User guide
Data flow: Enrolling a certificate when the certification authority approves certificate requests automatically

After a BlackBerry device receives an IT policy that includes a certification authority profile, the enrollment process can start automatically, or you can instruct a user to start it. This process flow assumes that the certification authority in your organization's environment is a Microsoft enterprise certification authority.

1. The CA Profile Manager on the device generates the key pair for the certificate.
2. The BlackBerry MDS Connection Service authenticates the user.
3. The device requests the user's distinguished name from the BlackBerry Enterprise Server.
4. The BlackBerry Enterprise Server retrieves the user's distinguished name from the messaging server and sends the distinguished name to the device.
5. The device encrypts the key pair, and stores the key pair, distinguished name, and profile ID for the certification authority in the persistent store in flash memory.
6. The CA Profile Manager creates the PKCS #10 certificate request, and signs it with the private key.
7. The device sends the certificate request, profile ID for the certification authority, and Windows login information to the BlackBerry MDS Connection Service.
8. The BlackBerry MDS Connection Service performs one of the following actions:
   • sends the certificate chain to the BlackBerry Enterprise Server if the certificate chain is in the BlackBerry MDS Connection Service cache
   • retrieves the certificate chain from the certification authority and sends it to the BlackBerry Enterprise Server if the certificate chain is not in the BlackBerry MDS Connection Service cache
9. The BlackBerry Enterprise Server sends the certificate chain to the device.
10. The BlackBerry MDS Connection Service sends a status update to the device and sends the certificate request to the certification authority that is associated with the profile ID.
11. The certification authority issues the certificate, publishes it to the LDAP server, and notifies the BlackBerry MDS Connection Service that the certificate is available.
12. The BlackBerry MDS Connection Service performs the following actions:
   a. retrieves the certificate from the LDAP server that the certification authority publishes the certificate to
   b. sends the certificate to the BlackBerry Enterprise Server
13. The BlackBerry Enterprise Server performs the following actions:
Security Technical Overview Managing certificates on a device
107
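As an added example (not BlackBerry's code and not part of this document), the following Go program models the cryptographic core of steps 1, 6, 11 and 13 above: the device generates a key pair and a PKCS #10 request for its directory-supplied distinguished name and signs it with the private key; the certification authority checks that self-signature (proof of possession) and the subject before issuing; and the device chains the issued certificate back to the CA certificate it received earlier and confirms it carries the key it generated. The self-signed test CA, the DN values, the ECDSA P-256 key type and the function names are constructed assumptions; the BlackBerry components, the LDAP publication and the encrypted persistent store are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// deviceKeyAndCSR models steps 1 and 6: generate the key pair and produce a
// PKCS #10 request for the directory DN, signed with the private key.
func deviceKeyAndCSR(dn pkix.Name) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: dn}, key)
	return key, csrDER, err
}

// newTestCA builds a constructed, self-signed root that stands in for the
// enterprise certification authority (assumption: not a real CA).
func newTestCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// caIssue models the CA side of step 11. Before issuing, the CA verifies that
// the request is signed by the key it carries (proof of possession) and that
// the subject equals the DN the directory supplied, so a request cannot name
// another user or present a key the requester does not hold.
func caIssue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csrDER []byte, expectedDN pkix.Name) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("rejecting request: proof-of-possession signature invalid: %w", err)
	}
	if csr.Subject.String() != expectedDN.String() {
		return nil, errors.New("rejecting request: subject does not match directory DN")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// deviceAccept models what the device does with the delivered certificate
// (steps 9 and 13): chain it to the CA certificate received earlier and
// confirm it carries the public key the device generated in step 1.
func deviceAccept(cert, caCert *x509.Certificate, key *ecdsa.PrivateKey) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return errors.New("issued certificate does not carry the device's public key")
	}
	return nil
}

// Enroll runs the whole flow for one user and returns the issued certificate.
func Enroll(commonName string) (*x509.Certificate, error) {
	dn := pkix.Name{CommonName: commonName, Organization: []string{"Example Org"}} // constructed DN
	key, csrDER, err := deviceKeyAndCSR(dn)
	if err != nil {
		return nil, err
	}
	caKey, caCert, err := newTestCA()
	if err != nil {
		return nil, err
	}
	cert, err := caIssue(caKey, caCert, csrDER, dn)
	if err != nil {
		return nil, err
	}
	return cert, deviceAccept(cert, caCert, key)
}

// TamperedRequestRejected shows the CA-side check catching a request whose
// signature no longer matches its content (last DER byte flipped in transit).
func TamperedRequestRejected() bool {
	dn := pkix.Name{CommonName: "jdoe"}
	_, csrDER, err := deviceKeyAndCSR(dn)
	if err != nil {
		return false
	}
	csrDER[len(csrDER)-1] ^= 0xFF
	caKey, caCert, err := newTestCA()
	if err != nil {
		return false
	}
	_, err = caIssue(caKey, caCert, csrDER, dn)
	return err != nil
}

func main() {
	cert, err := Enroll("jdoe")
	if err != nil {
		fmt.Println("enrollment failed:", err)
		return
	}
	fmt.Printf("issued %s, serial %v, valid until %s\n", cert.Subject, cert.SerialNumber, cert.NotAfter.Format(time.RFC3339))
	fmt.Println("tampered request rejected:", TamperedRequestRejected())
}
```

The two checks in caIssue are the ones that matter for auto-approval: because the CA issues without a human reviewer, the request's self-signature and the match between its subject and the directory DN are the only things standing between an enrollment and a certificate issued for someone else's name.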