Create a user credential profile to use app-based certificates on iOS devices
- On the menu bar, clickPolicies and Profiles.
- ClickCertificates > User credential.
- Click .
- Type a name and description for the profile. Each certificate profile must have a unique name.
- In theCertificate authority connectiondrop-down list, select the name of the app you specified when you connectedBlackBerry UEMto your PKI solution. If you are usingPurebred, select theBlackBerry UEM Client
- To specify which certificate theBlackBerry Dynamicsapp will use, perform the following actions:
- In theKey usagesection, select the operations that the certificate supports.BlackBerry Dynamicsapps will only use certificates that have at least the specified key usage value set. For example, an encryption certificate may have a key usage value ofKey encipherment. An authentication certificate may have a key usage value ofDigital signature. A signing certificate may have a key usage value of bothDigital signatureandNonrepudiation.
- In theExtended key usagesection, select the functions that the certificate was issued for.BlackBerry Dynamicsapps will only use certificates if all selected extended key usage values are present in the certificate. Certificates can have additional extended key usage values.
- If the certificate was issued for purposes other than email, client authentication, or smart card login, selectAdditional Object ID usage, click and specify the OID for the key usage. For example, if the certificate will be used for server authentication, it may have the OID 22.214.171.124.126.96.36.199.1
- BesideIssuers, click and type the issuer name.BlackBerry Dynamicsapps will only use a certificate if the specified issuer matches theOpenSSLshort-form OID in the certificate. You can copy this value from the issuer's certificate. Do not put spaces before or after the equal sign (=). For example:CN=Acme_cert SMIME,OU=Acme_Legal,O=Acme,C=Can CN=Acme_cert SMIME,OU=Acme_Legal,O=Acme CN=Acme_cert TLS
- If you want the device to delete expired certificates, selectDelete expired certificates.Expired encryption certificates used for S/MIME should be retained on the device to allow users to read messages that were encrypted before the certificate expired.
- If you want the device to delete duplicate certificates, selectRemove duplicate certificates. The device deletes the certificate that has the earliest start date.
- Assign the profile to user accounts and user groups.