Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.16
  3. Administration
  4. Securing connections using PKI
  5. Sending certificates to devices and apps using profiles
  6. Sending client certificates to devices and apps using SCEP
  7. Create a SCEP profile

Create a SCEP profile

The required profile settings depend on the SCEP service configuration in your organization's environment and vary depending on whether the certificate is used by a
BlackBerry Dynamics
 app or by a specified device type.
You can use a variable in any text field to reference a value instead of specifying the actual value.
If you want to use a SCEP profile to distribute
OpenTrust
 client certificates to devices, you must apply a hotfix to your
OpenTrust
 software. For more information, contact your
OpenTrust
 support representative and reference support case SUPPORT-798.
  1. On the menu bar, click
    Policies and Profiles
    .
  2. Click
    Certificates > SCEP
    .
  3. Click The Add icon.
  4. Type a name and description for the profile. Each certificate profile must have a unique name.
  5. In the
    Certificate authority connection
     drop-down list, perform one of the following actions:
    • To use an
      Entrust
       connection that you configured, click the appropriate connection. In the
      Profile
       drop-down list, click a profile. Specify the values for the profile.
    • To use an
      OpenTrust
       connection that you configured, click the appropriate connection. In the
      Profile
       drop-down list, click a profile. Specify the values for the profile. Note that the following settings in the SCEP profile do not apply to
      OpenTrust
       client certificates: Key usage, Extended key usage, Subject, and SAN.
    • To use another CA, click
      Generic
      . In the
      SCEP challenge type
       drop-down list, select
      Static
       or
      Dynamic
       and specify the required settings for the challenge type.
      For
      Windows
       devices, only static passwords are supported.
  6. In the
    URL
     field, type the URL for the SCEP service. The URL should include the protocol, FQDN, port number, and SCEP path.
  7. In the
    Instance name
     field, type the instance name for the CA.
  8. Optionally, clear the check box for any device type that you do not want to configure the profile for.
  9. Perform the following actions:
    1. Click the tab for a device type.
    2. Configure the appropriate values for each profile setting to match the SCEP service configuration in your organization's environment.
  10. Repeat step 8 for each device type in your organization.
  11. Click
    Add
    .
If devices use the client certificate to authenticate with a work
Wi-Fi
 network, work VPN, or work mail server, associate the SCEP profile with a
Wi-Fi
, VPN, or email profile.