Installing an SSL certificate for the Communication Module
When you install BlackBerry Enterprise Service 10, the setup application generates a certificate for the Communication Module. You can also replace the default certificate with one that is issued by a CA and is already trusted by iOS devices and Android devices.
When users activate devices, before they enter their usernames and passwords, the BES12 Client prompts them to accept or decline the SSL certificate for the Communication Module. The prompt includes information about the SSL certificate including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If users click Accept, the certificate is installed on the devices, and the activation process continues. If users click Decline, they are returned to the previous activation screen.
If you do not replace the default SSL certificate, or if you install a certificate that is not signed by a CA that the device trusts, the certificate is displayed in the user prompt as untrusted. To ensure that the user accepts a certificate for a valid server, you can ask users to compare the certificate information displayed in the prompt with information that you send to users in the activation email. If the information matches, users can accept the untrusted certificate and proceed with the activation process. Alternatively, you can ask users to install the untrusted certificate on their devices as a trusted root certificate before they activate their devices. Users can download the SSL certificate to their devices from an internal website that is created when you install BlackBerry Enterprise Service 10 (<BSCAddress>/<SRPID>/<ca>). If users install the untrusted certificate before activating their devices, the certificate is displayed in the prompt as trusted.
If you replace the default SSL certificate with a certificate that is signed by a trusted CA, the certificate is displayed in the prompt as trusted.