Create a user credential profile to connect to your organization's PKI software
User credential profiles that connect to your organization's PKI software can enroll certificates for
BlackBerry 10 OS version 10.3.1 and later devices. If the connection is to
Entrust PKI software, the user credential profile can also enroll certificates for
BlackBerry UEM doesn't support key history for certificates issued to
- Contact your organization's Entrust or OpenTrust administrator to confirm which PKI profile you should select. BlackBerry UEM obtains a list of profiles from the PKI software.
- Ask the Entrust or OpenTrust administrator for the profile values that you must provide. For example, the values for device type (devicetype), Entrust IdentityGuard group (iggroup), and Entrust IdentityGuard username (igusername).
- If your organization's OpenTrust system is configured to return Escrowed Keys only, the OpenTrust administrator must verify that certificates are present for each user in the OpenTrust system. Assigning a user credential profile to users in BlackBerry UEM does not automatically create certificates for users in OpenTrust. In this scenario, a user credential profile can only distribute certificates to users who have an existing certificate in the OpenTrust system.
- On the menu bar, click Policies and Profiles.
- Click Certificates > User credential.
- Click .
- Type a name and description for the profile. Each certificate profile must have a unique name.
- In the Certificate authority connection drop-down list, select the Entrust or OpenTrust connection that you configured.
- In the Profile drop-down list, click the appropriate profile.
- Specify the values for the profile.
- If necessary, you can specify a SAN type and value for an Entrust client certificate.
- In the SAN table, click .
- In the SAN type drop-down list, click the appropriate type.
- In the SAN value field, type the SAN value. If the SAN type is set to "RFC822 name," the value must be a valid email address. If it is set to "URI," the value must be a valid URL that includes the protocol and FQDN or IP address. If it is set to "NT principal name," the value must be a valid principal name. If it is set to "DNS name," the value must be a valid FQDN.
- Specify the Renewal period for the certificate. The period can be between 1 and 120 days.
- If BlackBerry 10 devices use the client certificate to encrypt email messages using S/MIME, and you want devices to retain access to expired certificates so that users can open older email messages, select the Include certificate history check box.
- If devices use client certificates to authenticate with a Wi-Fi network, VPN, or mail server, associate the user credential profile with a Wi-Fi, VPN, or email profile.
- Assign the profile to user accounts and user groups. Android users are prompted to enter a password when they receive the profile (the password is displayed on the screen).
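The SAN value rules and the renewal period range in the steps above can be checked before values are typed into the console. The following is an added example, not BlackBerry UEM code; the FQDN and email checks follow common hostname rules, and treating an NT principal name as a user@realm UPN is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hostname label rules: 1-63 chars, letters, digits and hyphens,
# no leading or trailing hyphen. An FQDN needs at least two labels.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(value: str) -> bool:
    """True if value looks like a fully qualified host name, e.g. mail.example.com."""
    host = value.rstrip(".")
    if not host or len(host) > 253:
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def is_ip(value: str) -> bool:
    """True for a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_email(value: str) -> bool:
    """Minimal local@domain check; the domain must be an FQDN."""
    local, sep, domain = value.rpartition("@")
    return bool(sep) and bool(local) and " " not in local and is_fqdn(domain)


def validate_san(san_type: str, value: str) -> bool:
    """Apply the per-type rule that the user credential profile enforces."""
    if san_type == "RFC822 name":
        return is_email(value)
    if san_type == "URI":
        # The URL must carry a scheme (protocol) and an FQDN or IP address host.
        url = urlparse(value)
        return bool(url.scheme) and (is_fqdn(url.hostname or "") or is_ip(url.hostname or ""))
    if san_type == "NT principal name":
        return is_email(value)  # assumption: UPN form user@realm
    if san_type == "DNS name":
        return is_fqdn(value)
    raise ValueError(f"unknown SAN type: {san_type}")


def validate_renewal_period(days: int) -> bool:
    """The renewal period must be between 1 and 120 days."""
    return 1 <= days <= 120
```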