Create a certificate retrieval profile

  • To allow devices to trust LDAP certificate servers when they make secure connections, you might need to distribute CA certificates to devices. If necessary, create CA certificate profiles and assign them to user accounts, user groups, or device groups. For more information about CA certificates, see Sending CA certificates to devices and apps.
  • If you implement Kerberos authentication for S/MIME certificate retrieval, you must assign a single sign-on profile to the applicable users or user groups. For more information about single sign-on profiles, see Setting up single sign-on authentication for devices.
  1. On the menu bar, click Policies and Profiles.
  2. Click Certificates > Certificate retrieval.
  3. Click the Add icon.
  4. Type a name and description for the certificate retrieval profile.
  5. In the table, click the Add icon.
  6. In the Service URL field, type the FQDN of an LDAP certificate server using the format ldap://<fqdn>:<port> (for example, ldap://server01.example.com:389).
  7. In the Search base field, type the base DN that is the starting point for LDAP certificate server searches.
  8. In the Search scope drop-down list, perform one of the following actions:
    • To search the base object only (base DN), click Base. This option is the default value.
    • To search one level below the base object, but not the base object itself, click One level.
    • To search the base object and all levels below it, click Subtree.
    • To search all levels below the base object, but not the base object itself, click Children.
  9. If authentication is required, perform the following actions:
    1. In the Authentication type drop-down list, click Simple or Kerberos.
    2. In the LDAP user ID field, type the DN of an account that has search permissions on the LDAP certificate server (for example, cn=admin,dc=example,dc=com).
    3. In the LDAP password field, type the password for the account that has search permissions on the LDAP certificate server.
  10. If necessary, select the Use secure connection check box.
  11. In the Connection timeout field, type the amount of time, in seconds, that the device waits for the LDAP certificate server to respond.
  12. Click Add.
  13. Repeat steps 5 to 11 for each LDAP certificate server.
  14. Click Add.
  • To allow BlackBerry 10 devices to check certificate status, create an OCSP or CRL profile.
  • If necessary, rank profiles.
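The following added example (not BlackBerry UEM code) illustrates two parts of the procedure above: what each Search scope option (Base, One level, Subtree, Children) matches relative to the base DN, and a check of a retrieval profile entry against the fields in steps 6 to 11. The profile dictionary keys, the sample DNs, and the placeholder password are constructed for this illustration; the one security check beyond the page's own field rules is that Simple authentication without Use secure connection sends the search account's password over the network in clear text.

```python
"""Added example: LDAP search scope semantics and a retrieval profile check.
The profile keys and the sample directory entries below are constructed for
illustration; they are not BlackBerry UEM identifiers."""
from urllib.parse import urlsplit

# The four Search scope options offered by the profile, with Base the default
SCOPES = ("Base", "One level", "Subtree", "Children")


def dn_components(dn):
    """Split a DN into its RDNs, most specific first (illustrative: does not
    handle escaped commas the way a full RFC 4514 parser would)."""
    return [c.strip().lower() for c in dn.split(",") if c.strip()]


def scope_matches(scope, base_dn, entry_dn):
    """Return True if entry_dn lies inside the search scope rooted at base_dn."""
    base = dn_components(base_dn)
    entry = dn_components(entry_dn)
    # the entry is under the base only if its trailing RDNs equal the base DN
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)  # 0 means the base object itself
    if scope == "Base":
        return depth == 0
    if scope == "One level":
        return depth == 1
    if scope == "Subtree":
        return True
    if scope == "Children":
        return depth >= 1
    raise ValueError(f"unknown search scope: {scope}")


# Constructed sample directory entries (not from any real server)
SAMPLE_DNS = [
    "ou=people,dc=example,dc=com",
    "cn=alice,ou=people,dc=example,dc=com",
    "cn=bob,ou=people,dc=example,dc=com",
    "cn=carol,ou=contractors,ou=people,dc=example,dc=com",
    "cn=admin,dc=example,dc=com",
]


def entries_in_scope(scope, base_dn, dns=SAMPLE_DNS):
    """List the sample entries a search with the given scope would return."""
    return [dn for dn in dns if scope_matches(scope, base_dn, dn)]


def validate_profile(profile):
    """Return a list of problems in one LDAP server entry of a retrieval
    profile (empty list means the entry passes every check)."""
    problems = []
    try:
        url = urlsplit(profile.get("service_url", ""))
        port = url.port  # raises ValueError when the port is not numeric
    except ValueError:
        url, port = None, None
    if url is None or url.scheme != "ldap" or not url.hostname or port is None:
        problems.append("service URL must have the form ldap://<fqdn>:<port>")
    if not profile.get("search_base"):
        problems.append("search base DN is required")
    if profile.get("search_scope", "Base") not in SCOPES:
        problems.append("search scope must be one of " + ", ".join(SCOPES))
    auth = profile.get("authentication_type")
    if auth is not None:
        if auth not in ("Simple", "Kerberos"):
            problems.append("authentication type must be Simple or Kerberos")
        if not profile.get("ldap_user_id") or not profile.get("ldap_password"):
            problems.append("authentication requires an LDAP user ID and password")
        if auth == "Simple" and not profile.get("use_secure_connection"):
            # a simple bind transmits the password in clear text unless TLS protects it
            problems.append("Simple authentication without 'Use secure connection' "
                            "exposes the search account password on the network")
    timeout = profile.get("connection_timeout")
    if not isinstance(timeout, int) or timeout <= 0:
        problems.append("connection timeout must be a positive number of seconds")
    return problems


# Constructed weak profile: Simple bind over plain ldap:// with no secure connection
WEAK_PROFILE = {
    "service_url": "ldap://server01.example.com:389",
    "search_base": "dc=example,dc=com",
    "search_scope": "Subtree",
    "authentication_type": "Simple",
    "ldap_user_id": "cn=admin,dc=example,dc=com",
    "ldap_password": "PLACEHOLDER-PASSWORD",  # placeholder, not a real credential
    "use_secure_connection": False,
    "connection_timeout": 30,
}
# Corrected form: same entry with Use secure connection selected
HARDENED_PROFILE = dict(WEAK_PROFILE, use_secure_connection=True)

if __name__ == "__main__":
    for scope in SCOPES:
        print(f"{scope:10} -> {entries_in_scope(scope, 'ou=people,dc=example,dc=com')}")
    print("weak:", validate_profile(WEAK_PROFILE))
    print("hardened:", validate_profile(HARDENED_PROFILE))
```

Running the script prints which of the sample entries each scope returns for the base ou=people,dc=example,dc=com, then the single finding for the weak profile and an empty list for the hardened one.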