Process flow: Enrolling a certificate when the certification authority approves certificate requests automatically

After a BlackBerry® device receives an IT policy that includes a certification authority profile, the enrollment process can start automatically, or you can instruct a user to start it. This process flow assumes that the certification authority in your organization's environment is a Microsoft® enterprise certification authority.

  1. The CA Profile Manager on the BlackBerry device generates the key pair for the certificate.
  2. The BlackBerry MDS Connection Service authenticates the user.
  3. The BlackBerry device requests the user's distinguished name from the BlackBerry® Enterprise Server.
  4. The BlackBerry Enterprise Server retrieves the user's distinguished name from the messaging server and sends the distinguished name to the BlackBerry device.
  5. The BlackBerry device encrypts the key pair, and stores the key pair, distinguished name, and profile ID for the certification authority in the persistent store in flash memory.
  6. The CA Profile Manager creates the PKCS #10 certificate request, and signs it with the private key.
  7. The BlackBerry device sends the certificate request, profile ID for the certification authority, and Windows® login information to the BlackBerry MDS Connection Service.
  8. The BlackBerry MDS Connection Service performs one of the following actions:
    • sends the certificate chain to the BlackBerry Enterprise Server if the certificate chain is in the BlackBerry MDS Connection Service cache
    • retrieves the certificate chain from the certification authority and sends it to the BlackBerry Enterprise Server if the certificate chain is not in the BlackBerry MDS Connection Service cache
  9. The BlackBerry Enterprise Server sends the certificate chain to the BlackBerry device.
  10. The BlackBerry MDS Connection Service sends a status update to the BlackBerry device and sends the certificate request to the certification authority that is associated with the profile ID.
  11. The certification authority issues the certificate, publishes it to the LDAP server, and notifies the BlackBerry MDS Connection Service that the certificate is available.
  12. The BlackBerry MDS Connection Service performs the following actions:
    1. retrieves the certificate from the LDAP server that the certification authority publishes the certificate to
    2. sends the certificate to the BlackBerry Enterprise Server
  13. The BlackBerry Enterprise Server performs the following actions:
    1. verifies the certificate by checking whether the public key matches the public key that is stored in the BlackBerry Configuration Database
    2. sends the certificate to the BlackBerry device over the wireless network
  14. The BlackBerry device adds the certificate and private key to the key store.

Was this information helpful? Send us your comments.