Certificates
About certificates
A certificate is a digital document that binds the identity and public key of a certificate subject. If your email account uses a
BlackBerry® Enterprise Server that supports this feature, you can download certificates over the wireless network from a
certificate authority profile that is provided by your administrator. The certificate authority signs the certificate to verify that it
can be trusted.
Depending on your organization, enrollment for a certificate might be required and might also occur automatically.
Certificate basics
Download a certificate from an LDAP-enabled server or DSML-enabled server
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Press the
key > Fetch Certificates.
4. Specify the search criteria.
5. Press the
key > Search.
6. Click a certificate.
User Guide
Security
258
7. Click Add Certificate to Key Store.
About certificate enrollment
If your email account uses a BlackBerry® Enterprise Server that supports this feature, you can download certificates over the
wireless network from a certificate authority profile provided by your administrator. Depending on your organization,
enrollment for a certificate might be required and might also occur automatically.
When you enroll with a certificate authority profile, the latest certificate is downloaded to your BlackBerry device and added to
your certificate list. The certificate authority profile shows the status of the certificate. If the certificate is scheduled to expire
soon you can re-enroll with the certificate authority profile to receive an updated certificate.
Download a certificate from a certificate authority
To perform this task, your work email account must use a BlackBerry® Enterprise Server that supports this feature. For more
information, contact your administrator.
If your administrator has provided you with a certificate authority profile, you can enroll with the profile to download a
certificate to your BlackBerry device. If the certificate is scheduled to expire soon, you can re-enroll to receive an updated
certificate.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificate Enrollment > Enroll or Re-enroll.
3. If necessary, type the credentials that you use to connect to your organization's network.
To hide the screen for the certificate authority profile while the request is being processed, press the
key > Hide. To
return to this screen, on the Home screen, click the Certificate Authority Profile icon.
Import a certificate or PGP key that is saved on your device
1. On the Home screen or in a folder, click the Media icon or Files icon.
2. Find and highlight a certificate or PGP® key.
3. Press the
key > Import Certificate or Import PGP Key.
To view the certificate or PGP key, press the
key > Display Certificate or Display PGP Key.
Import a certificate or PGP key from a media card
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates or PGP.
3. Press the
key > Show Media Card Certificates or Show Media Card PGP Keys.
To view the certificate or PGP® key, press the
key > Display Certificate or Display PGP Key.
User Guide
Security
259
View properties for a certificate
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Click a certificate.
Certificate properties
Property
Description
Revocation Status
This field displays the revocation status of the certificate at a
specified date and time.
Trust Status
This field displays the trust status of the certificate chain. A
certificate can be explicitly trusted (the certificate itself is
trusted), implicitly trusted (the root certificate in the
certificate chain is trusted on your BlackBerry® device), or not
trusted (the certificate is not explicitly trusted and the root
certificate in the certificate chain is not trusted or does not
exist on your device).
Expiration Date
This field displays the expiration date of the certificate, as
specified by the certificate issuer.
Certificate Type
This field displays the certificate format. Your device supports
X.509 and WTLS certificate formats.
Public Key Type
This field displays the standard to which the public key
complies. Your device supports RSA®, DSA, Diffie-Hellman, and
ECC keys.
Subject
This field displays information about the certificate subject.
Issuer
This field displays information about the certificate issuer.
Serial Number
This field displays the certificate serial number in hexadecimal
format.
Key Usage
This field displays approved uses of the public key.
Subject Alt Name
This field displays an alternate email address for the certificate
subject, if an alternate email address is available.
SHA1 Thumbprint
This field displays the SHA-1 digital thumbprint of the
certificate.
MD5 Thumbprint
This field displays the MD5 digital thumbprint of the
certificate.
User Guide
Security
260
View one type of certificate in the certificate list
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Press the
key.
4. Click one of the following menu items:
• Show My Certificates
• Show Others Certificates
• Show CA Certificates
• Show Root Certificates
To view all the certificates on your BlackBerry® device, press the
key > Show All Certificates.
Send a certificate
When you send a certificate, your BlackBerry® device sends the public key, but does not send the corresponding private key.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the
key > Send via Email or Send via PIN.
Delete a certificate
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the
key > Delete.
View the certificate chain for a certificate
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the
key > Show Chain.
