Create a user credential profile to use certificates from the native keystore

You can configure the user credential profile to use certificates from the native keystore in the following situations:
  • To allow BlackBerry Dynamics apps to use a certificate from the native keystore on Android devices
  • To allow BlackBerry Dynamics apps to use a certificate from the native keystore to access cryptographic tokens from PKI apps on iOS devices
  • To allow the BlackBerry Access app to use a certificate from the native keystore on macOS or Windows 10 devices
You can allow the apps to use any certificate that has been added to the keystore, or you can define restrictions on which certificate the app can choose. For example, if you are using an app-based PKI solution such as Purebred that adds certificates to the native keystore, you can force the app to select a certificate issued by your Purebred PKI solution and require that the app use certificates with specified capabilities.
"Native keystore" refers to the keystore on the device. All user credential profiles with Native keystore connectors should be assigned to the user before they start discovering certificates. If a certificate meets the requirements of more than one user credential profile (UCP), the best match is chosen.
  1. On the menu bar, click Policies and Profiles.
  2. Click Certificates > User credential.
  3. Click the Add icon.
  4. Type a name and description for the profile. Each certificate profile must have a unique name.
  5. In the Certificate authority connection drop-down list, select Native keystore.
  6. In the Supported platforms section, select the device OS types that you want this profile to support.
  7. In the Certificate enrollment section, select Allow optional certificate enrollment if you want to allow users to dismiss certificate enrollment and complete it later. This is for Android devices only.
  8. To specify which certificate the BlackBerry Dynamics app will use, perform the following actions:
    1. Beside Issuers, click the Add icon and type the issuer name. BlackBerry Dynamics apps will only use a certificate if the specified issuer matches the OpenSSL short-form OID in the certificate. You can copy this value from the issuer's certificate. Do not put spaces before or after the equal sign (=). For example:
       CN=Acme_cert SMIME,OU=Acme_Legal,O=Acme,C=Can
       CN=Acme_cert SMIME,OU=Acme_Legal,O=Acme
       CN=Acme_cert TLS
    2. In the Key usage section, select the operations that the certificate supports. BlackBerry Dynamics apps will only use certificates that have at least the specified key usage values set. For example, an encryption certificate may have a key usage value of Key encipherment. An authentication certificate may have a key usage value of Digital signature. A signing certificate may have a key usage value of both Digital signature and Nonrepudiation.
    3. In the Extended key usage section, select the functions that the certificate was issued for. BlackBerry Dynamics apps will only use certificates if all selected extended key usage values are present in the certificate. Certificates can have additional extended key usage values.
    4. If the certificate was issued for purposes other than email, client authentication, or smart card login, select Additional Object ID usage, click the Add icon, and specify the OID for the key usage. For example, if the certificate will be used for server authentication, it may have the OID 1.3.6.1.5.5.7.3.1.
  9. If you want the device to delete expired certificates, select Delete expired certificates.
     Expired encryption certificates used for S/MIME should be retained on the device to allow users to read messages that were encrypted before the certificate expired.
  10. If you want the device to delete duplicate certificates, select Remove duplicate certificates. The device deletes the certificate that has the earliest start date.
  11. Click Add.