Skip Navigation

Using PKI certificates with devices or apps

A PKI certificate is a digital document issued by a Certificate Authority (CA) that verifies the identity of a certificate subject and binds the identity to a public key. Each certificate has a corresponding private key that is stored securely and separately. The public key and private key form an asymmetric key pair that can be used for data encryption and identity authentication. A CA signs the certificate to verify that entities that trust the CA can also trust the certificate. The CA can later revoke trust of the certificate, in case of a breach.
Depending on the device capabilities and activation type, devices and apps can use certificates to:
  • Authenticate using SSL/TLS when connecting to web servers that support mutual TLS, including a work mail server.
  • Authenticate with a work
    network or VPN.
  • Encrypt and sign email messages using S/MIME protection.
Multiple certificates used for different purposes can be stored on a device.
BlackBerry UEM
provides a number of profiles to help manage the PKI certificates on the device. For example,
  • CA server trust can be assigned to devices and apps using a CA certificate profile.
  • Automatic enrollment of certificates can be assigned to devices and apps using SCEP and user credential profiles.
  • Retrieval of public encryption certificates can be assigned to devices and apps using the certificate retrieval profile.
  • Checking the certificate revocation status can be assigned to devices and apps using OCSP and CRL profiles.
When you use PKI certificates with devices or apps, you perform the following actions:
Step 1
Step 2
Step 3
Create SCEP, user credential, or shared certificate profiles or upload certificates for a specific user to send client certificates to devices and apps.
Step 4
If necessary, associate certificate profiles with Wi-Fi, VPN, or email profiles.
Step 5
If necessary, assign certificate profiles to user accounts, user groups, or device groups.
Step 6
If using certificates with a
BlackBerry Dynamics
app, in the app settings, select "Allow BlackBerry Dynamics apps to use user certificates, SCEP profiles, and user credential profiles".