BlackBerry® Enterprise Service 10

Super Contributor
swotam
Posts: 323
Registered: ‎05-10-2011
My Device: Z10

How to Deploy User Certificate via BDS?

OK, so perhaps I'm being dense, but how can I deploy a user certificate to a device via BDS? With UDS you can manually add the certificate within the user settings and it will be sent OTA to the device, but all I see in the BDS docs are references to SCEP.

 

Is SCEP the only way to get a user certificate provisioned via BDS?

 

If SCEP is the only way, or even the recommended way, does anyone have any documentation that might shed more light on how to configure it with a Microsoft CA? I find the BDS and UDS docs to be extremely vague in this regard and I'm admittedly not as familiar with the subject as I should be.

 

Thanks.

----------
BESX 5.0.4, SQL 2008, Exchange 2010 SP2 RU4a
BlackBerry Technical Advisor
-BD-
Posts: 490
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: How to Deploy User Certificate via BDS?


Depends what kind of profile you are trying to associate it to. If you are trying to use a user cert with an EAS profile, you will need SCEP. Microsoft's implementation of SCEP is NDES, which is another role that is installed through the Server Manager in Windows. It can either be on your internal CA or on another host in your environment.

 

Microsoft has a good whitepaper that goes over setting it up:  http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-nd...

 

Super Contributor
swotam
Posts: 323
Registered: ‎05-10-2011
My Device: Z10

Re: How to Deploy User Certificate via BDS?

We are specifically looking to do certificate-based authentication to a WiFi network using RADIUS/PEAP/TLS. This setup requires the WiFi profile to use the user login name as the "User Name" for the WiFi connection, and to use the user's certificate as the Password to connect.

This is a new initiative within the organization, and while we do have a Microsoft CA set up, I'm not sure what the status might be of NDES.

Thanks for the link, I'll check it out.
----------
BESX 5.0.4, SQL 2008, Exchange 2010 SP2 RU4a
BlackBerry Technical Advisor
-BD-
Posts: 490
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: How to Deploy User Certificate via BDS?

If it was a generic wifi certificate you could push it out to all your users through BDS by putting it in the certificates wifi folder in the BAS share.

 

It sounds like you need a different cert for every user and that would require a SCEP profile attached to the WIFI profile.  One thing to note with BDS and SCEP is that the SCEP service must be configured for singlepassword.  It currently doesn't support a dynamic challenge key.

Super Contributor
swotam
Posts: 323
Registered: ‎05-10-2011
My Device: Z10

Re: How to Deploy User Certificate via BDS?

Sounds good, I'll keep that in mind. Now to go chat with the "AD guy" about all this....
----------
BESX 5.0.4, SQL 2008, Exchange 2010 SP2 RU4a
New Contributor
pchoi
Posts: 4
Registered: ‎03-26-2013
My Device: Z10
My Carrier: TMOBILE

Re: How to Deploy User Certificate via BDS?

As a follow-on on this, do we need a PKI service from a third party CA to do this? I've contacted a lot of CAs and they don't seem to understand what I'm asking for.

 

Thnx

New Contributor
marsax
Posts: 3
Registered: ‎03-25-2013
My Device: Z10
My Carrier: Swisscom

Re: How to Deploy User Certificate via BDS?
