Create a user credential profile to use certificates from the native keystore
You can configure the user credential profile to use certificates from the native keystore in the following situations:
- To allowBlackBerry Dynamicsapps to use a certificate from the native keystore onAndroiddevices.
- To allowBlackBerry Dynamicsapps to use a certificate from the native keystore to access cryptographic tokens from PKI apps oniOSdevices.
- To allow theBlackBerry Accessapp to use a certificate from the native keystore onmacOSorWindows 10devices.
Purebred
that adds certificates to the native keystore, you can force the app to select a certificate issued by your Purebred
PKI solution and require that the app use certificates with specified capabilities.
"Native keystore" refers to the keystore on the device. All user credential profiles with Native keystore connectors should be assigned to the user before they start discovering certificates. If a certificate meets the requirements of more than one UCP the best match is chosen.
- On the menu bar, clickPolicies and profiles > Certificates > User credential.
- Click
. - Type a name and description for the profile. Each certificate profile must have a unique name.
- In theCertificate authority connectiondrop-down list, selectNative keystore.
- In theSupported platformssection, select the device OS types that you want this profile to support.
- In theCertificate enrollmentsection, select theAllow optional certificate enrollmentcheck box if you want to allowAndroidusers to dismiss certificate enrollment and complete it later.
- To specify which certificate theBlackBerry Dynamicsapp will use, perform the following actions:
- BesideIssuers, click and type the issuer name.BlackBerry Dynamicsapps will only use a certificate if the specified issuer matches theOpenSSLshort-form OID in the certificate. You can copy this value from the issuer's certificate. Do not put spaces before or after equal sign (=). For example:CN=Acme_cert SMIME,OU=Acme_Legal,O=Acme,C=Can CN=Acme_cert SMIME,OU=Acme_Legal,O=Acme CN=Acme_cert TLS
- In theKey usagesection, select the operations that the certificate supports.BlackBerry Dynamicsapps will only use certificates that have at least the specified key usage value set. For example, an encryption certificate may have a key usage value ofKey encipherment. An authentication certificate may have a key usage value ofDigital signature. A signing certificate may have a key usage value of bothDigital signatureandNonrepudiation.
- In theExtended key usagesection, select the functions that the certificate was issued for.BlackBerry Dynamicsapps will only use certificates if all selected extended key usage values are present in the certificate. Certificates can have additional extended key usage values.
- If the certificate was issued for purposes other than email, client authentication, or smart card login, selectAdditional Object ID usage, click and specify the OID for the key usage. For example, if the certificate will be used for server authentication, it may have the OID 1.3.6.1.5.5.7.3.1
- If you want the device to delete expired certificates, selectDelete expired certificates.
- If you want the device to delete duplicate certificates, select theRemove duplicate certificatecheck box.
- ClickAdd.
- To allowBlackBerry Dynamicsapps to use certificates, on the menu bar, clickApps. Click theBlackBerry Dynamicsapp that you want to change, then on theSettings > BlackBerry Dynamicstab, select theAllow BlackBerry Dynamics apps to use user certificates SCEP profiles, and user credential profilescheckbox.
- Assign the profile to user accounts and user groups.