Create a client certificate profile for SCEP
You can use a client certificate profile for SCEP to specify how devices obtain certificates from your organization's CA. SCEP is a protocol that is used to automate the submission of certificate requests to a SCEP service and issue client certificates to supported devices. Devices use the certificates to authenticate with your organization's servers.
Android devices do not support SCEP.
Before you begin: If you want the Universal Device Service to use a dynamic password obtained from an external SCEP service, configure the external SCEP settings. For instructions, see Configure the external SCEP settings.
- On the menu bar, click Library.
- In the Shared certificate pane, click the + icon.
- In the Certificate name field, type a name for the profile.
- In the Certificate description field, type a description for the profile.
- In the Certificate source drop-down list, click SCEP.
- If the certificates need a subject alternative name, perform the following actions:
  - In the Alternative subject name type drop-down list, click the appropriate type.
  - In the Alternative representation of the certificate subject field, type the subject alternative name. The value must be an email address, the DNS name of the CA server, or the fully qualified URL of the server.
  - In the NT principal name for certificate generation field, type the user principal name.
- If your CA uses HTTP instead of HTTPS, in the Fingerprint for enrolling a SCEP certificate field, paste the CA certificate fingerprint. Devices use the fingerprint to confirm the identity of the CA during the enrollment process.
- If you want to permit users to use the certificate for digital signatures, select the Use the generated certificate for digital signatures check box.
- If you want to permit users to use the certificate for encryption, select the Use the generated certificate for key encipherment check box.
- In the Key size for certificate generation field, type the key size. The default value is 1024.
- If necessary for your organization's SCEP configuration, in the Subject field, type CN=<common_name>,O=<domain_name>.
- If you want to permit devices to retry the server connection if the first attempt fails, perform the following actions:
  - Select the Retry SCEP connection check box.
  - In the Number of times SCEP connection should be retried field, type the number of times that devices can try to connect.
  - In the Time in seconds before the SCEP connection should be retried field, type the number of seconds that devices should wait between each attempt.
- If you want to proxy SCEP requests from devices through the Universal Device Service, select the Proxy SCEP requests through the Universal Device Service check box.
- In the SCEP server configuration type drop-down list, perform one of the following actions:
  - If you want the system to use the external SCEP settings that you configured, click External.
  - If you want to specify the SCEP settings, click Defined.
- If you selected Defined in step 14, perform the following actions:
  - In the CA-IDENT attribute of the SCEP configuration field, type the name of the CA.
  - In the Pre-shared secret type to use in certificate generation drop-down list, click None or Plain text. If you select Plain text, type the pre-shared secret.
  - In the Base URL of the SCEP server field, type the URL of the SCEP server.
- Click Save.
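When the CA is reached over HTTP, the fingerprint you paste into the profile is the only thing a device has to confirm the CA's identity, so it pays to compute it from the CA certificate yourself and compare it with what you pasted. The following Python is an added example, not part of this documentation or the Universal Device Service: it decodes a PEM certificate to DER, hashes the DER bytes the way OpenSSL's `-fingerprint` option does, and compares two fingerprint strings regardless of colons or case. `SAMPLE_PEM` is a constructed placeholder (its body is just base64 of "abc", so the expected hashes are known); a real CA certificate goes between the same BEGIN/END lines.

```python
import base64
import hashlib
import re

# Constructed placeholder standing in for a CA certificate in PEM form.
# A real certificate carries base64-encoded DER between the same BEGIN/END
# lines; "YWJj" is simply base64("abc") so the resulting hashes are known.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Certificate fingerprint: hash the raw DER bytes and format the digest
    as colon-separated upper-case hex pairs, as OpenSSL prints it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so that 'ab:cd' and 'ABCD' compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def fingerprints_match(expected: str, pasted: str) -> bool:
    """True when the value pasted into the profile equals the computed one.
    Two empty strings never match, so a blank field cannot pass by accident."""
    return normalize(expected) != "" and normalize(expected) == normalize(pasted)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for alg in ("sha1", "sha256"):
        print(alg, fingerprint(der, alg))
```

Run it against the exported CA certificate and compare the printed value with the fingerprint field in the profile; which digest the enrolment expects (SHA-1 or SHA-256) depends on the SCEP service, so compute both and match whichever length the field accepts.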
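The fields in the steps above depend on one another: a Defined configuration needs a CA-IDENT and base URL, a Plain text pre-shared secret needs a value, an HTTP base URL needs a CA fingerprint, and retry settings only make sense with positive counts and delays. The following Python is an added example, not part of this documentation or the Universal Device Service, that checks a profile for those inconsistencies before it is saved. The dictionary keys are hypothetical names for the fields in the procedure (the product's own export format is not described here), `MIN_KEY_SIZE` is a policy threshold chosen for the example rather than a product default, and both sample profiles are constructed.

```python
from urllib.parse import urlparse

# Policy threshold chosen for this example (assumption, not a product default):
# the profile's own default of 1024 bits would fail this check.
MIN_KEY_SIZE = 2048


def validate_scep_profile(profile):
    """Return a list of problems found in a profile dict; [] means consistent.
    Keys are hypothetical names for the fields in the procedure."""
    problems = []
    mode = profile.get("server_config_type")
    if mode not in ("External", "Defined"):
        problems.append("server_config_type must be External or Defined")

    # Defined mode must carry the CA-IDENT and URL that External mode gets from
    # the external SCEP settings.
    if mode == "Defined":
        for key in ("ca_ident", "base_url"):
            if not profile.get(key):
                problems.append(f"{key} is required when server_config_type is Defined")
        if profile.get("psk_type") == "Plain text" and not profile.get("psk"):
            problems.append("psk must be set when psk_type is Plain text")

    # Over plain HTTP the fingerprint is the device's only check on the CA's identity.
    url = profile.get("base_url")
    if url:
        scheme = urlparse(url).scheme.lower()
        if scheme not in ("http", "https"):
            problems.append(f"base_url scheme {scheme!r} is not http or https")
        elif scheme == "http" and not profile.get("ca_fingerprint"):
            problems.append("ca_fingerprint is required because base_url uses HTTP")

    key_size = int(profile.get("key_size", 0))
    if key_size < MIN_KEY_SIZE:
        problems.append(f"key_size {key_size} is below the minimum of {MIN_KEY_SIZE}")

    # Retry settings only apply when retrying is enabled, and then must be positive.
    if profile.get("retry"):
        if int(profile.get("retry_count", 0)) < 1:
            problems.append("retry_count must be at least 1 when retry is enabled")
        if int(profile.get("retry_delay_seconds", 0)) < 1:
            problems.append("retry_delay_seconds must be at least 1 when retry is enabled")

    # A certificate permitted for neither signing nor encipherment is unusable.
    if not (profile.get("digital_signature") or profile.get("key_encipherment")):
        problems.append("enable digital_signature and/or key_encipherment")
    return problems


# Constructed sample: HTTP without a fingerprint, blank secret, 1024-bit key,
# retry enabled with a zero count.
WEAK_PROFILE = {
    "server_config_type": "Defined",
    "ca_ident": "corp-ca",
    "base_url": "http://scep.example.test/certsrv/mscep/",
    "psk_type": "Plain text",
    "psk": "",
    "ca_fingerprint": "",
    "key_size": 1024,
    "digital_signature": True,
    "key_encipherment": False,
    "retry": True,
    "retry_count": 0,
    "retry_delay_seconds": 30,
}

# Constructed sample with each of the problems above corrected.
HARDENED_PROFILE = dict(
    WEAK_PROFILE,
    base_url="https://scep.example.test/certsrv/mscep/",
    psk="placeholder-secret",
    key_size=2048,
    retry_count=3,
    retry_delay_seconds=60,
)

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, validate_scep_profile(prof) or "ok")
```

An External configuration only needs the server type, key size and a permitted key use to pass, since the CA-IDENT, secret and URL come from the external SCEP settings configured beforehand.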