Configure certificate-based console authentication

In an on-premises BlackBerry UEM environment, you can set up certificate-based authentication so that administrators can log in using an authentication certificate. UEM verifies certificates against the issuer, verifies that the certificate is valid using the certificate OCSP or CRL settings, and verifies that the certificate matches a user in the UEM database. This feature is not supported for UEM Cloud.

Get copies, in .cer or .der format, of the certificates of the CAs that issue your administrators' and users' client certificates.

  1. In the management console, on the menu bar, click Settings > General settings > Certificate-based console authentication.
  2. Select the Enable certificate-based authentication check box.
  3. Click Browse and navigate to the CA certificate files. UEM trusts all certificates issued by that CA. Repeat this step to upload additional certificates.
  4. To require UEM to verify that the user principal name in the certificate matches a user in the UEM database, select the Check for user principal name for SAN check box.
    If the user principal name in the certificate matches a known user, UEM grants access according to the user's permissions.
  5. To require UEM to verify that the user email address in the certificate matches a user email address in the UEM database, select the Check for email address check box.
    If the user email address in the certificate matches a known user, UEM grants access according to the user's permissions. If you select both Check for user principal name for SAN and Check for email address, UEM checks the principal name before the email address and grants access if the principal name matches. If neither check finds a match between the certificate and a known user, UEM denies access.
  6. Click Save.

If users access UEM using Mozilla Firefox, they must add their client certificate to the Firefox certificate store to authenticate with UEM using certificate-based authentication.
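
To see before rollout which identity an administrator certificate would present to the checks in steps 4 and 5, the following added example (not BlackBerry code) reads the user principal name and email address from a certificate's subject alternative name and applies the match order described above. The `by_upn` and `by_email` lookup tables stand in for the UEM database, exact string comparison is an assumption, and `SAMPLE_EXT` is a constructed extension rather than a real certificate.

```python
# Added example, not BlackBerry code; exact-match lookups are an assumption.
import base64

SAN_OID = bytes.fromhex("551d11")                 # 2.5.29.17 subjectAltName
UPN_OID = bytes.fromhex("2b060104018237140203")   # 1.3.6.1.4.1.311.20.2.3 UPN

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                              # long form: n - 0x80 length bytes
            n, i = int.from_bytes(buf[i:i + n - 0x80], "big"), i + n - 0x80
        yield tag, buf[i:i + n]
        i += n

def find_san(buf):
    """Return the SAN extension value found anywhere in DER data, or None."""
    for tag, val in tlvs(buf):
        if tag & 0x20:                            # constructed: descend into it
            kids = list(tlvs(val))
            found = kids[-1][1] if kids[:1] == [(0x06, SAN_OID)] else find_san(val)
            if found is not None:
                return found

def san_identities(cert):
    """Return (upn, email) from DER or PEM certificate bytes; either may be None."""
    if b"-----BEGIN CERTIFICATE-----" in cert:    # Base64 .cer: strip the armor
        cert = base64.b64decode(b"".join(cert.split(b"-----")[2].split()))
    upn, email, san = None, None, find_san(cert)
    for tag, val in tlvs(next(tlvs(san))[1] if san else b""):
        if tag == 0x81 and email is None:         # rfc822Name (email address)
            email = val.decode("ascii")
        elif tag == 0xA0 and upn is None:         # otherName {type OID, [0] value}
            (_, oid), (_, wrapped) = tlvs(val)
            if oid == UPN_OID:
                upn = next(tlvs(wrapped))[1].decode("utf-8")
    return upn, email

def resolve_user(upn, email, by_upn, by_email, check_upn=True, check_email=True):
    """Match order from the page: UPN first, then email, else None (deny)."""
    hit = by_upn.get(upn) if check_upn else None
    return hit or (by_email.get(email) if check_email else None)

def enc(tag, body):                               # encoder for the constructed sample
    return bytes([tag, len(body)]) + body
SAMPLE_EXT = enc(0x30, enc(0x06, SAN_OID) + enc(0x04, enc(0x30,
    enc(0xA0, enc(0x06, UPN_OID) + enc(0xA0, enc(0x0C, b"jdoe@example.com")))
    + enc(0x81, b"john.doe@example.com"))))
```

Pass the bytes of a real client certificate file to `san_identities` to see the values the two checks compare; a certificate whose principal name and email address belong to different users resolves to the principal-name user when both checks are selected.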