Process flow: Certificate enrollment using a PKI connector
![Process flow for certificate enrollment using a PKI connector](/content/docs-blackberry-com/en/endpoint-management/blackberry-dynamics/pki-connector/Using-a-PKI-Connector-to-implement-custom-requirements-when-UEM-retrieves-certificates-for-BlackBerry-Dynamics-apps/Process-flow--Certificate-enrollment-using-a-PKI-Connector/_jcr_content/contentnode/concept/conbody/p0/image/PKI_workflow.png/_jcr_content/renditions/original)
- TheBlackBerry UEMadministrator creates and configures a user credential profile to obtain client certificates forBlackBerry Dynamicsapps from the enterprise CA using the organization’s PKI connector. The administrator assigns the profile to the user.
- The user installs and activates aBlackBerry Dynamicsapp. TheBlackBerry Dynamics Runtimesends a request toUEMfor a PKI certificate.
- UEMcalls the PKI connector to request the certificate.
- The PKI connector carries out any custom logic that the organization requires (for example, a user password, smart card authentication, or monitoring of certificate requests) and requests the certificate from the enterprise CA.
- The CA provides the certificate (key-pair) to the PKI connector.
- The PKI connector provides the certificate toUEM.
- UEMprovides the certificate to theBlackBerry Dynamicsapp.
- The app receives the certificate and uses it for different purposes, for example, to authenticate with the server when prompted, or to sign an email or document.