Create a user credential profile to connect to your organization's PKI software

  • Contact your organization’s administrator to confirm which PKI profile you should select. BlackBerry UEM obtains a list of profiles from the PKI software.
  • Ask the administrator for the profile values that you must provide. For example, the values for device type (devicetype), Entrust IdentityGuard group (iggroup), and Entrust IdentityGuard username (igusername).
  • If your organization’s system is configured to return Escrowed Keys only, the administrator must verify that certificates are present for each user in the system. Assigning a user credential profile to users in BlackBerry UEM does not automatically create certificates for users in . In this scenario, a user credential profile can only distribute certificates to users who have an existing certificate in the
  1. On the menu bar, click Policies and Profiles.
  2. Click Certificates > User credential.
  3. Click  .
  4. Type a name and description for the profile. Each certificate profile must have a unique name.
  5. In the Certification authority connection drop-down list, click the connection that you configured.
  6. In the drop-down list, click the appropriate profile.
  7. Specify the values for the profile.
  8. If necessary, you can specify a SAN type and value for an client certificate.
    1. In the SAN table, click  .
    2. In the SAN type drop-down list, click the appropriate type.
    3. In the SAN value field, type the SAN value.
      If the SAN type is set to "RFC822 name," the value must be a valid email address. If it is set to "URI," the value must be a valid URL that includes the protocol and FQDN or IP address. If it is set to "NT principal name," the value must be a valid principal name. If it is set to "DNS name," the value must be a valid FQDN.
  9. Specify the Renewal period for the certificate. The period can be between 1 and 120 days.
  10. If BlackBerry 10 devices use the client certificate to encrypt email messages using S/MIME, and you want devices to retain access to expired certificates so that users can open older email messages, select the Include certificate history check box.
  11. Click 
  • If devices use client certificates to authenticate with a network, VPN, or mail server, associate the user credential profile with a , VPN, or email profile.
  • Assign the profile to user accounts and user groups. users are prompted to enter a password when they receive the profile (the password is displayed on the screen).