BlackBerry Curve 8530 8520 - Certificates

About certificate authority profiles

If your email account uses a BlackBerry® Enterprise Server that supports this feature, you can download certificates over the wireless network
from a certificate authority profile provided by your administrator. Depending on your organization, enrollment for a certificate might be required
and might also occur automatically.

When you enroll with a certificate authority profile, the latest certificate is downloaded to your BlackBerry device and added to your certificate
list. The certificate authority profiles shows the status of the certificate. If the certificate is scheduled to expire soon you can re-enroll with the
certificate authority profile to receive an updated certificate.

Download a certificate from a certificate authority

To perform this task, your work email account must use a BlackBerry® Enterprise Server that supports this feature. For more information, contact
your administrator.

If your administrator has provided you with a certificate authority profile, you can enroll with the profile to download a certificate to your
BlackBerry device. If the certificate is scheduled to expire soon you can re-enroll to receive an updated certificate.

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificate Authority Profile.
5. Click Enroll or Re-enroll.
6. If necessary, type the credentials that you use to connect to your organization's network.

To hide the screen for the certificate authority profile while the request is being processed, press the Menu key. Click Hide. To return to this
screen, on the Home screen, click the Certificate Authority Profile icon.

Import a certificate or PGP key from the device memory

1.

On the Home screen or in a folder, click the Media icon or the Files icon.

2. Navigate to a certificate or PGP® key.
3. Highlight the certificate or PGP key.
4. Press the Menu key.
5. Click Import Certificate or Import PGP Key.

To view the certificate or PGP key, press the Menu key. Click Display Certificate or Display PGP Key.

Import a certificate or PGP key from a media card

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates or PGP Keys.
5. Press the Menu key.

User Guide

Security

268

6. Click Show Media Card Certificates or Show Media Card PGP Keys.

To view the certificate or PGP® key, press the Menu key. Click Display Certificate or Display PGP Key.

View properties for a certificate

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Click a certificate.

Certificate properties

Revocation Status:

This field displays the revocation status of the certificate at a specified date and time.

Trust Status:

This field displays the trust status of the certificate chain. A certificate can be explicitly trusted (the certificate itself is trusted), implicitly
trusted (the root certificate in the certificate chain is trusted on your BlackBerry® device), or not trusted (the certificate is not explicitly
trusted and the root certificate in the certificate chain is not trusted or does not exist on your device).

Expiration Date:

This field displays the date that the certificate issuer specified as the expiration date of the certificate.

Certificate Type:

This field displays the certificate format. Your device supports X.509 and WTLS certificate formats.

Public Key Type:

This field displays the standard to which the public key complies. Your device supports RSA®, DSA, Diffie-Hellman, and ECC keys.

Subject:

This field displays information about the certificate subject.

Issuer:

This field displays information about the certificate issuer.

Serial Number:

This field displays the certificate serial number in hexadecimal format.

Key Usage:

This field displays approved uses of the public key.

Subject Alt Name:

This field displays an alternate email address for the certificate subject, if an alternate email address is available.

User Guide

Security

269

SHA1 Thumbprint:

This field displays the SHA-1 digital thumbprint of the certificate.

MD5 Thumbprint:

This field displays the MD5 digital thumbprint of the certificate.

View one type of certificate in the certificate list

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Press the Menu key.
6. Click one of the following menu items:

• Show My Certs
• Show Others Certs
• Show CA Certs
• Show Root Certs

To view all the certificates on your BlackBerry® device, press the Menu key. Click Show All Certs.

Send a certificate

When you send a certificate, your BlackBerry® device sends the public key, but does not send the corresponding private key.
1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Highlight a certificate.
6. Press the Menu key.
7. Click Send via Email or Send via PIN.

Delete a certificate

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Highlight a certificate.
6. Press the Menu key.
7. Click Delete.

View the certificate chain for a certificate

1.

On the Home screen or in a folder, click the Options icon.

User Guide

Security

270

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Highlight a certificate.
6. Press the Menu key.
7. Click Show Chain.

