1. segri01's Avatar
    I've got an iPhone and an Android device that will go in a drawer as soon as I can figure out how to get the Z10 to access my company's email.

    The iPhone and the Android both access my corporate email via a certificate that the IT folks issue to me. I install the certificate onto the device and I've got access to email, calendar, and contacts. Works like a charm. I've been wrestling with how to import the certificate onto the Z10 and so far I'm losing the fight. I've searched all the BlackBerry Support and CrackBerry forums and no luck. There's 1 screen on the internal Z10 help, but it doesn't seem to work.

    My IT guys are telling me that the only way to push a certificate to a Z10 is via BES 10 and since I work for a US-based company that won't get access to the new devices for another 2-3 months at least, we won't be upgrading our BES servers until then.

    Does anybody have any tips/tricks on how to push a certificate to a Z10 and how to import it into the device? Any help at all is appreciated!
    02-08-13 09:29 AM
  2. GoJaysGo's Avatar
    Hi there,

    I just signed up to specifically answer this for you.

    We use 802.1X WiFi, and don't have a BES10 server yet. So it's very possible to do this without a BES10 server.

    You have to create a certificate request, and I use Mac OSX Keychain to do this. Once I feed this into my Microsoft Active Directory Certificate Authority, it spits out my certificate.
    I then import the certificate back into my Mac, as I need the private key associated with the certificate I just created.
    Once imported, I then export the certificate and private key into a .p12 file.
    Once I have this file, the trick is to import it onto the Z10.
    Connect your Z10 to your computer via USB.
    Install Link
    Once link is installed, get the IP address of your Z10.
    You can get this in Settings, under Hardware (sorry, I don't have my Z10 in front of me).
    Once you get your IP address, you connect to it via \\169.83.234.30 (for example)
    Once connected you should have 3 shares pop up.
    One of them is a Cert's share.
    Dump your .p12 file into this.

    Then you import them on your Z10 from the security menu > certificates. Make sure you select Personal certificate (2nd option, remember I don't have my Z10 on me).

    I hope this helps.

    We were able to successfully install certificates to the Z10 this way.

    With BES10, you can push the certificates with SCEP server and enjoy auto certificate enrollment.

    I hope this helps.

    If you have any question, please let me know.
    02-08-13 09:45 AM
  3. segri01's Avatar
    Thanks for the tip. I found some similar instructions on the BlackBerry support page here: Import a certificate from your computer - How To - BlackBerry Z10 Smartphone - 10.0.0

    The piece that's got me pulling my hair out is that as soon as I connect to the Z10 (in my case, from a Mac), it asks me if I want to connect as a guest or as a registered user. I've tried guest, with no luck. I've also tried the registered user option but it asks me for the name and password for the device. I've tried every option I can think of and have even wiped the drive back to factory defaults, all with no luck. I've searched through the BB support pages but there's no mention of this anywhere.
    02-08-13 10:12 AM
  4. GoJaysGo's Avatar
    I couldn't get it to connect via my iMac either, or through my parallels VM running on my iMac, even with Link installed. I had to plug it into a PC Laptop, and then install all the BlackBerry Link software. Once I did that, I was able to copy the certs. to the Certs folder.
    02-08-13 11:02 AM
  5. pabs77's Avatar
    Quick question on this. Assuming you have successfully added the certificate as suggested above, how do you associate it with the ActiveSync account during the account set-up process?
    02-15-13 12:26 PM
  6. Boots4283's Avatar
    Tell your IT department to quit being cheap-asses and to buy a real certificate. Let me guess... self-signed? Or is your company really requiring client certificates?
    02-15-13 01:04 PM
  7. Omnitech's Avatar
    Tell your IT department to quit being cheap-asses and to buy a real certificate. Let me guess... self-signed? Or is your company really requiring client certificates?
    Many companies use self-signed certificates on internal networks because they are not public networks using public IP addresses, among other things. (Public certificate authorities are of no use if the host in question does not have an internet-resolvable hostname. Many companies use internal DNS via Microsoft Active Directory because AD pretty much requires you to do so unless you want a big headache.)

    Also, the Z10 PDF documentation says NOTHING about how to import certificates. All it says is "Talk to your administrator".

    In fact, I never saw that BlackBerry documentation article before either; I'll bet it was just created in the last few days, because I searched all over their support site for an answer to that question just a few days ago. (Maybe the problem is that their search engine sucks, since apparently it must have existed at least by 2/8 or segri01 wouldn't have found it on that date.)
    02-16-13 05:22 AM
  8. pabs77's Avatar
    I think it is self-signed, but not 100% sure exactly what that means. For Android, our IT department emails you a certificate and a password. During the ActiveSync account set-up on Android's native mail client you can select a cert and import it; you then enter the password IT gave you and voila, a few IT policies are pushed to the device and you start getting mail. On iOS the set-up involves you going to a website, logging in with corp username and RSA token credentials, then it walks you through a profile installation which imports a certificate and prompts for the cert password (which IT sends you in advance). Not the most elegant solutions from a user standpoint, but they work. When it comes to BB10 the cert import process is straightforward, but it breaks down when it comes to setting up the ActiveSync account: there is no way to tell the device to use that cert when trying to connect to our mail server, so it can't connect or authenticate against the mail server. Any suggestions?
    02-20-13 08:24 AM
  9. Boots4283's Avatar
    Many companies use self-signed certificates on internal networks because they are not public networks using public IP addresses, among other things. (Public certificate authorities are of no use if the host in question does not have an internet-resolvable hostname. Many companies use internal DNS via Microsoft Active Directory because AD pretty much requires you to do so unless you want a big headache.)

    Also, the Z10 PDF documentation says NOTHING about how to import certificates. All it says is "Talk to your administrator".

    In fact, I never saw that BlackBerry documentation article before either; I'll bet it was just created in the last few days, because I searched all over their support site for an answer to that question just a few days ago. (Maybe the problem is that their search engine sucks, since apparently it must have existed at least by 2/8 or segri01 wouldn't have found it on that date.)
    Yes, I realize this and I know you are correct. I know AD, Exchange and BES very well. My point is that self-signed certificates are more pain than they are worth.
    02-20-13 10:56 AM
  10. Boots4283's Avatar
    Go to the website that you use to check email (OWA). Click on the lock icon in your browser and view the certificate. If it is not signed by something like Entrust, Verisign, GoDaddy etc., you probably have a self-signed certificate.
    02-20-13 10:59 AM
  11. Omnitech's Avatar
    I think it is self-signed, but not 100% sure exactly what that means. For Android, our IT department emails you a certificate and a password. During the ActiveSync account set-up on Android's native mail client you can select a cert and import it; you then enter the password IT gave you and voila, a few IT policies are pushed to the device and you start getting mail. On iOS the set-up involves you going to a website, logging in with corp username and RSA token credentials, then it walks you through a profile installation which imports a certificate and prompts for the cert password (which IT sends you in advance). Not the most elegant solutions from a user standpoint, but they work. When it comes to BB10 the cert import process is straightforward, but it breaks down when it comes to setting up the ActiveSync account: there is no way to tell the device to use that cert when trying to connect to our mail server, so it can't connect or authenticate against the mail server. Any suggestions?
    Well there are 2 main scenarios where you might need to import a certificate.

    If your IT dept is using an internal certificate authority (CA), then you will need to import their CA certificate so the device trusts it. (It comes pre-loaded with CA certs from a variety of known/trusted public CAs, but those won't help you, as per my previous comment, if your company uses an internal CA.) When we say "self-signed" that generally means a certificate which does not link back to a known public CA. (Or your internal CA, if you have already imported their root CA cert.)

    The other type of cert is a personal cert, ie to authenticate yourself as a member of staff, in order to use their WiFi network, or to use their email server, etc. Here is a link to a document from Microsoft that describes the process of setting up an Exchange server to use certificates for user authentication.

    So you're saying that you believe that the process of importing the personal cert into the Z10 worked OK, but when it came to the point where you needed to connect to your mail server, there was no mechanism to select that newly-imported cert to identify you to the server?

    Is SSL turned-on for the Exchange account on the Z10? There are some screenshots showing this in another thread here.

    Some info I've seen (ie this page) suggests that in some cases, connecting via WiFi, at least initially, might be more successful for getting EAS working than using the cellular data link.
    02-21-13 12:31 AM
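    As an added example that is not part of this thread, the script below reproduces GoJaysGo's flow (key and certificate request on the user's machine, signing by the company CA, export to a .p12) with openssl against a constructed test CA, and then scripts the two checks the later posts turn on: whether a certificate is a CA cert to be trusted or a personal client cert (Omnitech's two scenarios), and whether it is self-signed (Boots4283's lock-icon test). All subject names, the CA and the .p12 password are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
P12_PASS="constructed-demo-password"   # constructed; stands in for the password IT sends

# Constructed stand-in for the internal AD Certificate Authority in the thread.
make_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/CN=Example Internal CA" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# User side: private key plus certificate request (what Keychain Access produced).
make_user_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/user.key" \
    -out "$WORK/user.csr" -subj "/CN=jdoe/emailAddress=jdoe@example.internal" 2>/dev/null
}

# CA side: sign the request as a client-authentication (personal) certificate.
sign_client_cert() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/client.ext" -out "$WORK/user.pem" 2>/dev/null
}

# Bundle key, certificate and issuing CA into the .p12 that goes into the certs share.
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$P12_PASS" -out "$WORK/user.p12"
}

# "ca"     -> import as a trusted CA certificate
# "client" -> import as a personal (client) certificate
# "other"  -> neither flag present; not usable for client authentication
cert_kind() {
  text="$(openssl x509 -in "$1" -noout -text)"
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo ca
  elif printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'; then
    echo client
  else
    echo other
  fi
}

# Boots4283's check, scripted: a self-signed certificate names itself as its issuer.
is_self_signed() {
  subj="$(openssl x509 -in "$1" -noout -subject)"
  iss="$(openssl x509 -in "$1" -noout -issuer)"
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# A personal cert is only usable on the device if the bundle carries its private key.
p12_has_private_key() {
  if openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null \
       | grep -q 'PRIVATE KEY'; then echo yes; else echo no; fi
}

# Does the client cert chain to the CA the device would have to trust?
chains_to_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_test_ca
make_user_csr
sign_client_cert
make_p12

echo "ca.pem   kind=$(cert_kind "$WORK/ca.pem")   self-signed=$(is_self_signed "$WORK/ca.pem")"
echo "user.pem kind=$(cert_kind "$WORK/user.pem") self-signed=$(is_self_signed "$WORK/user.pem") chains-to-ca=$(chains_to_ca "$WORK/user.pem")"
echo "user.p12 private-key=$(p12_has_private_key "$WORK/user.p12")"
```

    Pointing cert_kind and is_self_signed at the certificate exported from the OWA lock icon tells you whether you are looking at an internal CA root (import as trusted CA) or a personal cert (import as Personal Client).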
  12. pabs77's Avatar
    Omnitech, based on your above comment I would say 100% we are dealing with a personal cert, as described in this Microsoft article you sent the link for, copied below:

    Once the certificate is on the device, the user can configure the Exchange ActiveSync client (usually a mail app) on the device. When configuring EAS for the first time, users will be required to enter their credentials. When the device communicates with the Client Access Server for the first time, users will be prompted to select their certificate. After this is configured, if users check the account properties, they'll see a message similar to the following:

    Microsoft Exchange uses certificates to authenticate users when they log on. (A user name and password is not required.)

    Question: On iOS and Android we have a working process, as I previously stated. Being a former RIM employee, I reached out to a friend at RIM who definitely has the right background to answer this question. He said certificate-based authentication (CBA) must be facilitated by the BES10 as it stands now, and that BB10 would eventually support CBA on device, but it's coming in a future update. I simply can't accept that BlackBerry 10 wouldn't be able to connect while Android and iOS can; it just seems backwards given RIM's business roots.

    If anyone has suggestions happy to hear them.

    Thanks!
    02-25-13 08:33 AM
  13. Omnitech's Avatar
    Question: On iOS and Android we have a working process, as I previously stated. Being a former RIM employee, I reached out to a friend at RIM who definitely has the right background to answer this question. He said certificate-based authentication (CBA) must be facilitated by the BES10 as it stands now, and that BB10 would eventually support CBA on device, but it's coming in a future update. I simply can't accept that BlackBerry 10 wouldn't be able to connect while Android and iOS can; it just seems backwards given RIM's business roots.

    If anyone has suggestions happy to hear them.

    Thanks!
    Well first of all, are you sure that your IT department is actually using BES10? I'm under the impression that there aren't that many running BES10 in production yet. (Though there are apparently a significant number running BES10's predecessor, referred to as "Mobile Fusion" - but Mobile Fusion does not support BB10 devices.)

    If the Android and iOS devices at your company are connecting, most likely they are just connecting to a standard MS Exchange server, not through BES10.

    I can't tell from your comments if your RIM staff friend meant that CBA doesn't work on BB10 devices for ANY MS Exchange connection, or whether it was just a BES10 limitation.

    Unfortunately as BB10 was written from scratch it appears that there are a variety of examples where traditional BBOS functionality did not make it into the initial BB10 release. Some of those cases were clearly intentional (ie trying to simplify things for the kind of customer that would normally find Apple devices appealing), some were probably due to time/resource constraints, and some may be simply because many of the QNX people are not the same people that designed the traditional JavaME-based Blackberry platform, and are still in the process of digesting some of the traditional elements of it.

    I have seen fairly concrete evidence that BBRY is planning to add some of the things that traditional BB users are missing in BB10 so far, such as more flexible notifications, better "bedside-mode", tethered syncing with Outlook, etc. So in this case I would be very surprised if this is indeed a missing feature, if it does not re-appear.

    In the meantime, if it turns out that CBA is totally unsupported on BB10 at the moment, can you ask your Exchange admin if s/he can write a policy exception for you to allow you a different form of authentication for your Z10 until that changes? I believe you can make device-by-device policy exceptions in Exchange, though not being an MS Exchange or BES admin myself I'm not 100% sure.
    02-25-13 04:55 PM
  14. DivideBYZero's Avatar
    My corporation has BES10. It's out there.
    02-25-13 05:55 PM
  15. pabs77's Avatar
    Omnitech,

    Let me clarify a few things. My company is not using BES10 or any other MDM solution; they are trying to avoid the overhead costs of running a server-side solution. Everything connects through ActiveSync and a device-side user certificate.

    My RIM staff friend basically said that CBA would require the BES10 to facilitate the certificate authentication through SCEP.
    Slightly over my head, but that's the answer I got. The capability of assigning a user cert during the ActiveSync account set-up on the device is coming; however, no ETA, not even on the road map.

    I like your idea about getting an exception with my IT department to authenticate with some other means; might give that a try.

    I also tried sideloading the Touchdown Android app, which used to be required to connect certain Android devices that didn't support CBA, but haven't had success setting it up; it doesn't see the cert on my SD card, probably something to do with it being an Android app and might not have access to device storage.

    I love the Z10, it's way better than the HTC One X I was forced to use after leaving RIM, but not having corp mail is a real shortcoming. Right now I am swapping back and forth between my One X and Z10 for this reason.


    Posted via CB10
    02-25-13 07:34 PM
  16. Omnitech's Avatar
    My company is not using BES10 or any other MDM solution; they are trying to avoid the overhead costs of running a server-side solution. Everything connects through ActiveSync and a device-side user certificate.

    My RIM staff friend basically said that CBA would require the BES10 to facilitate the certificate authentication through SCEP.
    I'm confused because on the one hand you state your company isn't using BES, on the other hand you quote that your RIM friend tells you that missing CBA is a BES limitation. Or perhaps what you're saying is that CBA won't work on a Z10 unless the site is running BES? That would seem to leave the Z10 at a real competitive disadvantage in non-BES shops.

    SCEP is just an easier way to distribute personal certs by allowing a device to request a certificate at the time of the initial connection attempt. I've never actually used it because I typically work with smaller organizations, but it seems to be a popular way to address the issue of trying to distribute certificates to users in a secure and organized way.

    The capability of assigning a user cert during the ActiveSync account set-up on the device is coming; however, no ETA, not even on the road map.
    Very interesting. Samsung is already marketing their "Safe at Work" thing using traditional BB selling points before the Z10 gets released here, this omission isn't going to help BB in the corporate world unfortunately.


    I like your idea about getting an exception with my IT department to authenticate with some other means; might give that a try.

    I also tried sideloading the Touchdown Android app, which used to be required to connect certain Android devices that didn't support CBA, but haven't had success setting it up; it doesn't see the cert on my SD card, probably something to do with it being an Android app and might not have access to device storage.
    I would never expect that to work. No way is a sideloaded app from a different platform going to be a secure way of making a connection to anything, I'd eat my hat if BB allowed such an app access to the Z10's protected cert store.

    Besides the possibility of a per-device policy exception for ActiveSync on your Z10, is it even remotely feasible to use Outlook Web Access/Exchange Web Connect to access your company email temporarily? Or IMAP?
    02-25-13 09:42 PM
  17. pabs77's Avatar
    I'm confused because on the one hand you state your company isn't using BES, on the other hand you quote that your RIM friend tells you that missing CBA is a BES limitation. Or perhaps what you're saying is that CBA won't work on a Z10 unless the site is running BES?
    I am saying that CBA won't work unless you have the Z10 connect through BES10; BES10 will facilitate the certificate authentication.

    That would seem to leave the Z10 at a real competitive disadvantage in non-BES shops.
    Agreed, this is a disadvantage given iOS and Android both support importing a user certificate during the ActiveSync set-up on the device. On one hand I can see that RIM wants companies to deploy BES10; in fact when I worked at RIM I sold BES infrastructure and software CALs and associated support. This was a much higher margin business for RIM, albeit a smaller portion of their total revenue. Times have changed though, with most companies, especially US-based companies (like the one I currently work for), seeing the number of BlackBerry users diminish drastically. In this case deploying new server-side infrastructure to support a small number of users is a tough proposition to make to businesses. Supporting iOS and Android does add additional value, but in my company's case, which I don't think is unique, the policies included with ActiveSync are good enough.

    SCEP is just an easier way to distribute personal certs by allowing a device to request a certificate at the time of the initial connection attempt. I've never actually used it because I typically work with smaller organizations, but it seems to be a popular way to address the issue of trying to distribute certificates to users in a secure and organized way.
    This is exactly what the BES10 server will facilitate on BB10: the device activates on BES10, it fetches the certificate and authenticates the connection with the device.

    Very interesting. Samsung is already marketing their "Safe at Work" thing using traditional BB selling points before the Z10 gets released here, this omission isn't going to help BB in the corporate world unfortunately.
    We all know that there are numerous arguments against Android based on security, but as I mentioned above, ActiveSync and its policies become good enough for most organizations, especially cost-conscious ones.

    I would never expect that to work. No way is a sideloaded app from a different platform going to be a secure way of making a connection to anything, I'd eat my hat if BB allowed such an app access to the Z10's protected cert store.
    Shot in the dark; it doesn't, in case any other Z10 users are wondering.

    Besides the possibility of a per-device policy exception for ActiveSync on your Z10, is it even remotely feasible to use Outlook Web Access/Exchange Web Connect to access your company email temporarily? Or IMAP?
    Here is where my situation is unique: my company does not use Microsoft Exchange; rather we use an email solution that supports the ActiveSync protocol. A policy exception is likely my only option and I don't believe it will be easy to get that exception.
    02-26-13 09:32 AM
  18. Omnitech's Avatar
    Here is where my situation is unique: my company does not use Microsoft Exchange; rather we use an email solution that supports the ActiveSync protocol. A policy exception is likely my only option and I don't believe it will be easy to get that exception.
    Do you know exactly what that platform is? Because MOST email servers today have a webmail feature, at least as an option.

    In my own case, looking to replace my own outdated email server with something new, I finally found a product that is available for free or low cost that not only is not limited to something like 5 users (I don't have a bunch of users but I do have a bunch of independent accounts for myself), it also has the ability to support Exchange ActiveSync. The product is called Axigen.

    Most of the servers out there that I'm aware of that have an EAS option also have a webmail option. Here's Microsoft's current list of licensees:

    Exchange ActiveSync Protocol and licensees

    Other products I'm familiar with that support both EAS and webmail include AtMail (@Mail), Icewarp, Imail (Ipswitch), Kerio mail server, MailEnable, SmarterMail, Zimbra... probably several others.
    02-26-13 02:22 PM
  19. pabs77's Avatar
    My company uses Zimbra and it does have a webmail option; however, it requires that you log in with an RSA token. Not the most convenient option.

    Are you suggesting accessing mail through the BB10 browser?

    Another workaround which does work is setting up a VPN connection on the device and then setting up the ActiveSync account while the VPN is connected. Downside is that with the VPN connected, personal email and BBM seem to stop working, and getting onto the VPN still requires an RSA token.

    I failed at getting an IT exception to not use a certificate. IMAP would work according to my IT department; however, it would need VPN and the inconvenience of always having a hard token nearby.


    Posted via CB10
    02-26-13 02:44 PM
  20. Omnitech's Avatar
    My company uses Zimbra and it does have a webmail option; however, it requires that you log in with an RSA token. