Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.13
  3. Administration
  4. Email, calendar, and contacts
  5. Extending email security using S/MIME
  6. Retrieving S/MIME certificates

Retrieving S/MIME certificates

You can use certificate retrieval profiles to allow 
BlackBerry 10
 devices to search for and retrieve recipients' S/MIME certificates from LDAP certificate servers. If a required S/MIME certificate is not already in a device's certificate store, the device retrieves it from the server and imports it into the certificate store automatically.
BlackBerry 10
 devices search each LDAP certificate server that you specify in the profile and retrieve the S/MIME certificate. If there is more than one S/MIME certificate and a device is unable to determine the preferred one, the device displays all the S/MIME certificates so that the user can choose which one to use.
You can require that devices use either simple authentication or 
Kerberos
 authentication to authenticate with LDAP certificate servers. If you require that devices use simple authentication, you can include the required authentication credentials in certificate retrieval profiles so that devices can automatically authenticate with LDAP certificate servers. If you require that devices use 
Kerberos
 authentication, you can include the required authentication credentials in certificate retrieval profiles so that devices that are running 
BlackBerry 10 OS
 version 10.3.1 and later can automatically authenticate with LDAP certificate servers. Otherwise, the device prompts the user for the required authentication credentials the first time that the device attempts to authenticate with an LDAP certificate server. For devices that are running 
BlackBerry 10 OS
 version 10.2.1 to 10.3, the device prompts the user for the required authentication credentials the first time that the device attempts to authenticate with an LDAP certificate server.
If you implement 
Kerberos
 authentication for S/MIME certificate retrieval, you must assign a single sign-on profile to the applicable users or user groups. For more information about creating and assigning a single sign-on profile, see Setting up single sign-on authentication for devices.
If you do not create a certificate retrieval profile and assign it to user accounts, user groups, or device groups, users must manually import S/MIME certificates from a work email attachment or a computer.