Configuring BlackBerry devices to enroll certificates over the wireless network
You can configure the BlackBerry Enterprise Server to permit BlackBerry devices to enroll certificates that the devices can
use with any PKI-enabled application or process. You can permit devices to enroll the certificates instead of instructing
users to send the certificates to themselves in an email message or use the certificate synchronization tool in the
BlackBerry Desktop Software. When you configure the BlackBerry Enterprise Server to permit devices to enroll certificates,
you can control how users request certificates and which certification authority issues the certificates.
For example, you might want Wi-Fi enabled BlackBerry devices to enroll certificates so that they can authenticate to an
enterprise Wi-Fi network.
You can enroll certificates from one of the following certification authorities:
• RSA certification authority
• Microsoft standalone certification authority
• Microsoft enterprise certification authority
During the enrollment process, the BlackBerry MDS Connection Service can verify the certificate if the certificate includes
an email address in the subject DN. The BlackBerry MDS Connection Service verifies the certificate by checking if the
email address in the subject DN of the certificate matches the email address that is assigned to the device. For more
information about the enrollment process, see the BlackBerry Enterprise Solution Security Technical Overview.
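The subject DN email check described above, sketched as an added example; it is not BlackBerry code and does not describe how the BlackBerry MDS Connection Service is implemented. It assumes the subject DN is available as an RFC 4514-style string and that addresses compare case-insensitively; `split_dn` and `verify_subject_email` are hypothetical names, and the sample DNs are constructed.

```python
# Added example, not BlackBerry code. Assumption: the subject DN arrives as an
# RFC 4514-style string such as "CN=Alice,E=alice@example.com,O=Example Corp".

# Attribute type names (and the PKCS #9 OID) that carry an email address.
EMAIL_ATTRS = {"E", "EMAIL", "EMAILADDRESS", "1.2.840.113549.1.9.1"}

def split_dn(dn):
    """Split a DN string into (TYPE, value) pairs, honouring backslash escapes.

    Simplified parser: hex escapes (\\2C) and quoted values are not decoded.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:              # character after a backslash is literal
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":         # unescaped separators end an attribute
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if sep:
            pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs

def verify_subject_email(subject_dn, assigned_email):
    """Return 'match', 'mismatch', or 'no-email' (nothing to verify against).

    Only a dedicated email attribute counts; an address that merely appears
    inside CN is ignored. Comparison is exact, never a substring test.
    Assumption: if several email attributes exist, all of them must match.
    """
    emails = [v for t, v in split_dn(subject_dn) if t in EMAIL_ATTRS]
    if not emails:
        return "no-email"
    wanted = assigned_email.strip().lower()
    return "match" if all(e.lower() == wanted for e in emails) else "mismatch"

if __name__ == "__main__":
    # Constructed sample DNs.
    print(verify_subject_email("CN=Alice,E=alice@example.com", "alice@example.com"))
    print(verify_subject_email("CN=alice@example.com,E=mallory@example.com", "alice@example.com"))
```
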
You can make the certificate enrollment process required so that devices automatically start the certificate enrollment
process after the devices receive the updated IT policy from the BlackBerry Enterprise Server. If you do not make the
certificate enrollment process required, you must instruct users to start the CA Profile Manager on the devices manually.
Configure the certificate information using IT policies
You must configure the certificate information that BlackBerry devices can use to create certificate requests so that the
certificate enrollment process can occur.
Administration Guide