Using a PKI connector to implement custom certificate requirements

BlackBerry UEM can connect to a CA to obtain a certificate and send it to a client BlackBerry Dynamics app for authentication (for example, Entrust or PKI connections), or it can assist the client app in retrieving the certificate directly from a CA (for example, using SCEP to retrieve a PKCS12 file). UEM uses the BlackBerry Dynamics User Certificate Management protocol to fetch and enroll a certificate when the BlackBerry Dynamics Runtime makes a request for the certificate. The protocol runs over HTTPS and defines JSON-formatted messages. This document details the administrator actions involved in this process and the APIs that UEM uses to execute it. The APIs are supported by UEM version 12.10 or later or BlackBerry UEM Cloud, and are available to BlackBerry Dynamics apps that use the BlackBerry Dynamics SDK version 2.1 or later.

If you want to implement specific requirements or procedures when a certificate is retrieved from a CA (for example, if a user’s password or smart card authentication is required), you can establish a back-end server that implements this protocol and the associated APIs to accept a request from UEM and interface with your enterprise CA. This server is called a PKI connector. When a BlackBerry Dynamics app makes a certificate request to UEM, UEM calls your PKI connector to interface with your CA and apply any required processes to retrieve and provide the certificate.

Note that UEM may already support your CA solution, so establishing a PKI connector may not be required. For more information about the CA solutions that UEM supports, see Sending CA certificates to devices and apps in the UEM Administration content.

A sample implementation of a PKI connector is described in the PKI connector sample implementation section of this guide. Your organization’s developers can use the API documentation in this guide and the sample implementation (a .zip package) to establish a PKI connector that can interact with UEM.