Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.13
  3. Administration
  4. Securing connections using PKI
  5. Sending certificates to devices and apps using profiles
  6. Sending client certificates to devices and apps using user credential profiles
  7. Create a user credential profile to use certificates from the native keystore on Android devices

Create a user credential profile to use certificates from the native keystore on 
Android
 devices

You can configure the user certificate profile to allow 
BlackBerry Dynamics
 apps to use a certificate from the native keystore on 
Android
 devices. You can allow 
BlackBerry Dynamics
 apps to use any certificate that had been added to the keystore or you can define restrictions on which certificate the app can choose. For example, if you are using an app-based PKI solution such as 
Purebred
 that adds certificates to the native keystore, you can force the app to select a certificate issued by your 
Purebred
 PKI solution and require that the app use certificates with specified capabilities.
  1. On the menu bar, click 
    Policies and Profiles
    .
  2. Click 
    Certificates > User credential
    .
  3. Click The Add icon.
  4. Type a name and description for the profile. Each certificate profile must have a unique name.
  5. In the 
    Certificate authority connection
     drop-down list, select 
    Native keystore
    .
  6. To specify which certificate the 
    BlackBerry Dynamics
     app will use, perform the following actions:
    1. Beside 
      Issuers
      , click The Add icon and type the issuer name.
      BlackBerry Dynamics
       apps will only use a certificate if the specified issuer matches the 
      OpenSSL
       short-form OID in the certificate. You can copy this value from the issuer's certificate. Do not put spaces before or after equal sign (=). For example: 
      CN=Acme_cert SMIME,OU=Acme_Legal,O=Acme,C=Can
                          CN=Acme_cert SMIME,OU=Acme_Legal,O=Acme
                          CN=Acme_cert TLS
    2. In the 
      Key usage
       section, select the operations that the certificate supports.
      BlackBerry Dynamics
       apps will only use certificates that have at least the specified key usage value set. For example, an encryption certificate may have a key usage value of 
      Key encipherment
      . An authentication certificate may have a key usage value of 
      Digital signature
      . A signing certificate may have a key usage value of both 
      Digital signature
       and 
      Nonrepudiation
      .
    3. In the 
      Extended key usage
       section, select the functions that the certificate was issued for. 
      BlackBerry Dynamics
       apps will only use certificates if all selected extended key usage values are present in the certificate. Certificates can have additional extended key usage values.
    4. If the certificate was issued for purposes other than email, client authentication, or smart card login, select 
      Additional Object ID usage
      , click The Add icon and specify the OID for the key usage. For example, if the certificate will be used for server authentication, it may have the OID 1.3.6.1.5.5.7.3.1
  7. If you want the device to delete expired certificates, select 
    Delete expired certificates
    .
    Expired encryption certificates used for S/MIME should be retained on the device to allow users to read messages that were encrypted before the certificate expired.
  8. If you want the device to delete duplicate certificates, select 
    Remove duplicate certificates
    . The device deletes the certificate that has the earliest start date.
  9. Click 
    Add
    .