Create a user credential profile to connect to your organization's PKI software

User credential profiles that connect to your organization's PKI software can enroll certificates for iOS and Android devices. If the connection is to Entrust PKI software, the user credential profile can also enroll certificates for BlackBerry Dynamics apps. BlackBerry UEM doesn't support key history for certificates issued to BlackBerry Dynamics apps.

  • Configure a connection to your organization's Entrust or OpenTrust software.
  • Contact your organization's Entrust or OpenTrust administrator to confirm which PKI profile you should select. BlackBerry UEM obtains a list of profiles from the PKI software.
  • Ask the Entrust or OpenTrust administrator for the profile values that you must provide. For example, the values for device type (devicetype), Entrust IdentityGuard group (iggroup), and Entrust IdentityGuard username (igusername).
  • If your organization's OpenTrust system is configured to return Escrowed Keys only, the OpenTrust administrator must verify that certificates are present for each user in the OpenTrust system. Assigning a user credential profile to users in BlackBerry UEM does not automatically create certificates for users in OpenTrust. In this scenario, a user credential profile can only distribute certificates to users who have an existing certificate in the OpenTrust system.

  1. On the menu bar, click Policies and Profiles.
  2. Click Certificates > User credential.
  3. Click the Add icon.
  4. Type a name and description for the profile. Each certificate profile must have a unique name.
  5. In the Certificate authority connection drop-down list, select the Entrust or OpenTrust connection that you configured.
  6. In the Profile drop-down list, click the appropriate profile.
  7. Specify the values for the profile.
  8. If necessary, you can specify a SAN type and value for an Entrust client certificate.
    1. In the SAN table, click the Add icon.
    2. In the SAN type drop-down list, click the appropriate type.
    3. In the SAN value field, type the SAN value.
      If the SAN type is set to "RFC822 name," the value must be a valid email address. If it is set to "URI," the value must be a valid URL that includes the protocol and FQDN or IP address. If it is set to "NT principal name," the value must be a valid principal name. If it is set to "DNS name," the value must be a valid FQDN.
  9. Specify the Renewal period for the certificate. The period can be between 1 and 120 days.
  10. Click Add.

  • If devices use client certificates to authenticate with a Wi-Fi network, VPN, or mail server, associate the user credential profile with a Wi-Fi, VPN, or email profile.
  • Assign the profile to user accounts and user groups. Android users are prompted to enter a password when they receive the profile (the password is displayed on the screen).
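
The SAN value rules in step 8 and the renewal period range in step 9 can be checked before the values are typed into the console. The following Python script is an added example, not BlackBerry code; its syntax checks are simplified assumptions (for instance, an NT principal name is treated as user@domain), and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Simplified syntax checks (assumptions); UEM's own validation may differ.
_FQDN = re.compile(r"^(?=.{1,253}$)(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+"
                   r"[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])$")
_LOCAL = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]{1,64}$")

def is_fqdn(host):
    return bool(_FQDN.match(host))

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def is_email(value):
    local, sep, domain = value.rpartition("@")
    return bool(sep and _LOCAL.match(local) and is_fqdn(domain))

def is_uri(value):  # needs a protocol (scheme) plus an FQDN or IP address host
    try:
        parts = urlsplit(value)
        host = parts.hostname or ""
    except ValueError:
        return False
    return bool(parts.scheme) and (is_fqdn(host) or is_ip(host))

# SAN types from step 8; NT principal name as user@domain is an assumption.
CHECKS = {"RFC822 name": is_email, "URI": is_uri,
          "NT principal name": is_email, "DNS name": is_fqdn}

def validate_profile(san_entries, renewal_days):  # returns a list of problems
    problems = []
    for san_type, value in san_entries:
        check = CHECKS.get(san_type)
        if check is None:
            problems.append(f"unknown SAN type: {san_type!r}")
        elif not check(value):
            problems.append(f"{san_type}: invalid value {value!r}")
    if not 1 <= renewal_days <= 120:
        problems.append(f"renewal period {renewal_days} is outside 1-120 days")
    return problems

if __name__ == "__main__":  # constructed sample values, not real deployment data
    sample = [("URI", "vpn.example.com"), ("DNS name", "10.0.0.10")]
    print(validate_profile(sample, 150))
```

An empty list means every SAN entry and the renewal period fit the rules stated in the procedure.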