Configure the Certificate Directory Lookup

The Certificate Directory Lookup service retrieves S/MIME digital certificates from the user's Microsoft Active Directory. These certificates enable email encryption and signature functionality in BlackBerry Work apps. For more information about configuring and using S/MIME on devices, see the BlackBerry Work, Tasks, and Notes Administration Guide.
  1. In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
  2. Click Certificate Directory Lookup.
  3. Optionally, select the Include expired certificates in results checkbox.
  4. By default, the Enable Contact Lookup checkbox and the Enable GAL Lookup checkbox are selected. If you clear the Enable GAL Lookup checkbox, users can't send encrypted email messages to public distribution lists or to private or personal distribution lists (for example, distribution lists in the user's contact folder).
  5. Optionally, select the Enable LDAP Lookup checkbox to validate digital certificates by looking them up on the LDAP server.
    1. In the LDAP Server Name field, type the name of the LDAP server. For example, ldap.<DNS_domain_name>.
    2. In the LDAP Server port field, type the port number of the LDAP server. By default, the port number is 389.
    3. Optionally, select the Enable SSL LDAP checkbox to tunnel data through an SSL-encrypted connection. If you enable SSL LDAP, the port number defaults to 636. This step requires you to import the LDAP certificate chain into the BEMS dashboard. For instructions, see "Upload the SSL certificate to the BEMS database" in the BEMS-Core configuration content.
    4. Optionally, edit the LDAP User Name Query Template field. The LDAP user name query searches for a user by their user name. BEMS replaces "{key}" with the user name when performing the query. The default template is
       (&(|(mail=*{key}*)(name=*{key}*)(displayName=*{key}*)(sAMAccountName=*{key}*)(givenName=*{key}*)(sn=*{key}*))(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    5. Optionally, in the LDAP Base DN field, provide a base DN for the LDAP search. If this field is left empty, BEMS tries to find the base DN in the namingContexts attribute.
    6. In the Authentication Type drop-down list, select an authentication type. By default, the Authentication Type is Anonymous.
      • If you select Basic, enter the LDAP logon user name and password. In a Microsoft Active Directory environment, enter the user name in the format domain\username or as a User Principal Name (UPN), username@domain.
      • If you selected the Enable SSL LDAP checkbox and select Client Certificate authentication, enter the keystore password and certificate file.
    7. In the End User Email Address field, type an end-user email address to search for.
    8. Click Test.
  6. Click Save.
If you selected Certificate authentication, you can view the certificate information. Click Certificate Directory Lookup. The following certificate information is displayed:
  • Subject
  • Issuer
  • Validation period
  • Serial number