Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.16
  3. Administration
  4. Securing connections using PKI
  5. Sending certificates to devices and apps using profiles
  6. Sending client certificates to devices and apps using user credential profiles
  7. Create a user credential profile to connect to your organization's PKI software

Create a user credential profile to connect to your organization's PKI software

User credential profiles that connect to your organization's PKI software can enroll certificates for
iOS
 and
Android
 devices. If the connection is to
Entrust
 PKI software, the user credential profile can also enroll certificates for
BlackBerry Dynamics
 apps.
BlackBerry UEM
 doesn't support key history for certificates issued to
BlackBerry Dynamics
 apps.
  • Configure a connection to your organization's
    Entrust
     or
    OpenTrust
     software.
  • Contact your organization’s
    Entrust
     or
    OpenTrust
     administrator to confirm which PKI profile you should select.
    BlackBerry UEM
     obtains a list of profiles from the PKI software.
  • Ask the
    Entrust
     or
    OpenTrust
     administrator for the profile values that you must provide. For example, the values for device type (devicetype),
    Entrust IdentityGuard
     group (iggroup), and
    Entrust IdentityGuard
     username (igusername).
  • If your organization’s
    OpenTrust
     system is configured to return Escrowed Keys only, the
    OpenTrust
     administrator must verify that certificates are present for each user in the
    OpenTrust
     system. Assigning a user credential profile to users in
    BlackBerry UEM
     does not automatically create certificates for users in
    OpenTrust
    . In this scenario, a user credential profile can only distribute certificates to users who have an existing certificate in the
    OpenTrust
     system.
  1. On the menu bar, click
    Policies and Profiles
    .
  2. Click
    Certificates > User credential
    .
  3. Click The Add icon.
  4. Type a name and description for the profile. Each certificate profile must have a unique name.
  5. In the
    Certificate authority connection
     drop-down list, select the
    Entrust
     or
    OpenTrust
     connection that you configured.
  6. In the
    Profile
     drop-down list, click the appropriate profile.
  7. Specify the values for the profile.
  8. If necessary, you can specify a SAN type and value for an
    Entrust
     client certificate.
    1. In the SAN table, click The Add icon.
    2. In the
      SAN type
       drop-down list, click the appropriate type.
    3. In the
      SAN value
       field, type the SAN value.
      If the SAN type is set to "RFC822 name," the value must be a valid email address. If it is set to "URI," the value must be a valid URL that includes the protocol and FQDN or IP address. If it is set to "NT principal name," the value must be a valid principal name. If it is set to "DNS name," the value must be a valid FQDN.
  9. Specify the
    Renewal period
     for the certificate. The period can be between 1 and 120 days.
  10. Click
    Add
    .
  • If devices use client certificates to authenticate with a
    Wi-Fi
     network, VPN, or mail server, associate the user credential profile with a
    Wi-Fi
    , VPN, or email profile.
  • Assign the profile to user accounts and user groups.
    Android
     users are prompted to enter a password when they receive the profile (the password is displayed on the screen).