the keystores, log in to the BlackBerry Administration Service using an administrator account with the Security Administrator role. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. Click BlackBerry Administration Service and check the Security settings section.

After you finish:

• Restart any computers that host the BlackBerry Enterprise Service 10 administration consoles.
• Restart any computers that host the BlackBerry Enterprise Service 10 core components.