Using a PKI connector to implement custom certificate requirements
BlackBerry UEM can connect to a CA to obtain a certificate and send it to a client BlackBerry Dynamics app for authentication (for example, Entrust or PKI connections), or it can assist the client app in retrieving the certificate directly from a CA (for example, using SCEP to retrieve a PKCS12 file). UEM uses the BlackBerry Dynamics User Certificate Management protocol to fetch and enroll a certificate when the BlackBerry Dynamics Runtime makes a request for the certificate. The protocol runs over HTTPS and defines JSON-formatted messages. This document details the administrator actions involved in this process and the APIs that UEM uses to execute it. The APIs are supported by UEM version 12.10 or later or BlackBerry UEM Cloud, and are available to BlackBerry Dynamics apps that use the BlackBerry Dynamics SDK version 2.1 or later.
In a BlackBerry UEM Cloud environment, if the PKI connector is behind a firewall, you must have a BlackBerry Connectivity Node installed to allow UEM to communicate with the PKI connector through the BlackBerry Cloud Connector.
If you want to implement specific requirements or procedures when a certificate is retrieved from a CA (for example, if a user’s password or smart card authentication is required), you can establish a back-end server that implements this protocol and the associated APIs to accept a request from UEM and interface with your enterprise CA. This server is called a PKI connector. When a BlackBerry Dynamics app makes a certificate request to UEM, UEM calls your PKI connector to interface with your CA and apply any required processes to retrieve and provide the certificate.
UEM may already support your CA solution, so establishing a PKI connector may not be required. For more information about the CA solutions that UEM supports, see Sending CA certificates to devices and apps in the
A sample implementation of a PKI connector is described in the PKI connector sample implementation section of this guide. Your organization’s developers can use the API documentation in this guide and the sample implementation (a .zip package) to establish a PKI connector that can interact with