Skip Navigation

Create a user credential profile to connect to your organization's PKI software

  • Contact your organization’s 
    Entrust
     or 
    OpenTrust
     administrator to confirm which PKI profile you should select. 
    BlackBerry UEM
     obtains a list of profiles from the PKI software.
  • Ask the 
    Entrust
     or 
    OpenTrust
     administrator for the profile values that you must provide. For example, the values for device type (devicetype), 
    Entrust IdentityGuard
     group (iggroup), and 
    Entrust IdentityGuard
     username (igusername).
  • If your organization’s 
    OpenTrust
     system is configured to return Escrowed Keys only, the 
    OpenTrust
     administrator must verify that certificates are present for each user in the 
    OpenTrust
     system. Assigning a user credential profile to users in 
    BlackBerry UEM
     does not automatically create certificates for users in 
    OpenTrust
    . In this scenario, a user credential profile can only distribute certificates to users who have an existing certificate in the 
    OpenTrust
     system.
  1. On the menu bar, click 
    Policies and Profiles
    .
  2. Click 
    Certificates > User credential
    .
  3. Click  .
  4. Type a name and description for the profile. Each certificate profile must have a unique name.
  5. In the 
    Certification authority connection
     drop-down list, click the 
    Entrust
     or 
    OpenTrust
     connection that you configured.
  6. In the 
    Profile
     drop-down list, click the appropriate profile.
  7. Specify the values for the profile.
  8. If necessary, you can specify a SAN type and value for an 
    Entrust
     client certificate.
    1. In the SAN table, click  .
    2. In the 
      SAN type
       drop-down list, click the appropriate type.
    3. In the 
      SAN value
       field, type the SAN value.
      If the SAN type is set to "RFC822 name," the value must be a valid email address. If it is set to "URI," the value must be a valid URL that includes the protocol and FQDN or IP address. If it is set to "NT principal name," the value must be a valid principal name. If it is set to "DNS name," the value must be a valid FQDN.
  9. Specify the 
    Renewal period
     for the certificate. The period can be between 1 and 120 days.
  10. If 
    BlackBerry 10
     devices use the client certificate to encrypt email messages using S/MIME, and you want devices to retain access to expired certificates so that users can open older email messages, select the 
    Include certificate history
     check box.
  11. Click 
    Add
    .
  • If devices use client certificates to authenticate with a 
    Wi-Fi
     network, VPN, or mail server, associate the user credential profile with a 
    Wi-Fi
    , VPN, or email profile.
  • Assign the profile to user accounts and user groups. 
    Android
     users are prompted to enter a password when they receive the profile (the password is displayed on the screen).