Skip Navigation

Create a certificate retrieval profile

  • To allow devices to trust LDAP certificate servers when they make secure connections, you might need to distribute CA certificates to devices. If necessary, create CA certificate profiles and assign them to user accounts, user groups, or device groups. For more information about CA certificates, see Sending CA certificates to devices.
  • If you implement
    Kerberos
    authentication for S/MIME certificate retrieval, you must assign a single sign-on profile to the applicable users or user groups. For more information about single sign-on profiles, see Setting up single sign-on authentication for devices.
  1. On the menu bar, click
    Policies and Profiles
    .
  2. Click
    Certificates > Certificate retrieval
    .
  3. Click .
  4. Type a name and description for the certificate retrieval profile.
  5. In the table, click .
  6. In the
    Service URL
    field, type the FQDN of an LDAP certificate server using the format ldap://
    <fqdn>
    :
    <port>
    . (For example, ldap://server01.example.com:389).
  7. In the
    Search base
    field, type the base DN that is the starting point for LDAP certificate server searches.
  8. In the
    Search scope
    drop-down list, perform one of the following actions:
    • To search the base object only (base DN), click
      Base
      . This option is the default value.
    • To search one level below the base object, but not the base object itself, click
      One level
      .
    • To search the base object and all levels below it, click
      Subtree
      .
    • To search all levels below the base object, but not the base object itself, click
      Children
      .
  9. If authentication is required, perform the following actions:
    1. In the
      Authentication type
      drop-down list, click
      Simple
      or
      Kerberos
      .
    2. In the
      LDAP user ID
      field, type the DN of an account that has search permissions on the LDAP certificate server (for example, cn=admin,dc=example,dc=com).
    3. In the
      LDAP password
      field, type the password for the account that has search permissions on the LDAP certificate server.
  10. If necessary, select the
    Use secure connection
    check box.
  11. In the
    Connection timeout
    field, type the amount of time, in seconds, that the device waits for the LDAP certificate server to respond.
  12. Click
    Add
    .
  13. Repeat steps 5 to 11 for each LDAP certificate server.
  14. Click
    Add
    .
  • To allow
    BlackBerry 10
    devices to check certificate status, create an OCSP or CRL profile.
  • If necessary, rank profiles.