Changing the certificates that BlackBerry UEM uses for authentication

When you install BlackBerry UEM on-premises, the setup application generates several self-signed certificates that are used to authenticate communication between various UEM components and with devices. You can change the certificates if your organization's security policy requires that certificates be signed by your organization's CA, or if you want to use certificates issued by a CA that devices and browsers already trust.

If problems occur when you change a certificate, communication between UEM components and between UEM and devices can be disrupted. If you choose to change any certificates, plan and test the change carefully.

You can change the following certificates:

| Certificate | Description |
| --- | --- |
| Apple profile signing certificate | This is the certificate that UEM uses to sign the MDM profile that users must accept when they activate iOS devices. If you are using a certificate signed by a CA, verify that the root certificate for the CA is installed on users' iOS devices before activation. |
| SSL certificate for consoles | This is the SSL certificate that the management console and UEM Self-Service use to authenticate browsers. If you configure high availability, the certificate must have the name of the UEM domain. You can find the domain name in the management console under Settings > Infrastructure > Instances. |
| SSL certificates for the BlackBerry Web Services | This is the SSL certificate that the BlackBerry Web Services use to authenticate applications that use the BlackBerry Web Services APIs to manage UEM. If you configure high availability, the certificate must have the name of the UEM domain. You can find the domain name in the management console under Settings > Infrastructure > Instances. |
| SSL certificate for BlackBerry Dynamics apps | This is the SSL certificate that the BlackBerry Dynamics Launcher uses to establish a secure communication channel with UEM. BlackBerry Dynamics apps that include the integrated BlackBerry Dynamics Launcher can present the certificate to UEM to authenticate with the server. |
| Certificate for application management | This is the SSL certificate that is used for authentication between UEM and BlackBerry Dynamics apps. The root CA certificate is stored in the list of trusted CA certificates on the device. When the server authenticates with the device, the server presents this certificate to the device for validation. If you change this certificate and the change becomes effective before UEM pushes the certificate to all BlackBerry Dynamics apps, any apps that did not receive the certificate must be reactivated. |
| Certificate for Direct Connect | This is the SSL certificate that is used for authentication between a BlackBerry Proxy server configured for BlackBerry Dynamics Direct Connect and BlackBerry Dynamics apps on devices. When you update this certificate, the new version will always be sent to devices over a non-BlackBerry Dynamics Direct Connect connection. Any devices or containers that are not online at the time of the change will receive the update when they come back online. Updating this certificate should be done on the UEM server and any applicable networking appliances at the same time. For more information on setting up Direct Connect, see Configuring Direct Connect with BlackBerry UEM. |
| Certificate for BlackBerry Dynamics servers | This is the SSL certificate that authenticates connections between UEM and BlackBerry Proxy. |
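
A pre-change check for the high-availability name requirement above, as an added example that is not BlackBerry code: this PowerShell script inspects a candidate console or BlackBerry Web Services certificate and reports whether it carries the UEM domain name, chains to a CA that the local Windows host trusts, and has enough validity left. The parameter names, the helper function and the 30-day threshold are assumptions made for illustration.

```powershell
# Added example, not BlackBerry code: pre-change check of a replacement
# console / BlackBerry Web Services certificate, run on a Windows host.
param(
    [Parameter(Mandatory)] [string] $CertPath,   # hypothetical path to the candidate .cer file
    [Parameter(Mandatory)] [string] $UemDomain,  # name from Settings > Infrastructure > Instances
    [int] $MinDaysValid = 30                     # assumed threshold, adjust to your policy
)

# Hypothetical helper: compare one certificate name with the expected host name.
function Test-CertName {
    param([string] $Pattern, [string] $HostName)
    if ($Pattern.StartsWith('*.')) {
        # A wildcard matches exactly one left-most label.
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot) -ieq $Pattern.Substring(1))
    }
    return $Pattern -ieq $HostName
}

$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# DnsNameList is the PowerShell-provided view of the subject CN and SAN DNS entries.
$names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$nameOk = [bool]($names | Where-Object { Test-CertName $_ $UemDomain })

# Build the chain against this host's trust stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is skipped so the check also works offline; enable it if CRL/OCSP is reachable.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Subject        = $cert.Subject
    Names          = $names -join ', '
    MatchesDomain  = $nameOk
    SelfSigned     = ($cert.Subject -eq $cert.Issuer)
    ChainTrusted   = $chainOk
    ChainProblems  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    DaysRemaining  = [int]($cert.NotAfter - (Get-Date)).TotalDays
    ExpiresTooSoon = $cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)
}
```

A result with MatchesDomain or ChainTrusted set to False, or ExpiresTooSoon set to True, is a reason to reissue the certificate before scheduling the change.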