Welcome to the official BlackBerry Support Community Forums.

BlackBerry® Enterprise Service 10

Contributor
Posts: 16
Registered: ‎04-08-2013
My Device: BES10 and Z10
My Carrier: Vodafone

BES10 and Z10 with certificates

I set up a Z10 device together with BES10 using basic authentication to our Exchange 2007 mailserver.

This is working all fine without problems. So AS in general is working fine!

I then switched the Exchange auth to certificates required mode and tried to create a SCEP profile to deploy client certificates using our company MS Windows 2003 CA server.

This did not work at all. Because of the missing documentation about how to set up the SCEP profile on the BES10 I don't know what to do next.

I don't even know if it is possible to use BES10 SCEP e-mail profiles together with a Windows 2003 CA.

 

Maybe someone has an idea how I should go on further.

I need the possibility to publish the certificates from a central admin point within the BB Device Service.

 

regards,

Markus

Guru III
Posts: 32,130
Registered: ‎06-25-2008
My Device:

I'm rockin the BlackBerry PRIV, Passport, Z30, Z10, Q10, BlackBerry Mini Stereo Speaker, 64 gig PlayBook,BT Headset HS-700

My Carrier: I am on AT&T. Please edit your Personal Profile with your DEVICE TYPE, DEVICE OS and Carrier

Re: BES10 and Z10 with certificates

Did you create a server share to store the certs?

This is also the same share to add in a work space wallpaper.

 






Contributor
Posts: 16
Registered: ‎04-08-2013
My Device: BES10 and Z10
My Carrier: Vodafone

Re: BES10 and Z10 with certificates

No, I did not create a share.

Is that a prereq. to use SCEP profiles?

BlackBerry Employee
Posts: 750
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: BES10 and Z10 with certificates


Do you have the Microsoft SCEP addon installed?

 

http://www.microsoft.com/en-us/download/details.aspx?id=2178

 

The SCEP profile is just pushing out the information that will be used to generate the CSR and request a certificate from your CA.

Contributor
Posts: 16
Registered: ‎04-08-2013
My Device: BES10 and Z10
My Carrier: Vodafone

Re: BES10 and Z10 with certificates

Yes, it is in place and working.

I can connect to the website manually and get the passphrase.

What I found is, that with 2003 CA it seems not possible to set the single passphrase parameter in the registry.

 

At the moment I try to set up the certificate auth manually.

So, I pushed the root certificate to the Z10. Now I need the client certificate and I'm wondering which option I have to check to import the cert to the Z10. First I chose Blackberry device, but this did not work.

Contributor
Posts: 16
Registered: ‎04-08-2013
My Device: BES10 and Z10
My Carrier: Vodafone

Re: BES10 and Z10 with certificates

In this thread it is stated that certificate auth. without using SCEP is not possible.

Can someone confirm that?

I tried all the day now to set up cert. based auth manually by installing root and user cert without any success. If it is true that it is not possible yet, I can stop trying to set it up.

 

http://208.74.204.192/t5/BlackBerry-Enterprise-Service-10/Blackberry-Z10-on-MS-Exchange-ActiveSync-A...

BlackBerry Employee
Posts: 750
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: BES10 and Z10 with certificates


godik wrote:

In this thread it is stated that certificate auth. without using SCEP is not possible.

Can someone confirm that?

I tried all the day now to set up cert. based auth manually by installing root and user cert without any success. If it is true that it is not possible yet, I can stop trying to set it up.

 

http://208.74.204.192/t5/BlackBerry-Enterprise-Service-10/Blackberry-Z10-on-MS-Exchange-ActiveSync-A...


The native email client requires BDS & SCEP to use user certificates with ActiveSync. 

There are third-party mail clients in BlackBerry World such as Touchdown or K9 that you may be able to configure to use user certificates with ActiveSync accounts. However, I can't recommend any of them as I have only used the native client.

BlackBerry Employee
Posts: 750
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: BES10 and Z10 with certificates


godik wrote:

Yes, it is in place and working.

I can connect to the website manually and get the passphrase.

What I found is, that with 2003 CA it seems not possible to set the single passphrase parameter in the registry.

 

At the moment I try to set up the certificate auth manually.

So, I pushed the root certificate to the Z10. Now I need the client certificate and I'm wondering which option I have to check to import the cert to the Z10. First I chose Blackberry device, but this did not work.


If you are not able to enable Single Password mode then that would be a problem. BDS won't support Dynamic Challenge Keys until a later version. You would need to edit the SCEP profile with the Dynamic Challenge Key each time you want to enroll a user and push it out to them and get them to EA prior to the key expiring.
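
Added illustration, not written by any poster in this thread and not BlackBerry's code: in SCEP the challenge is carried as the `challengePassword` attribute of the PKCS#10 request, which is why a profile built around one dynamic key can only produce requests carrying that key. The sketch uses the `openssl` command line; the subject name and challenge values are constructed placeholders.

```shell
#!/bin/sh
# Added example: where the SCEP challenge sits in the certificate request.
# Subject name and challenge values are constructed placeholders.

# make_scep_csr CHALLENGE OUTDIR
# Writes OUTDIR/device.key and OUTDIR/device.csr; the CSR carries CHALLENGE
# in its challengePassword attribute, as a SCEP client's request would.
make_scep_csr() {
    challenge=$1
    outdir=$2
    cat > "$outdir/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
attributes         = attrs
[ dn ]
CN = z10-user.example.test
[ attrs ]
challengePassword  = $challenge
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$outdir/req.cnf" \
        -keyout "$outdir/device.key" -out "$outdir/device.csr" 2>/dev/null
}

# csr_challenge CSRFILE
# Prints the challengePassword value found in the CSR's attributes.
csr_challenge() {
    openssl asn1parse -in "$1" | awk '
        /:challengePassword/ { found = 1; next }
        found && /STRING/    { sub(/^.*STRING[ ]*:/, ""); print; exit }'
}

# Stand-alone demo (guarded so the functions can also be sourced).
if [ "${RUN_DEMO:-0}" = "1" ]; then
    tmp=$(mktemp -d)
    make_scep_csr "ConstructedKey-0001" "$tmp"
    echo "challenge in CSR: $(csr_challenge "$tmp/device.csr")"
    rm -rf "$tmp"
fi
```

Run it with `RUN_DEMO=1` to see the value the CA would compare against its single or one-time password.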