Sending certificates to devices and apps using profiles
You can send certificates to devices and apps using the following profiles:
- CA certificate profiles specify a CA certificate that devices and BlackBerry Dynamics apps can use to trust the identity associated with any client or server certificate that has been signed by that CA.
- User credential profiles send certificates to devices in the following ways:
- SCEP profiles specify how devices and BlackBerry Dynamics apps connect to, and obtain client certificates from, your organization's CA using a SCEP service.
- Shared certificate profiles specify a client certificate. UEM sends the same client certificate to every user that the profile is assigned to.
For Android devices, you can also send a client certificate to a device by adding the certificate directly to a user account. For more information, see Add and manage a client certificate for a user account.
For Android devices, if your organization uses certificates for S/MIME, you can also use profiles to allow devices to get recipient public keys and check certificate status. For more information, see Extending email security using S/MIME.
For BlackBerry Dynamics apps to use certificates sent by profiles, you must select "Allow BlackBerry Dynamics apps to use user certificates, SCEP profiles, and user credential profiles" for the specific app on the Settings > BlackBerry Dynamics tab.
The type of profile that you choose depends on how your organization uses certificates and the types of devices that your organization supports. Consider the following guidelines:
- To use SCEP profiles, you must have a CA that supports SCEP.
- If you have set up a connection between UEM and your organization's PKI solution, use user credential profiles to send certificates to devices. You can connect directly to an Entrust CA or OpenTrust CA. You can also use a BlackBerry Dynamics PKI connector to connect to a CA server to enroll certificates for BlackBerry Dynamics enabled devices.
- To use certificates with BlackBerry Dynamics apps, you must use a user credential profile or add the certificates to individual user accounts.
- To allow users to upload certificates that they can use to connect to your work Wi-Fi network, work VPN, and work mail server, use a user credential profile.
- To use client certificates for Wi-Fi, VPN, and mail server authentication, you must associate the certificate profile with a Wi-Fi, VPN, or email profile.
- Android Enterprise devices don't support using certificates sent to devices by UEM for Wi-Fi authentication.
- Shared certificate profiles and certificates that you add to user accounts do not keep the private key private because you must have access to the private key. Connecting to a CA using SCEP or user credential profiles is more secure because the private key is sent only to the device that the certificate was issued to.
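The last guideline can be checked from the server side: a certificate enrolled through SCEP or a user credential profile should only ever be presented by the one device it was issued to, while a shared certificate shows up on many. The following is an added example, not part of the UEM documentation or product; the CSV layout, field names and sample rows are constructed assumptions standing in for whatever your VPN, Wi-Fi or mail gateway logs.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: hypothetical CSV export of client-certificate logins
# (timestamp, user, device_id, certificate fingerprint). Values are made up
# and the fingerprints are shortened for readability.
SAMPLE_LOG = """\
timestamp,user,device_id,cert_sha256
2024-05-01T08:00:11Z,alice,dev-a1,AA:11:22:33
2024-05-01T08:02:40Z,bob,dev-b1,aa112233
2024-05-01T08:05:02Z,carol,dev-c1,CC:44:55:66
2024-05-01T08:09:30Z,carol,dev-c2,DD:77:88:99
2024-05-01T09:15:00Z,alice,dev-a1,AA:11:22:33
2024-05-01T09:20:00Z,dave,dev-d1,AA:11:22:33
"""


def normalize_fingerprint(value):
    """Lower-case and drop separators so 'AA:11' and 'aa11' compare equal."""
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


def find_shared_certificates(log_text):
    """Return certificates presented by more than one device.

    Result maps fingerprint -> {"users": [...], "devices": [...]}.
    """
    seen = defaultdict(lambda: {"users": set(), "devices": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        fp = normalize_fingerprint(row["cert_sha256"])
        if not fp:
            continue  # no client certificate recorded for this login
        seen[fp]["users"].add(row["user"].strip().lower())
        seen[fp]["devices"].add(row["device_id"].strip())
    return {
        fp: {"users": sorted(v["users"]), "devices": sorted(v["devices"])}
        for fp, v in seen.items()
        if len(v["devices"]) > 1
    }


if __name__ == "__main__":
    for fp, info in find_shared_certificates(SAMPLE_LOG).items():
        print(f"{fp}: {len(info['devices'])} devices, users: {', '.join(info['users'])}")
```

A certificate that appears in the result cannot be attributed to a single device, which is the trade-off the guideline describes for shared certificate profiles and certificates added to user accounts.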