User guide

12 Enrolling certificates on a BlackBerry device over the wireless network
You can configure the BlackBerry® Enterprise Server to permit a BlackBerry device to enroll certificates over the wireless network.
You can permit the BlackBerry device to enroll certificates over the wireless network so that you do not have to instruct the user to send the certificates in an email message or to use the certificate synchronization tool in the BlackBerry® Desktop Manager.
You can enroll certificates from one of the following certification authorities:
RSA® certification authority
Microsoft® standalone certification authority
Microsoft enterprise certification authority
For more information about configuring the BlackBerry Enterprise Server to permit the BlackBerry device to enroll certificates over the wireless network, see the BlackBerry Enterprise Server Administration Guide.
Process flow: Enrolling a certificate when the certification authority approves certificate requests automatically
After a BlackBerry® device receives an IT policy that includes a certification authority profile, the enrollment process can start automatically, or you can instruct a user to start it. This process flow assumes that the certification authority in your organization's environment is a Microsoft® enterprise certification authority.
1. The CA Profile Manager on the BlackBerry device generates the key pair for the certificate.
2. The BlackBerry MDS Connection Service authenticates the user.
3. The BlackBerry device requests the user's distinguished name from the BlackBerry® Enterprise Server.
4. The BlackBerry Enterprise Server retrieves the user's distinguished name from the messaging server and sends the distinguished name to the BlackBerry device.
5. The BlackBerry device encrypts the key pair, and stores the key pair, distinguished name, and profile ID for the certification authority in the persistent store in flash memory.
6. The CA Profile Manager creates the PKCS #10 certificate request, and signs it with the private key.
7. The BlackBerry device sends the certificate request, profile ID for the certification authority, and Windows® login information to the BlackBerry MDS Connection Service.
8. The BlackBerry MDS Connection Service performs one of the following actions:
sends the certificate chain to the BlackBerry Enterprise Server if the certificate chain is in the BlackBerry MDS Connection Service cache
retrieves the certificate chain from the certification authority and sends it to the BlackBerry Enterprise Server if the certificate chain is not in the BlackBerry MDS Connection Service cache
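The device-side work of steps 1 and 6 (generate the key pair, build a PKCS #10 request for the retrieved distinguished name, sign it with the private key) and the check a certification authority makes on that request before issuing, shown as an added Go example that is not BlackBerry code. The key algorithm (ECDSA P-256), the distinguished name and the function names are assumptions; the BlackBerry MDS Connection Service transport and the certificate chain returned in step 8 are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
)

// enroll performs steps 1 and 6: generate the key pair, then create the
// PKCS #10 request carrying the user's distinguished name (step 4) and
// signed with the private key. ECDSA P-256 is an assumption of this example.
func enroll(dn pkix.Name) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: dn}, key)
}

// verifyPKCS10 is the certification authority's check before issuing:
// parse the DER request and verify its self-signature. A request altered
// in transit, or signed with a key other than the one it carries, fails.
func verifyPKCS10(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

func main() {
	// Constructed distinguished name standing in for the one the
	// BlackBerry Enterprise Server returns from the messaging server.
	dn := pkix.Name{CommonName: "Alice Example", Organization: []string{"Example Org"}}
	der, err := enroll(dn)
	if err == nil {
		_, err = verifyPKCS10(der)
	}
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})))
}
```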
Security Technical Overview