
Send client certificates to devices using ACME

Automated Certificate Management Environment (ACME) solutions allow organizations to automate certificate lifecycle operations between a Certificate Authority and devices, including the issuance, renewal, and revocation of client certificates. If your organization uses an ACME solution, you can create and assign ACME profiles so that iOS devices activated on UEM can communicate with the ACME server to obtain and manage client certificates. Note that BlackBerry Dynamics apps do not currently support the use of ACME to obtain and manage client certificates.

ACME profiles are currently available in UEM Cloud only. They will be made available in UEM on-premises in an upcoming release.
  1. In the management console, on the menu bar, click Policies and profiles > Certificates > ACME.
  2. Click the Add icon.
  3. Type a name and description for the profile.
  4. In the Directory URL field, type the URL of the ACME server.
    Include the protocol, FQDN, port, and directory path defined in the ACME specification (RFC 8555). For example: https://acme.cbbcps.com/directory. Use an https URL: ACME requires TLS for every request the device sends to the server, and the directory document is the root from which the device discovers every other ACME endpoint.
  5. In the Subject field, type the subject name for certificate requests.
    The value must be a distinguished name, for example, /C=CA/O=BlackBerry Limited/CN=user01 or C=CA,O=BlackBerry Limited,CN=user01. You can use the %UserDistinguishedName% variable.
  6. If you want to specify a subject alternative name for certificate requests, in the SAN type drop-down list, select the appropriate SAN type and do the following:
    1. In the SAN Value field, specify the appropriate value. For RFC822, specify a valid email address (you can use the %UserEmailAddress% variable). For DNS name, specify the FQDN. For URI, specify the IP address or URL, including the protocol and FQDN.
    2. In the NT principal name field, specify the principal name for certificate requests. You can use the %UserPrincipalName% variable.
  7. In the Key algorithm drop-down list, select the algorithm that devices will use to generate the client key pair.
  8. In the RSA strength drop-down list, select the key size that will be used to generate the client key pair.
  9. If you do not want the private key to be exportable from the device keychain, clear the Extractable key check box. A non-extractable key stays bound to the device, which is the safer choice for a key used only to authenticate that device.
  10. If you want all apps on a device to be able to use the private key, select the Access private key check box. Leave it cleared unless a specific app needs the key; otherwise any app on the device can sign with it.
  11. In the Key usage section, select the cryptographic operations that you want the public key in the certificate to be used for.
  12. If you want to extend the use of the public key to other operations, in the Extended key usage section, click the Add icon and specify the object identifier (OID) for the operation (for example, 1.3.6.1.5.5.7.3.2 for TLS client authentication). Repeat as necessary.
  13. Click Save.
  • Assign the profile to users and groups as necessary.
  • If devices use the client certificate to authenticate with a work Wi-Fi network, work VPN, or work mail server, associate the ACME profile with a Wi-Fi, VPN, or email profile.
  • If you create more than one ACME profile, rank the profiles.
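The values entered in steps 4 to 6 are easy to get subtly wrong (an http URL, a directory path left off, a malformed DN, a SAN that does not match its type, a variable name that is never substituted), and the console only reports the failure when a device tries to enroll. The script below is an added example, not BlackBerry UEM code, that checks those inputs before the profile is saved: it validates the Directory URL and a directory document against the fields RFC 8555 requires, parses the Subject in either of the two notations the page accepts, checks a SAN value against its SAN type, and expands the %UserDistinguishedName%, %UserEmailAddress% and %UserPrincipalName% variables. The directory document, the user record and the endpoint paths under acme.cbbcps.com are constructed sample data, and the profile dictionary shape is an assumption made for the example, not the console's own data model.

```python
"""Pre-flight checks for the values an ACME profile asks for.

Added example, not BlackBerry UEM code. The sample directory document,
user record and profile dictionary below are constructed for this example.
"""
import json
import re
from urllib.parse import urlsplit

# RFC 8555 section 7.1.1: resources every ACME directory object must advertise.
REQUIRED_DIRECTORY_FIELDS = ("newNonce", "newAccount", "newOrder")

# Constructed sample of what GET <Directory URL> returns; the host is the
# page's example host, the endpoint paths are assumed.
SAMPLE_DIRECTORY_JSON = json.dumps({
    "newNonce": "https://acme.cbbcps.com/acme/new-nonce",
    "newAccount": "https://acme.cbbcps.com/acme/new-account",
    "newOrder": "https://acme.cbbcps.com/acme/new-order",
    "revokeCert": "https://acme.cbbcps.com/acme/revoke-cert",
})

# Constructed user record standing in for the directory attributes that
# UEM substitutes for the profile variables.
SAMPLE_USER = {
    "%UserDistinguishedName%": "CN=user01,OU=Staff,O=BlackBerry Limited,C=CA",
    "%UserEmailAddress%": "user01@example.com",
    "%UserPrincipalName%": "user01@example.com",
}

# Assumed shape of a profile as filled in on the console form.
EXAMPLE_PROFILE = {
    "directory_url": "https://acme.cbbcps.com/directory",
    "subject": "%UserDistinguishedName%",
    "san_type": "RFC822",
    "san_value": "%UserEmailAddress%",
}

FQDN_RE = re.compile(r"(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z0-9-]{1,63}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
VARIABLE_RE = re.compile(r"%[A-Za-z]+%")


def check_directory_url(url):
    """Return the problems with a Directory URL (empty list if acceptable).
    The field wants protocol, FQDN, optional port and directory path, and
    ACME requires https for every request to the server."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname or not FQDN_RE.fullmatch(parts.hostname):
        problems.append("host must be an FQDN")
    try:
        _ = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append("port is not valid")
    if parts.path in ("", "/"):
        problems.append("directory path is missing (for example /directory)")
    return problems


def check_directory_document(body):
    """Return problems with a directory JSON body: required RFC 8555 fields
    that are missing, or present but not https URLs."""
    doc = json.loads(body)
    problems = []
    for field in REQUIRED_DIRECTORY_FIELDS:
        if field not in doc:
            problems.append(f"missing {field}")
        elif urlsplit(str(doc[field])).scheme != "https":
            problems.append(f"{field} is not an https URL")
    return problems


def parse_subject(subject):
    """Parse /C=CA/O=BlackBerry Limited/CN=user01 or C=CA,O=BlackBerry Limited,CN=user01
    into an ordered list of (attribute, value) pairs. Values that contain the
    separator character are not handled (the page shows none)."""
    text = subject.strip()
    separator = "/" if text.startswith("/") else ","
    rdns = []
    for part in text.split(separator):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = (s.strip() for s in part.split("=", 1))
        if not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.upper(), value))
    if not any(attr == "CN" for attr, _ in rdns):
        raise ValueError("subject has no CN")
    return rdns


def check_san(san_type, value):
    """Return problems with a SAN value for the SAN type chosen in the profile."""
    if san_type == "RFC822":
        return [] if EMAIL_RE.fullmatch(value) else ["RFC822 value must be an email address"]
    if san_type == "DNS":
        return [] if FQDN_RE.fullmatch(value) else ["DNS value must be an FQDN"]
    if san_type == "URI":
        parts = urlsplit(value)
        return [] if parts.scheme and parts.netloc else ["URI value must include the protocol and host"]
    return [f"unknown SAN type {san_type!r}"]


def expand_variables(template, user=SAMPLE_USER):
    """Substitute the profile variables from the user record. An unknown
    variable is an error, not a literal %...% ending up in the certificate."""
    text = template
    for name, value in user.items():
        text = text.replace(name, value)
    leftover = VARIABLE_RE.findall(text)
    if leftover:
        raise ValueError(f"unresolved variables: {leftover}")
    return text


def check_profile(profile, user=SAMPLE_USER, directory_body=None):
    """Run every check on a profile and return the problems found."""
    problems = check_directory_url(profile["directory_url"])
    if directory_body is not None:
        problems += check_directory_document(directory_body)
    try:
        parse_subject(expand_variables(profile["subject"], user))
    except ValueError as exc:
        problems.append(f"subject: {exc}")
    if profile.get("san_type"):
        try:
            problems += check_san(profile["san_type"], expand_variables(profile["san_value"], user))
        except ValueError as exc:
            problems.append(f"san: {exc}")
    return problems


if __name__ == "__main__":
    print("good profile:", check_profile(EXAMPLE_PROFILE, directory_body=SAMPLE_DIRECTORY_JSON))
    print("bad profile:", check_profile({"directory_url": "http://acme/directory", "subject": "O=Org"}))
```

To check a live server, fetch the Directory URL with any HTTPS client and pass the response body as `directory_body`; the script itself makes no network calls so that it runs offline.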