BlackBerry Bold 9650 - Certificates

Certificates

About certificates

A certificate is a digital document that binds the identity and public key of a certificate subject. If your email account uses a BlackBerry® Enterprise Server that supports this feature, you can download certificates over the wireless network from a certificate authority profile that is provided by your administrator. The certificate authority signs the certificate to verify that it can be trusted.

Depending on your organization, enrollment for a certificate might be required and might also occur automatically.

Certificate basics

Download a certificate from an LDAP-enabled server or DSML-enabled server

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Press the Menu key > Fetch Certificates.
4. Specify the search criteria.
5. Press the Menu key > Search.

6. Click a certificate.

User Guide

Security

7. Click Add Certificate to Key Store.

About certificate enrollment

If your email account uses a BlackBerry® Enterprise Server that supports this feature, you can download certificates over the wireless network from a certificate authority profile provided by your administrator. Depending on your organization, enrollment for a certificate might be required and might also occur automatically.

When you enroll with a certificate authority profile, the latest certificate is downloaded to your BlackBerry device and added to your certificate list. The certificate authority profile shows the status of the certificate. If the certificate is scheduled to expire soon, you can re-enroll with the certificate authority profile to receive an updated certificate.

Download a certificate from a certificate authority

To perform this task, your work email account must use a BlackBerry® Enterprise Server that supports this feature. For more information, contact your administrator.

If your administrator has provided you with a certificate authority profile, you can enroll with the profile to download a certificate to your BlackBerry device. If the certificate is scheduled to expire soon, you can re-enroll to receive an updated certificate.

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificate Enrollment > Enroll or Re-enroll.
3. If necessary, type the credentials that you use to connect to your organization's network.

To hide the screen for the certificate authority profile while the request is being processed, press the Menu key > Hide. To return to this screen, on the Home screen, click the Certificate Authority Profile icon.

Import a certificate or PGP key that is saved on your device

1. On the Home screen or in a folder, click the Media icon or Files icon.
2. Find and highlight a certificate or PGP® key.
3. Press the Menu key > Import Certificate or Import PGP Key.

To view the certificate or PGP key, press the Menu key > Display Certificate or Display PGP Key.

Import a certificate or PGP key from a media card

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates or PGP.
3. Press the Menu key > Show Media Card Certificates or Show Media Card PGP Keys.

To view the certificate or PGP® key, press the Menu key > Display Certificate or Display PGP Key.

View properties for a certificate

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Click a certificate.

Certificate properties

Property: Description

Revocation Status: This field displays the revocation status of the certificate at a specified date and time.

Trust Status: This field displays the trust status of the certificate chain. A certificate can be explicitly trusted (the certificate itself is trusted), implicitly trusted (the root certificate in the certificate chain is trusted on your BlackBerry® device), or not trusted (the certificate is not explicitly trusted and the root certificate in the certificate chain is not trusted or does not exist on your device).

Expiration Date: This field displays the expiration date of the certificate, as specified by the certificate issuer.

Certificate Type: This field displays the certificate format. Your device supports X.509 and WTLS certificate formats.

Public Key Type: This field displays the standard to which the public key complies. Your device supports RSA®, DSA, Diffie-Hellman, and ECC keys.

Subject: This field displays information about the certificate subject.

Issuer: This field displays information about the certificate issuer.

Serial Number: This field displays the certificate serial number in hexadecimal format.

Key Usage: This field displays approved uses of the public key.

Subject Alt Name: This field displays an alternate email address for the certificate subject, if an alternate email address is available.

SHA1 Thumbprint: This field displays the SHA-1 digital thumbprint of the certificate.

MD5 Thumbprint: This field displays the MD5 digital thumbprint of the certificate.

View one type of certificate in the certificate list

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Press the Menu key.
4. Click one of the following menu items:

• Show My Certificates
• Show Others Certificates
• Show CA Certificates
• Show Root Certificates

To view all the certificates on your BlackBerry® device, press the Menu key > Show All Certificates.

Send a certificate

When you send a certificate, your BlackBerry® device sends the public key, but does not send the corresponding private key.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the Menu key > Send via Email or Send via PIN.

Delete a certificate

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the Menu key > Delete.

View the certificate chain for a certificate

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the Menu key > Show Chain.

Certificate status

Status indicators for certificates and certificate authority profiles

Status indicators for certificates

Indicator: Description

• The certificate has a corresponding private key that is stored on your BlackBerry® device or a smart card.
• The certificate chain is trusted and valid, and the revocation status of the certificate chain is good.
• The revocation status of the certificate chain is unknown, or a public key for a certificate in the certificate chain is weak.
• The certificate is untrusted or revoked, or a certificate in the certificate chain is untrusted, revoked, expired, not valid, or cannot be verified.
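
Added example (not part of the BlackBerry guide and not device code): a small Python model of how the Trust Status definitions under "Certificate properties" and the three chain-status rows above combine into one result. The Cert class, the function names, and the sample chain are hypothetical and constructed for illustration; real certificates would need to be parsed and their signatures verified.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Cert:                         # hypothetical stand-in for a parsed certificate
    subject: str
    issuer: str
    not_after: datetime
    revoked: Optional[bool] = None  # None: revocation status never fetched
    weak_key: bool = False

def trust_status(chain, trusted):
    """chain[0] is the certificate, chain[-1] its root; trusted holds subjects trusted on the device."""
    if chain[0].subject in trusted:
        return "explicit"           # the certificate itself is trusted
    root = chain[-1]
    if root.subject == root.issuer and root.subject in trusted:
        return "implicit"           # the root of the chain is trusted
    return "not trusted"            # root untrusted, or missing from the chain

def chain_indicator(chain, trusted, now):
    """Collapse the whole chain into the good / unknown / bad rows of the table."""
    linked = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    if trust_status(chain, trusted) == "not trusted" or not linked:
        return "bad"
    if any(c.revoked is True or c.not_after <= now for c in chain):
        return "bad"                # one revoked or expired link taints the chain
    if any(c.revoked is None or c.weak_key for c in chain):
        return "unknown"
    return "good"

# Constructed sample chain (not real certificates).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

def _cert(subject, issuer, year, **kw):
    return Cert(subject, issuer, datetime(year, 1, 1, tzinfo=timezone.utc), **kw)

ROOT = _cert("Example Root CA", "Example Root CA", 2030, revoked=False)
ISSUING = _cert("Example Issuing CA", "Example Root CA", 2028, revoked=False)
LEAF = _cert("alice@example.com", "Example Issuing CA", 2025, revoked=False)
CHAIN = [LEAF, ISSUING, ROOT]

if __name__ == "__main__":
    store = {"Example Root CA"}
    print(trust_status(CHAIN, store), chain_indicator(CHAIN, store, NOW))
    print(chain_indicator([replace(LEAF, revoked=None), ISSUING, ROOT], store, NOW))
```

A certificate whose revocation status has never been fetched lands in the "unknown" row rather than "good", which is the case the Fetch Status and Fetch Chain Status menu items resolve.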

Status indicators for certificate authority profiles

Indicator: Description

• A valid certificate is associated with the certificate authority profile.
• A new certificate is being retrieved because the current certificate is scheduled to expire soon.
• The enrollment request is pending approval from the certificate authority.
• Enrollment with the certificate authority profile is pending because an action from the user is required to continue, or because enrollment is scheduled to occur later.
• Enrollment with the certificate authority profile is required and will occur automatically.

Check the revocation status of a certificate or certificate chain

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the Menu key > Fetch Status or Fetch Chain Status.

Change the trust status of a certificate

Depending on the types of certificates that your administrator allows, you might not be able to trust some types of certificates.

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the Menu key > Trust or Distrust.

5. If you are trusting a certificate, do one of the following:

• To trust the highlighted certificate, click Selected Certificate.
• To trust the highlighted certificate and all the other certificates in the chain, click Entire Chain.

Revoke a certificate

If you revoke a certificate, the certificate is revoked only in the key store on your BlackBerry® device. Your device does not
update the revocation status on the certificate authority or CRL servers.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the Menu key > Revoke > Yes.

5. Change the Reason field.
6. Click OK.

To cancel a certificate hold, highlight the certificate. Press the Menu key > Cancel Hold.

Certificate revocation reasons

Reason: Description

Unknown: The revocation reason does not match any of the predefined reasons.

Key Compromise: A person who is not the key subject might have discovered the private key value.

CA Compromise: Someone might have revealed the private key of the certificate issuer.

Change in Affiliation: The certificate subject no longer works for the organization.

Superseded: A new certificate is replacing an existing certificate.

Cessation of Operation: The certificate subject no longer requires the certificate.

Certificate Hold: You want to revoke the certificate temporarily.

Certificate options

Change the display name for a certificate

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Highlight a certificate.
4. Press the Menu key > Change Label.

5. Type a display name for the certificate.
6. Click OK.

Add an email address to a certificate

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.

3. Highlight a certificate.
4. Press the Menu key > Associate Addresses.
5. Press the Menu key > Add Address.

6. Do one of the following:

• Click a contact.
• Click Use Once. Type an email address. Press the key on the keyboard.

7. Press the Menu key > Save.

Turn off the display name prompt that appears when you add a certificate to the key store

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Press the Menu key > Fetch Certificates.
4. Press the Menu key > Options.
5. Change the Prompt for Label field to No.
6. Press the Menu key > Save.

When you add a certificate, your BlackBerry® device uses the certificate subject as the name for the certificate.

Turn off the fetch status prompt that appears when you add a certificate to the key store

1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Press the Menu key > Fetch Certificates.
4. Press the Menu key > Options.

• To download the revocation status of a certificate when you add it to the key store, change the Fetch Status field to Yes.
• To add a certificate to the key store without downloading the revocation status, change the Fetch Status field to No.

5. Press the Menu key > Save.

Change how often a certificate authority profile checks certificate status

Depending on your organization, you might be able to change how often a certificate authority profile checks the status of its certificate. If the certificate is scheduled to expire soon, you can re-enroll with the certificate authority profile to receive an updated certificate.
1. On the Home screen or in a folder, click the Options icon.
2. Click Security > Advanced Security Settings > Certificates.
3. Change the Certificate Status Check Interval field.
4. Press the Menu key > Save.

Certificate shortcuts

View the label and issuer of a certificate

Press the Space key.

View the properties of a certificate

Press the key.

View the security level of a personal certificate

Press the Alt key and L.

View the serial number of a certificate

Press the Alt key and S.

View certificates for certificate authorities

Press the Alt key and C.

View personal certificates and certificates for other people

Press the Alt key and E.

View personal certificates

Press the Alt key and P.

View certificates for other people

Press the Alt key and O.

View root certificates

Press the Alt key and R.

View all certificates

Press the Alt key and A.