Security Technical Overview

Managing an enrolled certificate

After a BlackBerry® device enrolls a certificate, the CA Profile Manager monitors the certificate's expiry date and revocation status. When the expiry date approaches or the certification authority revokes the certificate, the CA Profile Manager generates a new public-private key pair and starts the certificate enrollment process for a new certificate.

The certificate enrollment process can also start again if you change the following IT policy rules and resend the IT policy:

  • Certificate Authority Profile Name
  • Certificate Authority Type
  • Certificate Authority Host
  • Common Name Components
  • Custom Microsoft Certificate Authority Certificate Template
  • Distinguished Name Components
  • Key Algorithm
  • Key Length
  • Microsoft Certificate Authority Certificate Template
  • RSA Certificate Authority Certificate ID
  • RSA Jurisdiction ID

A certificate enrollment process does not delete the existing certificate from the device key store or notify the certification authority that the certificate is no longer in use. The BlackBerry® Enterprise Server deletes the existing certificate from the BlackBerry Configuration Database when the certificate enrollment process starts for a new certificate.

Also, if a certificate is expired or revoked, you or a BlackBerry device user can update the certificates on the device using the certificate synchronization tool in the BlackBerry® Desktop Software or by copying an updated certificate from a media card or smart card.

For more information about deleting or revoking certificates, see the user guide for the device.
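
Because a new enrollment neither removes the existing certificate from the device key store nor tells the certification authority that it is no longer in use, an audit can flag replaced certificates that are still valid and unrevoked. The following is an added example, not BlackBerry code; the record fields, device names, serial numbers, and sample inventory are constructed, and it assumes you can export issued-certificate and revocation data from your own certification authority.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertRecord:
    device: str           # hypothetical device identifier
    subject: str          # certificate subject name
    serial: str
    not_before: datetime
    not_after: datetime
    revoked: bool         # revocation status as reported by the CA


def superseded_but_usable(records, now):
    """Certificates replaced by a newer enrollment for the same device and
    subject that are still inside their validity period and not revoked."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec.device, rec.subject)].append(rec)
    stale = []
    for certs in groups.values():
        newest = max(certs, key=lambda c: c.not_before)
        for cert in certs:
            if cert is newest or cert.revoked:
                continue
            if cert.not_before <= now < cert.not_after:
                stale.append(cert)
    return sorted(stale, key=lambda c: (c.device, c.serial))


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed inventory: dev-A re-enrolled after a policy change, dev-B after
# a revocation, dev-C because the old certificate was close to expiry.
SAMPLE = [
    CertRecord("dev-A", "CN=alice", "0A01", utc(2024, 1, 10), utc(2025, 1, 10), False),
    CertRecord("dev-A", "CN=alice", "0A02", utc(2024, 6, 1), utc(2025, 6, 1), False),
    CertRecord("dev-B", "CN=bob", "0B01", utc(2024, 2, 1), utc(2025, 2, 1), True),
    CertRecord("dev-B", "CN=bob", "0B02", utc(2024, 5, 1), utc(2025, 5, 1), False),
    CertRecord("dev-C", "CN=carol", "0C01", utc(2023, 7, 1), utc(2024, 7, 1), False),
    CertRecord("dev-C", "CN=carol", "0C02", utc(2024, 6, 20), utc(2025, 6, 20), False),
]

if __name__ == "__main__":
    for cert in superseded_but_usable(SAMPLE, utc(2024, 8, 1)):
        print(f"{cert.device} {cert.serial}: replaced but valid until {cert.not_after:%Y-%m-%d}")
```

Certificates flagged this way are candidates for revocation at the certification authority and deletion from the device key store.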
