Add and manage a client certificate for a user account Skip Navigation

Add and manage a client certificate for a user account

  1. In the management console, on the menu bar, click
    Users > Managed devices
    .
  2. Search for and click a user account.
  3. Do any of the following:
    Task
    Steps
    Add a client certificate to a user account
    You can add a client certificate to an individual user account and send the certificate to
    BlackBerry Dynamics
    enabled devices or other managed
    iOS
    and
    Android
    devices. Add client certificates to user accounts when users' devices need certificates for S/MIME or client authentication and the certificate can't be sent to devices via a user credential profile or SCEP profile. The client certificate must have a .pfx or .p12 file name extension. You can send more than one client certificate to devices. You can also use user credential profiles to upload certificates for individual users. User credential profiles can be associated with a
    Wi-Fi
    , VPN, or email profile.
    1. In the
      IT policy and profiles
      section, click The Add icon.
    2. Click
      User certificate
      .
    3. Type a description for the certificate.
    4. In the
      Apply certificate to
      section, select one of the following:
      1. Other managed devices
        : Choose this option to send the certificate to
        iOS
        and
        Android
        devices for all supported uses other than for
        BlackBerry Dynamics
        apps.
      2. BlackBerry Dynamics enabled devices
        : Choose this option to send the certificate to devices to use with
        BlackBerry Dynamics
        apps.
    5. In the
      Certificate file
      field, click
      Browse
      . Navigate to and select the certificate file.
    6. If you select
      Other managed devices
      , in the
      Password
      field, type a password for the certificate. For
      iOS
      devices, a password is required. For
      Android
      devices, you do not have to provide a password if the device is running the latest version of the
      UEM Client
      . If you don't set a password, the user must enter the device password.
    7. Click
      Add
    8. Configure the time to live for client certificates. The default time to live before the client certificates are removed is 24 hours.
      1. On the menu bar, click
        Settings > General settings > Certificates
        .
      2. Specify the time to live for PKCS#12 certificates on the server.
    Renew or remove a
    BlackBerry Dynamics
    certificate for a user account
    You can send a command to a user's device to request certificate renewal from the CA. You can also remove a
    BlackBerry Dynamics
    certificate from a user's device. If you remove a certificate, the
    BlackBerry Dynamics
    PKI connector sends a notification to the CA that the certificate is no longer in use, but the certificate is not automatically revoked.
    In the
    User certificates
    section, perform one of the following actions:
    1. Click The Renew icon to request certificate renewal from the CA.
    2. Click The Remove icon to remove the certificate from the user's devices.
    To remove an
    Entrust
    smart credential from a device, the user must also deactivate the smart credential in the
    BlackBerry UEM Client
    .
    Add a client certificate to a user credential profile in an on-premises environment
    You can upload certificates for individual users to a user credential profile. Users can also upload their certificate to the user credential profile using
    UEM Self-Service
    . Uploading certificates to user credential profiles is supported for
    iOS
    devices and for
    Android Enterprise
    devices.
    The client certificate must have a .pfx or .p12 file name extension. If you or a user uploads a new certificate to the user credential profile, it replaces the existing certificate on the users devices.
    Before you begin:
    1. In the
      IT policy and profiles
      section, beside the user credential profile, click
      Add a certificate
      .
    2. Click
      Browse
      . Navigate to and select the certificate.
    3. Type the password for the certificate. For
      iOS
      devices, the password is required. For
      Android
      devices, you do not have to provide the password in
      UEM
      if the device is running the latest version of the
      UEM Client
      . If you don't specify the password, the user must enter the device password.
    4. Click
      Add
      .
    Change a client certificate for a user credential profile in an on-premises environment
    The new certificate will replace the existing certificate on the device.
    1. In the
      IT policy and profiles
      section, beside the user credential profile, click
      Update
      .
    2. Click
      Browse
      to locate the certificate.
    3. Type the password for the certificate. For
      iOS
      devices, the password is required. For
      Android
      devices, you do not have to provide the password in
      UEM
      if the device is running the latest version of
      UEM Client
      . If you don't specify the password, the user must enter the device password.
    4. Click
      Save
      .