Certificate status

Status indicators for certificates and certificate authority profiles

Status indicators for certificates

:

The certificate has a corresponding private key that is stored on your BlackBerry® device or a smart card.

:

The certificate chain is trusted and valid, and the revocation status of the certificate chain is good.

:

The revocation status of the certificate chain is unknown, or a public key for a certificate in the certificate chain is weak.

:

The certificate is untrusted or revoked, or a certificate in the certificate chain is untrusted, revoked, expired, not valid, or cannot be verified.

Status indicators for certificate authority profiles

:

A valid certificate is associated with the certificate authority profile.

:

A new certificate is being fetched because the current certificate is scheduled to expire soon.

:

The enrollment request is pending approval from the certificate authority.

:

Enrollment with the certificate authority profile is pending because an action from the user is required to continue, or because enrollment
is scheduled to occur later.

:

Enrollment with the certificate authority profile is required and will occur automatically.

User Guide

Security

271

Check the revocation status of a certificate or certificate chain

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Highlight a certificate.
6. Press the Menu key.
7. Click Fetch Status or Fetch Chain Status.

Change the trust status of a certificate

Depending on the types of certificates that your administrator allows, you might not be able to trust some types of certificates.

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Highlight a certificate.
6. Press the Menu key.
7. Click Trust or Distrust.
8. If you are trusting a certificate, perform one of the following actions:

• To trust the highlighted certificate, click Selected Certificate.
• To trust the highlighted certificate and all the other certificates in the chain, click Entire Chain.

Revoke a certificate

If you revoke a certificate, the certificate is revoked only in the key store on your BlackBerry® device. Your device does not update the revocation
status on the certificate authority or CRL servers.
1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Highlight a certificate.
6. Press the Menu key.
7. Click Revoke.
8. Click Yes.
9. Change the Reason field.
10. Click OK.

To cancel a certificate hold, highlight the certificate. Press the Menu key. Click Cancel Hold.

User Guide

Security

272

Certificate revocation reasons

Unknown:

The revocation reason does not match any of the predefined reasons.

Key Compromise:

A person who is not the key subject might have discovered the private key value.

CA Compromise:

Someone might have revealed the private key of the certificate issuer.

Change in Affiliation:

The certificate subject no longer works for the organization.

Superseded:

A new certificate is replacing an existing certificate.

Cessation of Operation:

The certificate subject no longer requires the certificate.

Certificate Hold:

You want to revoke the certificate temporarily.

Certificate options

Change the display name for a certificate

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Highlight a certificate.
6. Press the Menu key.
7. Click Change Label.
8. Type a display name for the certificate.
9. Click OK.

Add an email address to a certificate

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.

User Guide

Security

273

5. Highlight a certificate.
6. Press the Menu key.
7. Click Associate Addresses.
8. Press the Menu key.
9. Click Add Address.
10. Perform one of the following actions:

• Click a contact.
• Click Use Once. Type an email address. Press the Enter key.

11. Press the Menu key.
12. Click Save.

Turn off the display name prompt that appears when you add a certificate to the key store

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Press the Menu key.
6. Click Fetch Certificates.
7. Press the Menu key.
8. Click Options.
9. Change the Prompt for Label field to No.
10. Press the Menu key.
11. Click Save.

When you add a certificate, your BlackBerry® device uses the certificate subject as the name for the certificate.

Turn off the fetch status prompt that appears when you add a certificate to the key store

1.

On the Home screen or in a folder, click the Options icon.

2. Click Security Options.
3. Click Advanced Security Options.
4. Click Certificates.
5. Press the Menu key.
6. Click Fetch Certificates.
7. Press the Menu key.
8. Click Options.
9. Perform one of the following actions:

• To download the revocation status of a certificate when you add it to the key store, change the Fetch Status field to Yes.
• To add a certificate to the key store without downloading the revocation status, change the Fetch Status field to No.

10. Press the Menu key.
11. Click Save.

User Guide

Security

274