Process flow: Enrolling a certificate using an RSA certification authority

After a BlackBerry® device receives an IT policy that includes a certification authority profile, the enrollment process can start automatically or you can instruct a user to start it.

  1. The CA Profile Manager on the BlackBerry device generates the key pair for the certificate.
  2. The BlackBerry device requests the user's distinguished name from the BlackBerry® Enterprise Server.
  3. The BlackBerry Enterprise Server retrieves the user's distinguished name from the messaging server and sends the distinguished name to the BlackBerry device.
  4. The BlackBerry device encrypts the key pair, and stores the key pair, distinguished name, and profile ID for the certification authority in the persistent store in flash memory.
  5. The CA Profile Manager creates the PKCS #10 certificate request and signs it with the private key.
  6. The BlackBerry device sends the certificate request and the name of the certification authority profile to the BlackBerry MDS Connection Service.
  7. The BlackBerry MDS Connection Service performs one of the following actions:
    • sends the certificate chain to the BlackBerry Enterprise Server if the certificate chain is in the BlackBerry MDS Connection Service cache
    • retrieves the certificate chain from the certification authority and sends it to the BlackBerry Enterprise Server if the certificate chain is not in the BlackBerry MDS Connection Service cache
  8. The BlackBerry Enterprise Server sends the certificate chain to the BlackBerry device.
  9. The BlackBerry MDS Connection Service sends a status update to the BlackBerry device and sends the certificate request to the certification authority that is associated with the name of the certification authority profile.
  10. The certification authority performs the following actions:
    1. waits for the certification authority administrator to approve the certificate request
    2. after the certification authority administrator approves the certificate request, issues the certificate, and sends the URL for the certificate in an email message to the user
  11. The BlackBerry Messaging Agent receives the email message and extracts the issue ID of the message from the URL and stores it in the BlackBerry Configuration Database.
  12. The BlackBerry MDS Connection Service performs the following actions:
    1. polls the BlackBerry Configuration Database every 5 minutes for the issue ID of the message, reconstructs the URL, and sends the URL to the certification authority to retrieve the certificate
    2. sends the certificate to the BlackBerry Enterprise Server after retrieving the certificate
  13. The BlackBerry Enterprise Server performs the following actions:
    1. verifies the certificate by checking whether the public key matches the public key that is stored in the BlackBerry Configuration Database
    2. sends the certificate to the BlackBerry device over the wireless network
  14. The BlackBerry device adds the certificate and private key to the key store.
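The following script is an added illustration of the cryptographic steps in this flow and is not BlackBerry code. It uses the openssl command line to model step 1 (RSA key pair generation), step 5 (a PKCS #10 request signed with the private key), step 10 (issuance, here by a constructed self-signed test CA standing in for the RSA certification authority) and step 13.1 (confirming that the public key in the issued certificate matches the public key retained at enrollment time). The distinguished name, CA name and file paths are placeholders; the email and URL-polling steps are not modeled.

```shell
#!/bin/sh
# Added example, not BlackBerry code. Requires the openssl CLI.
# Models steps 1, 5, 10 and 13.1 of the enrollment flow with a constructed test CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: the device generates the RSA key pair and (step 4) retains the
# public half so that the server can later compare it against the certificate.
gen_key_pair() {
    openssl genrsa -out "$WORK/device.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/device.key" -pubout -out "$WORK/device.pub" 2>/dev/null
}

# Step 5: build the PKCS #10 request using the distinguished name retrieved in
# steps 2 and 3 (a constructed placeholder DN here) and sign it with the private key.
# The self-signature on the request is then checked; a CA rejects requests that fail it.
make_csr() {
    dn="$1"
    openssl req -new -key "$WORK/device.key" -subj "$dn" -out "$WORK/device.csr" 2>/dev/null
    openssl req -in "$WORK/device.csr" -noout -verify >/dev/null 2>&1
}

# Step 10: a stand-in CA (constructed, self-signed) issues a certificate from the request.
ca_issue() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Test CA" -days 1 2>/dev/null
    openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/device.crt" 2>/dev/null
}

# Step 13.1: verify that the certificate's public key equals the stored public key.
# Both keys are compared as SHA-256 digests of their DER-encoded SubjectPublicKeyInfo,
# so PEM line-wrapping or header differences cannot produce a false mismatch.
pubkey_matches() {
    cert="$1"; stored_pub="$2"
    cert_fp="$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
    stored_fp="$(openssl pkey -pubin -in "$stored_pub" -outform DER | openssl dgst -sha256)"
    [ "$cert_fp" = "$stored_fp" ]
}

# Failure mode: a certificate bound to some other key must be rejected at step 13.1.
pubkey_mismatch_detected() {
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/other.key" -pubout -out "$WORK/other.pub" 2>/dev/null
    ! pubkey_matches "$WORK/device.crt" "$WORK/other.pub"
}

# Runs the modeled flow end to end; exit status 0 means the issued certificate
# matches the key pair generated at step 1.
run_enrollment() {
    gen_key_pair
    make_csr "/O=Example Org/CN=example.user"
    ca_issue
    pubkey_matches "$WORK/device.crt" "$WORK/device.pub"
}
```

Comparing the DER-encoded public key rather than the PEM text is the check that matters in step 13.1: it binds the certificate the CA returned to the private key that never left the device, so a certificate issued against a different request cannot be loaded into the key store by mistake.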
