Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.17
  3. Administration
  4. Email, calendar, and contacts
  5. Extending email security using S/MIME
  6. Retrieving S/MIME certificates
  7. Create a certificate retrieval profile

Create a certificate retrieval profile

  • To allow devices to trust LDAP certificate servers when they make secure connections, you might need to distribute CA certificates to devices. If necessary, create CA certificate profiles and assign them to user accounts, user groups, or device groups. For more information about CA certificates, see Sending CA certificates to devices and apps.
  • If you implement
    Kerberos
     authentication for S/MIME certificate retrieval, you must assign a single sign-on profile to the applicable users or user groups. For more information about single sign-on profiles, see Setting up single sign-on authentication for devices.
  1. On the menu bar, click
    Policies and Profiles
    .
  2. Click
    Certificates > Certificate retrieval
    .
  3. Click The Add icon.
  4. Type a name and description for the certificate retrieval profile.
  5. In the table, click The Add icon.
  6. In the
    Service URL
     field, type the FQDN of an LDAP certificate server using the format ldap://
    <fqdn>
    :
    <port>
    . (For example, ldap://server01.example.com:389).
  7. In the
    Search base
     field, type the base DN that is the starting point for LDAP certificate server searches.
  8. In the
    Search scope
     drop-down list, perform one of the following actions:
    • To search the base object only (base DN), click
      Base
      . This option is the default value.
    • To search one level below the base object, but not the base object itself, click
      One level
      .
    • To search the base object and all levels below it, click
      Subtree
      .
    • To search all levels below the base object, but not the base object itself, click
      Children
      .
  9. If authentication is required, perform the following actions:
    1. In the
      Authentication type
       drop-down list, click
      Simple
       or
      Kerberos
      .
    2. In the
      LDAP user ID
       field, type the DN of an account that has search permissions on the LDAP certificate server (for example, cn=admin,dc=example,dc=com).
    3. In the
      LDAP password
       field, type the password for the account that has search permissions on the LDAP certificate server.
  10. If necessary, select the
    Use secure connection
     check box.
  11. In the
    Connection timeout
     field, type the amount of time, in seconds, that the device waits for the LDAP certificate server to respond.
  12. Click
    Add
    .
  13. Repeat steps 5 to 11 for each LDAP certificate server.
  14. Click
    Add
    .
If necessary, rank profiles.