Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.20
  3. Managing secure connections
  4. Using PKI certificates with devices or apps
  5. Managing client certificates for user accounts
  6. Add and manage a client certificate for a user account

Add and manage a client certificate for a user account

  1. In the management console, on the menu bar, click
    Users > Managed devices
    .
  2. Search for and click a user account.
  3. Do any of the following:
    Task
    Steps
    Add a client certificate to a user account
    You can add a client certificate to an individual user account and send the certificate to
    BlackBerry Dynamics
     enabled devices or other managed
    iOS
     and
    Android
     devices. Add client certificates to user accounts when users' devices need certificates for S/MIME or client authentication and the certificate can't be sent to devices via a user credential profile or SCEP profile. The client certificate must have a .pfx or .p12 file name extension. You can send more than one client certificate to devices. You can also use user credential profiles to upload certificates for individual users. User credential profiles can be associated with a
    Wi-Fi
    , VPN, or email profile.
    1. In the
      IT policy and profiles
       section, click The Add icon.
    2. Click
      User certificate
      .
    3. Type a description for the certificate.
    4. In the
      Apply certificate to
       section, select one of the following:
      1. Other managed devices
        : Choose this option to send the certificate to
        iOS
         and
        Android
         devices for all supported uses other than for
        BlackBerry Dynamics
         apps.
      2. BlackBerry Dynamics enabled devices
        : Choose this option to send the certificate to devices to use with
        BlackBerry Dynamics
         apps.
    5. In the
      Certificate file
       field, click
      Browse
      . Navigate to and select the certificate file.
    6. If you select
      Other managed devices
      , in the
      Password
       field, type a password for the certificate. For
      iOS
       devices, a password is required. For
      Android
       devices, you do not have to provide a password if the device is running the latest version of the
      UEM Client
      . If you don't set a password, the user must enter the device password.
    7. Click
      Add
    8. Configure the time to live for client certificates. The default time to live before the client certificates are removed is 24 hours.
      1. On the menu bar, click
        Settings > General settings > Certificates
        .
      2. Specify the time to live for PKCS#12 certificates on the server.
    Renew or remove a
    BlackBerry Dynamics
     certificate for a user account
    You can send a command to a user's device to request certificate renewal from the CA. You can also remove a
    BlackBerry Dynamics
     certificate from a user's device. If you remove a certificate, the
    BlackBerry Dynamics
     PKI connector sends a notification to the CA that the certificate is no longer in use, but the certificate is not automatically revoked.
    In the
    User certificates
     section, perform one of the following actions:
    1. Click The Renew icon to request certificate renewal from the CA.
    2. Click The Remove icon to remove the certificate from the user's devices.
    To remove an
    Entrust
     smart credential from a device, the user must also deactivate the smart credential in the
    BlackBerry UEM Client
    .
    Add a client certificate to a user credential profile
    You can upload certificates for individual users to a user credential profile. Users can also upload their certificate to the user credential profile using
    UEM Self-Service
    . Uploading certificates to user credential profiles is supported for
    iOS
     devices and for
    Android Enterprise
     devices.
    The client certificate must have a .pfx or .p12 file name extension. If you or a user uploads a new certificate to the user credential profile, it replaces the existing certificate on the users devices.
    Before you begin:
    1. In the
      IT policy and profiles
       section, beside the user credential profile, click
      Add a certificate
      .
    2. Click
      Browse
      . Navigate to and select the certificate.
    3. Type the password for the certificate. For
      iOS
       devices, the password is required. For
      Android
       devices, you do not have to provide the password in
      UEM
       if the device is running the latest version of the
      UEM Client
      . If you don't specify the password, the user must enter the device password.
    4. Click
      Add
      .
    Change a client certificate for a user credential profile
    The new certificate will replace the existing certificate on the device.
    1. In the
      IT policy and profiles
       section, beside the user credential profile, click
      Update
      .
    2. Click
      Browse
       to locate the certificate.
    3. Type the password for the certificate. For
      iOS
       devices, the password is required. For
      Android
       devices, you do not have to provide the password in
      UEM
       if the device is running the latest version of
      UEM Client
      . If you don't specify the password, the user must enter the device password.
    4. Click
      Save
      .