Using Personal Information Exchange files

An organization can deploy corporate services that require two-way (mutual) SSL/TLS authentication of users. A user is issued a password-protected Personal Information Exchange file (PKCS #12 format, .p12 or .pfx) containing an SSL/TLS client certificate and its private key. This file can be provided to BlackBerry Dynamics apps to grant access to secure corporate services.
The BlackBerry Dynamics SDK supports the use of Personal Information Exchange files to authenticate BlackBerry Dynamics apps to secure services. All of the operations required to support client certificates are carried out by the BlackBerry Dynamics Runtime; no additional programming is needed to handle the server's client-certificate challenge. For an example of how this is handled, refer to HttpViewController.swift in the Dynamics-iOS-Swift sample app.
The app can use client certificates if:
After a user activates a BlackBerry Dynamics app, the app receives the Personal Information Exchange files. For each file, the user is prompted for the issued password so that the certificate and private key can be installed. When this process is complete, the app can access server resources that require two-way SSL/TLS authentication.
If more than one Personal Information Exchange file is installed for a user, the BlackBerry Dynamics Runtime selects the certificate to present using the following criteria:
  1. Only client certificates suitable for SSL/TLS client authentication are eligible to be sent to the server: the certificate must have no Key Usage or Extended Key Usage extension, or a Key Usage that includes "Digital Signature" or "Key Agreement", or an Extended Key Usage that includes "TLS Web Client Authentication". Where present, neither extension may contradict SSL/TLS client authentication.
  2. If the server advertises acceptable certificate authorities in the SSL/TLS handshake (the certificate authorities listed in its CertificateRequest message), only client certificates issued by one of those authorities are considered.
  3. Expired certificates and certificates that are not yet valid cannot be selected.
  4. If more than one certificate satisfies the above criteria, the BlackBerry Dynamics Runtime selects the most recently issued certificate.
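The four criteria above are a certificate-selection algorithm, and it helps to see them as code. The following is an added example written for this page, not code from the BlackBerry Dynamics Runtime or the Dynamics-iOS-Swift sample; it implements the same rules in Go using only the standard library and wires them into Go's TLS client via GetClientCertificate, which is called after the server's CertificateRequest (and its list of acceptable CAs) has been received. Assumptions, labelled in the code: the "must not contradict" clause of criterion 1 is read as "each extension that is present must permit client authentication", and "most recently issued" is approximated by the latest NotBefore date, since the issuance time itself is not carried in the certificate. The test certificates are constructed in MakeTestCandidate purely to exercise the logic.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Candidate is one installed identity: what a PKCS #12 file yields once the
// user has entered its password, i.e. the leaf certificate and its private key.
type Candidate struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// eligibleForClientAuth implements criterion 1. No KU/EKU at all is eligible.
// Assumption: if KU is present it must include digitalSignature or keyAgreement,
// and if EKU is present it must include clientAuth (anyExtendedKeyUsage counts).
func eligibleForClientAuth(c *x509.Certificate) bool {
	hasKU := c.KeyUsage != 0
	hasEKU := len(c.ExtKeyUsage) > 0 || len(c.UnknownExtKeyUsage) > 0
	if hasKU && c.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageKeyAgreement) == 0 {
		return false
	}
	if hasEKU {
		ok := false
		for _, e := range c.ExtKeyUsage {
			if e == x509.ExtKeyUsageClientAuth || e == x509.ExtKeyUsageAny {
				ok = true
			}
		}
		if !ok {
			return false
		}
	}
	return true
}

// SelectClientCert applies criteria 1 to 4. acceptableCAs holds the DER-encoded
// issuer names the server sent (tls.CertificateRequestInfo.AcceptableCAs); an
// empty list means the server advertised none, so criterion 2 is skipped.
// Assumption: "most recently issued" is approximated by the latest NotBefore.
func SelectClientCert(cands []Candidate, acceptableCAs [][]byte, now time.Time) (*Candidate, error) {
	var best *Candidate
	for i := range cands {
		c := cands[i].Cert
		if !eligibleForClientAuth(c) { // criterion 1
			continue
		}
		if len(acceptableCAs) > 0 { // criterion 2
			issued := false
			for _, ca := range acceptableCAs {
				if bytes.Equal(ca, c.RawIssuer) {
					issued = true
					break
				}
			}
			if !issued {
				continue
			}
		}
		if now.Before(c.NotBefore) || now.After(c.NotAfter) { // criterion 3
			continue
		}
		if best == nil || c.NotBefore.After(best.Cert.NotBefore) { // criterion 4
			best = &cands[i]
		}
	}
	if best == nil {
		return nil, errors.New("no installed client certificate satisfies the server's request")
	}
	return best, nil
}

// ClientTLSConfig makes the choice per handshake, once the server's CA list is known.
func ClientTLSConfig(cands []Candidate) *tls.Config {
	return &tls.Config{
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			sel, err := SelectClientCert(cands, cri.AcceptableCAs, time.Now())
			if err != nil {
				return nil, err
			}
			return &tls.Certificate{Certificate: [][]byte{sel.Cert.Raw}, PrivateKey: sel.Key}, nil
		},
	}
}

// DERName encodes a CA common name the way it appears in AcceptableCAs.
func DERName(cn string) []byte {
	der, _ := asn1.Marshal(pkix.Name{CommonName: cn}.ToRDNSequence())
	return der
}

// MakeTestCandidate builds a constructed test certificate issued by issuerCN.
// The leaf key also signs the certificate, which is fine for exercising the
// selection logic but is not how a real CA issues certificates.
func MakeTestCandidate(issuerCN, subjectCN string, notBefore time.Time, days int,
	ku x509.KeyUsage, eku []x509.ExtKeyUsage) (Candidate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Candidate{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: subjectCN},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, days), KeyUsage: ku, ExtKeyUsage: eku}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		return Candidate{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return Candidate{Cert: cert, Key: key}, err
}

func main() {
	now := time.Now()
	ku := x509.KeyUsageDigitalSignature
	client := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	old, _ := MakeTestCandidate("Corp Issuing CA", "old", now.AddDate(-2, 0, 0), 1095, ku, client)
	newer, _ := MakeTestCandidate("Corp Issuing CA", "newer", now.AddDate(-1, 0, 0), 730, ku, client)
	sel, err := SelectClientCert([]Candidate{old, newer}, [][]byte{DERName("Corp Issuing CA")}, now)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("selected:", sel.Cert.Subject.CommonName)
}
```

The CA match in criterion 2 compares the raw DER issuer name against what the server sent, which is the comparison a TLS stack actually makes; a string comparison of common names would accept a differently encoded or differently structured name from an unrelated issuer.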