Managing an enrolled certificate
After a BlackBerry® device enrolls a certificate, the CA Profile Manager monitors the certificate's expiry date and revocation status. When the expiry date approaches or the certification authority revokes the certificate, the CA Profile Manager generates a new public-private key pair and starts the certificate enrollment process for a new certificate.
The certificate enrollment process can also start again if you change the following IT policy rules and resend the IT policy:
- Certificate Authority Profile Name
- Certificate Authority Type
- Certificate Authority Host
- Common Name Components
- Custom Microsoft Certificate Authority Certificate Template
- Distinguished Name Components
- Key Algorithm
- Key Length
- Microsoft Certificate Authority Certificate Template
- RSA Certificate Authority Certificate ID
- RSA Jurisdiction ID
A certificate enrollment process does not delete the existing certificate from the device key store or notify the certification authority that the certificate is no longer in use. The BlackBerry® Enterprise Server deletes the existing certificate from the BlackBerry Configuration Database when the certificate enrollment process starts for a new certificate.
Also, if a certificate is expired or revoked, you or a BlackBerry device user can update the certificates on the device using the certificate synchronization tool in the BlackBerry® Desktop Software or by copying an updated certificate from a media card or smart card.
For more information about deleting or revoking certificates, see the user guide for the device.
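Because a new enrollment neither deletes the existing certificate from the device key store nor notifies the certification authority, a replaced certificate can remain usable until it expires or is revoked. The following added example (not BlackBerry code) shows one way to flag such certificates from an exported inventory; the `CertRecord` fields, the 30-day renewal window and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class CertRecord:  # hypothetical inventory row, not a BlackBerry data structure
    subject: str
    serial: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False

def needs_reenrollment(cert, now, renew_window=timedelta(days=30)):
    """Revoked, or within renew_window of expiry (the window is an assumed value)."""
    return cert.revoked or cert.not_after - now <= renew_window

def superseded_but_usable(inventory, now):
    """Certificates replaced by a newer one for the same subject that are
    still inside their validity period and not revoked at the CA."""
    newest = {}
    for cert in inventory:
        cur = newest.get(cert.subject)
        if cur is None or cert.not_before > cur.not_before:
            newest[cert.subject] = cert
    return [c for c in inventory
            if c is not newest[c.subject] and not c.revoked
            and c.not_before <= now <= c.not_after]

UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
def d(y, m, day): return datetime(y, m, day, tzinfo=UTC)
INVENTORY = [  # constructed sample data
    CertRecord("CN=alice", "0A01", d(2023, 6, 15), d(2024, 6, 15)),       # replaced, still valid
    CertRecord("CN=alice", "0A02", d(2024, 5, 20), d(2025, 5, 20)),       # replacement
    CertRecord("CN=bob", "0B01", d(2023, 1, 1), d(2024, 12, 31), True),   # revoked, replaced
    CertRecord("CN=bob", "0B02", d(2024, 5, 1), d(2025, 5, 1)),           # replacement
    CertRecord("CN=carol", "0C01", d(2023, 6, 10), d(2024, 6, 10)),       # near expiry, not replaced
]

if __name__ == "__main__":
    for c in superseded_but_usable(INVENTORY, NOW):
        print(f"revoke at CA and remove from key store: {c.subject} serial {c.serial}")
```

Certificates the check returns are candidates for revocation at the certification authority and removal from the device key store.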