Create a SCEP profile Skip Navigation

Create a SCEP profile

The required profile settings depend on the SCEP service configuration in your organization's environment and vary depending on whether the certificate is used by a
BlackBerry Dynamics
app or by a specified device type.
You can use a variable in any text field to reference a value instead of specifying the actual value.
If you want to use a SCEP profile to distribute
OpenTrust
client certificates to devices, you must apply a hotfix to your
OpenTrust
software. For more information, contact your
OpenTrust
support representative and reference support case SUPPORT-798.
  1. On the menu bar, click
    Policies and profiles > Certificates > SCEP
    .
  2. Click The Add icon.
  3. Type a name and description for the profile.
  4. In the
    Certificate authority connection
    drop-down list, perform one of the following actions:
    • To use an
      Entrust
      connection that you configured, click the appropriate connection. In the
      Profile
      drop-down list, click a profile. Specify the values for the profile.
    • To use an
      OpenTrust
      connection that you configured, click the appropriate connection. In the
      Profile
      drop-down list, click a profile. Specify the values for the profile. Note that the following settings in the SCEP profile do not apply to
      OpenTrust
      client certificates: Key usage, Extended key usage, Subject, and SAN.
    • To use another CA, click
      Generic
      . In the
      SCEP challenge type
      drop-down list, select
      Static
      or
      Dynamic
      and specify the required settings for the challenge type.
      For
      Windows
      devices, only static passwords are supported.
  5. In the
    URL
    field, type the URL for the SCEP service. The URL should include the protocol, FQDN, port number, and SCEP path.
  6. In the
    Instance name
    field, type the instance name for the CA.
  7. Optionally, clear the check box for any device type that you do not want to configure the profile for.
  8. Perform the following actions:
    1. Click the tab for a device type.
    2. Configure the appropriate values for each profile setting to match the SCEP service configuration in your organization's environment. See the following:
  9. Repeat step 8 for each device type in your organization.
  10. Click
    Add
    .
If devices use the client certificate to authenticate with a work
Wi-Fi
network, work VPN, or work mail server, associate the SCEP profile with a
Wi-Fi
, VPN, or email profile.