
BlackBerry Dynamics SDK support for personal certificates (PKCS12 or PKI certs)

The BlackBerry Dynamics SDK has been enhanced to support personal certificates for authentication of applications at runtime. No programming is required by the BlackBerry developer on any of the client BlackBerry Dynamics SDK platforms to take advantage of this feature. All operations are carried out by the BlackBerry Dynamics Runtime. The app must use the BlackBerry Dynamics Secure Communication Networking APIs provided in prior releases, the employee’s account must be correctly configured, and the GC must be the 2.0.xx.yy release or later.

An enterprise can deploy corporate services requiring two-way SSL/TLS mutual authentication in order to authenticate their employees. Through the enterprise, the employee may be issued or otherwise obtain a password-protected Personal Information Exchange file (PKCS12/p12/pfx) containing the SSL/TLS client certificate and private key required by such services for authentication purposes. This file may be installed on various machines and devices, including BlackBerry Dynamics apps, so that access can be granted to these services.

Setup in Good Control

Requirements of the certificates themselves are described in Certificate requirements and troubleshooting.
To deploy Personal Information Exchange files with BlackBerry Dynamics apps, the following steps must be taken to configure the GC and the employee’s account. For more information, see the Good Control and Good Proxy Admin Help.
  • After the GC is installed, an administrator may choose to extend the default 24-hour period for which an employee’s protected Personal Information Exchange file is cached by the GC server.
  • An administrator must add all BlackBerry Dynamics apps that access services requiring client authentication to the Certificates -> App Usage tab.
  • An administrator must enable Use PKCS12 Certificate Management in the employee's security policy.
  • An administrator or employee must upload their Personal Information Exchange files to the Certificates tab.

Behavior of personal certificates in the app

After the employee activates a BlackBerry Dynamics app enabled for access to server resources requiring client authentication, the app receives their Personal Information Exchange files, provided they are still cached on the GC. For each file, the employee is asked to enter the password protecting the file contents, so the identification material can be installed. Once installed, provided the identification is correct, the BlackBerry Dynamics app is granted access to server resources requiring two-way SSL/TLS mutual authentication when connecting.

If there is more than one Personal Information Exchange file per employee, the BlackBerry Dynamics Runtime ensures that the certificate chosen to send to the server meets all of the following criteria:
  1. Only client certificates suitable for SSL/TLS client authentication are eligible for sending to the server. That is, certificates that have no Key Usage and no Extended Key Usage, or whose Key Usage contains "Digital Signature" or "Key Agreement", or whose Extended Key Usage contains "TLS Web Client Authentication", and whose Key Usage and Extended Key Usage do not contradict the allowances for SSL/TLS client authentication.
  2. If the server advertises the acceptable client certificate authorities in the SSL/TLS handshake, only client certificates issued by those authorities will be considered.
  3. Only current client certificates will be considered (that is, certificates that are neither expired nor not yet valid).
Usually this is sufficient to identify the correct client certificate, but if more than one certificate still meets all of the above criteria, the first one is used. If the certificate chosen is not the desired one, the administrator or employee can manage this by removing the undesired client certificate from Good Control. The administrator can also increase the chance of success by ensuring the server is configured to advertise the client certificate authorities in the SSL/TLS handshake.
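The three selection criteria above can be modelled as successive filters. The following Python is an added illustration written for this page, not BlackBerry Dynamics Runtime code: the `Certificate` dataclass and the sample certificates are constructed stand-ins for the X.509 data a real implementation would read from each PKCS12 file, and the reading of "do not contradict" in criterion 1 (an Extended Key Usage that is present but omits client authentication, or a Key Usage that is present but contains neither Digital Signature nor Key Agreement, disqualifies the certificate) is this example's assumption.

```python
"""Model of the client-certificate selection rules: added example, not product code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Set

# Key Usage / Extended Key Usage names as they are displayed in a certificate.
KU_DIGITAL_SIGNATURE = "Digital Signature"
KU_KEY_AGREEMENT = "Key Agreement"
EKU_CLIENT_AUTH = "TLS Web Client Authentication"


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for the fields the runtime would parse from X.509."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key_usage: Optional[frozenset] = None           # None: extension absent
    extended_key_usage: Optional[frozenset] = None  # None: extension absent


def suitable_for_client_auth(cert: Certificate) -> bool:
    """Criterion 1: key usages must permit, and not contradict, TLS client auth."""
    ku, eku = cert.key_usage, cert.extended_key_usage
    if ku is None and eku is None:
        return True  # no usage constraints at all: eligible
    if eku is not None and EKU_CLIENT_AUTH not in eku:
        return False  # EKU present but does not allow client authentication
    if ku is not None and not (ku & {KU_DIGITAL_SIGNATURE, KU_KEY_AGREEMENT}):
        return False  # KU present but allows neither signing nor key agreement
    return True


def issued_by_advertised_ca(cert: Certificate, advertised_cas: Set[str]) -> bool:
    """Criterion 2: honour the CA list from the server's CertificateRequest, if any."""
    return not advertised_cas or cert.issuer in advertised_cas


def currently_valid(cert: Certificate, now: datetime) -> bool:
    """Criterion 3: neither expired nor not yet valid."""
    return cert.not_before <= now <= cert.not_after


def eligible_certificates(certs: Iterable[Certificate], advertised_cas: Set[str],
                          now: datetime) -> List[Certificate]:
    """All certificates that pass the three filters, in their original order."""
    return [c for c in certs
            if suitable_for_client_auth(c)
            and issued_by_advertised_ca(c, advertised_cas)
            and currently_valid(c, now)]


def select_client_certificate(certs: Iterable[Certificate], advertised_cas: Set[str],
                              now: datetime) -> Optional[Certificate]:
    """Return the first eligible certificate, or None when nothing qualifies."""
    survivors = eligible_certificates(certs, advertised_cas, now)
    return survivors[0] if survivors else None


# Constructed sample data: five personal certificates cached for one employee.
_Y2015 = datetime(2015, 1, 1, tzinfo=timezone.utc)
_Y2019 = datetime(2019, 1, 1, tzinfo=timezone.utc)
_Y2020 = datetime(2020, 1, 1, tzinfo=timezone.utc)
_Y2030 = datetime(2030, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CORP_CA = "CN=Example Corp CA"  # constructed issuer name

SAMPLE_CERTS = [
    # EKU present but only for e-mail: contradicts client auth, rejected by criterion 1
    Certificate("CN=alice-email", CORP_CA, _Y2020, _Y2030,
                frozenset({KU_DIGITAL_SIGNATURE}), frozenset({"E-mail Protection"})),
    # Expired: rejected by criterion 3
    Certificate("CN=alice-old", CORP_CA, _Y2015, _Y2019,
                frozenset({KU_DIGITAL_SIGNATURE}), frozenset({EKU_CLIENT_AUTH})),
    # Issued by a different CA: rejected by criterion 2 only if the server advertises CAs
    Certificate("CN=alice-other", "CN=Other CA", _Y2020, _Y2030,
                frozenset({KU_DIGITAL_SIGNATURE}), frozenset({EKU_CLIENT_AUTH})),
    # The intended certificate: valid, corporate CA, client-auth usages
    Certificate("CN=alice-vpn", CORP_CA, _Y2020, _Y2030,
                frozenset({KU_DIGITAL_SIGNATURE}), frozenset({EKU_CLIENT_AUTH})),
    # No usage extensions at all: eligible, but comes after alice-vpn
    Certificate("CN=alice-backup", CORP_CA, _Y2020, _Y2030),
]


if __name__ == "__main__":
    chosen = select_client_certificate(SAMPLE_CERTS, {CORP_CA}, NOW)
    print("server advertises corporate CA ->", chosen.subject if chosen else None)
    chosen = select_client_certificate(SAMPLE_CERTS, set(), NOW)
    print("server advertises no CAs       ->", chosen.subject if chosen else None)
```

Running the two cases side by side shows why the last paragraph recommends advertising the client CA: with the corporate CA in the handshake the sample data yields `CN=alice-vpn`, whereas without it the certificate from the unrelated CA is the first survivor and gets sent instead.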