Certificate status
Status indicators for certificates and certificate authority profiles
Status indicators for certificates
User Guide
Security
261
Indicator
Description
The certificate has a corresponding private key that is stored on your BlackBerry® device or a smart
card.
The certificate chain is trusted and valid, and the revocation status of the certificate chain is good.
The revocation status of the certificate chain is unknown, or a public key for a certificate in the
certificate chain is weak.
The certificate is untrusted or revoked, or a certificate in the certificate chain is untrusted, revoked,
expired, not valid, or cannot be verified.
Status indicators for certificate authority profiles
Indicator
Description
A valid certificate is associated with the certificate authority profile.
A new certificate is being retrieved because the current certificate is scheduled to expire soon.
The enrollment request is pending approval from the certificate authority.
Enrollment with the certificate authority profile is pending because an action from the user is
required to continue, or because enrollment is scheduled to occur later.
Enrollment with the certificate authority profile is required and will occur automatically.
Check the revocation status of a certificate or certificate chain
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the
key > Fetch Status or Fetch Chain Status.
Change the trust status of a certificate
Depending on the types of certificates that your administrator allows, you might not be able to trust some types of certificates.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the
key > Trust or Distrust.
5. If you are trusting a certificate, do one of the following:
• To trust the highlighted certificate, click Selected Certificate.
• To trust the highlighted certificate and all the other certificates in the chain, click Entire Chain.
User Guide
Security
262
Revoke a certificate
If you revoke a certificate, the certificate is revoked only in the key store on your BlackBerry® device. Your device does not
update the revocation status on the certificate authority or CRL servers.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the
key > Revoke > Yes.
5. Change the Reason field.
6. Click OK.
To cancel a certificate hold, highlight the certificate. Press the
key > Cancel Hold.
Certificate revocation reasons
Reason
Description
Unknown
The revocation reason does not match any of the predefined reasons.
Key Compromise
A person who is not the key subject might have discovered the private key value.
CA Compromise
Someone might have revealed the private key of the certificate issuer.
Change in Affiliation
The certificate subject no longer works for the organization.
Superseded
A new certificate is replacing an existing certificate.
Cessation of Operation
The certificate subject no longer requires the certificate.
Certificate Hold
You want to revoke the certificate temporarily.
Certificate options
Change the display name for a certificate
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the
key > Change Label.
5. Type a display name for the certificate.
6. Click OK.
Add an email address to a certificate
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
User Guide
Security
263
3. Highlight a certificate.
4. Press the
key > Associate Addresses.
5. Press the
key > Add Address.
6. Do one of the following:
• Click a contact.
• Click Use Once. Type an email address. Press the key on the keyboard.
7. Press the
key > Save.
Turn off the display name prompt that appears when you add a certificate to the key store
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Press the
key > Fetch Certificates.
4. Press the
key > Options.
5. Change the Prompt for Label field to No.
6. Press the
key > Save.
When you add a certificate, your BlackBerry® device uses the certificate subject as the name for the certificate.
Turn off the fetch status prompt that appears when you add a certificate to the key store
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Press the
key > Fetch Certificates.
4. Press the
key > Options.
• To download the revocation status of a certificate when you add it to the key store, change the Fetch Status field to
Yes.
• To add a certificate to the key store without downloading the revocation status, change the Fetch Status field to No.
5. Press the
key > Save.
Change how often a certificate authority profile checks certificate status
Depending on your organization, you might be able to change how often a certificate authority profile checks the status of its
certificate. If the certificate is scheduled to expire soon you can re-enroll with the certificate authority profile to receive an
updated certificate.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Change the Certificate Status Check Interval field.
4. Press the
key > Save.
User Guide
Security
264
Certificate shortcuts
View the label and issuer of a certificate
Press the Space key.
View the properties of a certificate
Press the key.
View the security level of a personal certificate
Press the Alt key and L.
View the serial number of a certificate
Press the Alt key and S.
View certificates for certificate authorities
Press the Alt key and C
View personal certificates and certificates for other people
Press the Alt key and E.
View personal certificates
Press the Alt key and P.
View certificates for other people
Press the Alt key and O.
View root certificates
Press the Alt key and R.
View all certificates
Press the Alt key and A.