
BlackBerry® Enterprise Service 10

Contributor
Romax
Posts: 24
Registered: 08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Hi Marduo1294,

I am pointing the BB Administration Service shared network drive correctly and the BES service account has read and write rights on the share.

But I don't see any certificates (except the default ones) on my device.

I have copied the root certificate under shared\certificates\MyCompanyRootCertificate.cer...

But there are 4 folders there:

ENTERPRISE
VPN
WIFI
WWW

Where should I copy the root certificate?

I just tested another activation now and I need to enter the AD password during activation, then the activation process completes without any errors, and everything is working fine.

Then I changed my AD account's password, and I am not receiving email on my BB10 anymore without any notification on the device.

What else could I be doing wrong?

Thank you for your help!

Contributor
jacobl
Posts: 38
Registered: 04-21-2011
My Device: BES 5.x

Re: Configuring SCEP server with BB10

Hi Romax,

Romax wrote:
I have copied the root certificate under shared\certificates\MyCompanyRootCertificate.cer...
But there are 4 folders there:
ENTERPRISE
VPN
WIFI
WWW
Where should I copy the root certificate?

In a 10.0.x setup the CA certs should go into the WWW folder. In a 10.1.x setup they should apparently be in the ENTERPRISE folder. However, in our 10.1.x deployment we have our CA certs in WWW and it's working fine. We did upgrade ours from 10.0.x originally, however, so this may be why it's still working with them there.

One thing - in 10.0.x the certs need to be in .pem format, not .cer. I can't remember whether that requirement changed in 10.1.x - but ours are still in .pem format and working fine.

Also make sure your issuing and any intermediate CA certs are also in that folder with the root CA cert (unless you've got a 1-tier PKI where your root CA is your issuing CA).

Romax wrote:
I just tested another activation now and I need to enter the AD password during activation, then the activation process completes without any errors, and everything is working fine.
Then I changed my AD account's password, and I am not receiving email on my BB10 anymore without any notification on the device.

This shows the CBA isn't working correctly - you will not be prompted for AD credentials anywhere in the activation process if CBA is working.

Can you see the user certs being issued on your CA after activation?

Regards,

Jacob

Contributor
Romax
Posts: 24
Registered: 08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Thanks for your prompt reply.

2 questions then:

1. How to get my certificates in .pem format? ...after googling, I found that I could convert them using OpenSSL. I tried that, but no luck. Is there a way in Windows to export the certs directly in .pem format?

2. What is or what do you call a CBA?

(sorry for the noobish questions...)

Cheers!

Contributor
marduo1294
Posts: 14
Registered: 03-14-2013
My Device: Z10
My Carrier: Telus

Re: Configuring SCEP server with BB10

The root CA should be copied to the WWW folder. For a description of these folders look to page 97 of the BES10_v10.1.1_BDS_Advanced_Admin_Guide_en.pdf.

After you copy the certs, wait a few minutes (5 minutes?) and then check your device.

You know cert auth is working when you are never asked for your Exchange password. The fact that you are still asked for it during activation means that cert auth is not working. Have you checked if a cert was issued from the CA server?

About the certificate format, the standard export without private key to a .cer file using the Certificate console works. If you still want to try .cer to PEM, here's a site below. I've never used this site before but I recognize some of the openssl commands.

The Most Common OpenSSL Commands
http://www.sslshopper.com/article-most-common-openssl-commands.html

 

BlackBerry Technical Advisor
-BD-
Posts: 490
Registered: 05-15-2008
My Device: Z10
My Carrier: Rogers

Re: Configuring SCEP server with BB10


Romax wrote:
Hi everyone,

Sorry, I am double-posting, but I have advanced a bit...

I managed to activate the device (the problem was that the enrollment password was dynamic... I am sorry for my mistake before).

However, I have another issue now.
Exchange doesn't seem to be able to accept the certificate.

I don't see the certificate in the "certificates" section in the settings on the device, and I had to enter all passwords after the activation process manually.

I will check the logs on the CA, and post again.

Thanks for the help!

You will not currently be able to see the certificate issued through SCEP on the device. You can view this cert by going to your CA and verifying that the cert is listed under the issued certificates section.

If your UPN doesn't equal your SMTP address you will need to make sure the server you are using is at least at 10.1 version and the handheld code is 10.1 or later as well.

You mention that MobileIron is working. Is it pointed at the same CAS? If it isn't, verify that the CAS that the BlackBerry smartphones are pointed at is configured to use cert-based authentication.

If they are both pointed at the same Exchange Server you may want to view a certificate issued through MobileIron that is working vs one issued via BES. I'd look at the values in the subject and SAN fields.

Contributor
jacobl
Posts: 38
Registered: 04-21-2011
My Device: BES 5.x

Re: Configuring SCEP server with BB10

Hi Romax,

Just to answer your questions:

Romax wrote:
1. How to get my certificates in .pem format? ...after googling, I found that I could convert them using OpenSSL. I tried that, but no luck. Is there a way in Windows to export the certs directly in .pem format?

On the SSLShopper page that Marduo linked to, this section describes the right command:

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Romax wrote:
2. What is or what do you call a CBA?

CBA is Certificate Based Authentication - it's just a term that refers to using user certs to log in to Exchange instead of username/password pairs.

Regards,

Jacob

Contributor
Romax
Posts: 24
Registered: 08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Hi All,

Many thanks for the feedback.

Here's where I am now:

I can see both ROOT and Issuing intermediate certs on my device.
I copied them in .cer (64) format to the share under both Enterprise and WWW folders.
(Files that I have exported from the mmc console)

However, I still need to enter my AD account password during activation.

I checked on the CA, and there is a certificate issued for my user, but it's only for internet browsing... and not for ActiveSync... So I believe it is not using the right template.

So I opened my registry editor, and found out that we have 3 templates... 2 default ones, and a third one we are using for MobileIron.

I am getting one of the default ones, and I need to get the one for MobileIron.

So my next questions:

1. Which value (if any) in the settings defines which template will be used for the issued certificate?

2. Where do I find the correct "thumbprint" for the root certificate that I need to enter in the SCEP profile on the BES?

3. Any other advice or thing I could do?

EDIT:

I managed to get the correct template, with the ActiveSync rights. (The same as MobileIron)...
I still have to enter the password at activation...

So I can see that the request has been made by SCEP to the CA for the right certificate using the right template; however, how can I check if the certificate has been delivered to my device?

Cheers everyone!

Contributor
marduo1294
Posts: 14
Registered: 03-14-2013
My Device: Z10
My Carrier: Telus

Re: Configuring SCEP server with BB10

1. On the SCEP server, the registry for the templates at HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP corresponds to the 3 possible requests it might get. It depends on how the template is set up, but usually you will make them all the same. You need to restart IIS after making a change.

2. Here's a nice article to find your "thumbprint". Don't forget to remove the spaces. :)

The NDES CA Thumbprint Hash - Certified Security Solutions
http://www.css-security.com/blog/the-ndes-ca-thumbprint-hash

3. On the BES server, did you associate your SCEP profile to your Email profile?

4. To view the SCEP issued certificate: Settings --> Security and Privacy --> Certificates --> Enterprise Client Certificates

KB32286 - Unable to view SCEP issued certificate on the BlackBerry PlayBook or BlackBerry 10 Smartphone
http://www.blackberry.com/btsc/KB32286

 

Contributor
Romax
Posts: 24
Registered: 08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Hi Marduo, thanks a lot for your reply!

1. That has been done, IIS restarted. The template is the same as MobileIron.

2. I am sorry, as this is very confusing for me, I just pasted the hash key I found in the
http://servername/CertSrv/mscep_admin/
page...

Please let me know if this is correct.

3. Yes

4. It's not there... this section is empty. I guess the certificate is not being delivered to the device, hence I need to update my passwords on the device when I change them in AD.

EDIT:

Ultimate question: When exporting the root and issuing certificates from the mmc console, which format shall I choose? DER or 64bits?

Contributor
marduo1294
Posts: 14
Registered: 03-14-2013
My Device: Z10
My Carrier: Telus

Re: Configuring SCEP server with BB10

1. Your hash is correct.

2. DER or base-64 works fine.

3. From the CA server, was a certificate issued?

4. From the SCEP server, what do the IIS logs say?

5. About your MobileIron certificate template, what did you use for the subject name?

EDIT:

6. From the SCEP server, what errors are you getting in the event logs?

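An added example, not from this thread or from BlackBerry, that ties together the three certificate questions above: the DER-to-PEM conversion Jacob quoted, marduo1294's note that a DER or Base-64 export both work, and the thumbprint that has to be pasted without spaces. It uses only the Python standard library and a constructed DER-shaped byte string (SAMPLE_DER, not a real X.509 certificate); the point it shows is that the thumbprint is SHA-1 over the DER bytes, so both export formats give the same value and a pasted thumbprint can be checked against the exported file.

```python
import base64
import hashlib
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for an exported root CA file: a DER SEQUENCE header
# followed by dummy bytes. It is NOT a parseable X.509 certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def detect_format(data: bytes) -> str:
    """'pem' for a Base-64 (.cer/.pem text) export, 'der' for a binary .cer export."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if data[:1] == b"\x30":  # every DER-encoded certificate begins with a SEQUENCE tag
        return "der"
    raise ValueError("neither DER nor PEM certificate data")

def to_der(data: bytes) -> bytes:
    """Normalise either export format to the raw DER bytes."""
    if detect_format(data) == "der":
        return data
    body = data.decode("ascii").split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    return base64.b64decode("".join(body.split()))

def to_pem(data: bytes) -> str:
    """Same result as `openssl x509 -inform der -in cert.cer -out cert.pem`."""
    b64 = base64.b64encode(to_der(data)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"

def thumbprint(data: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex, no spaces or colons:
    the form the SCEP profile expects, whichever export format was used."""
    return hashlib.sha1(to_der(data)).hexdigest().upper()

def normalise_thumbprint(shown: str) -> str:
    """Strip the spaces/colons the MMC and mscep_admin pages insert before comparing."""
    cleaned = re.sub(r"[\s:]", "", shown).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("a SHA-1 thumbprint is exactly 40 hex characters")
    return cleaned

def thumbprint_matches(shown: str, cert_file: bytes) -> bool:
    """Check a pasted thumbprint against the certificate file it should describe."""
    return normalise_thumbprint(shown) == thumbprint(cert_file)
```

Point `to_der`/`thumbprint` at the bytes of a real exported root or issuing CA file to compare the value shown on the mscep_admin page with the file you copied to the share.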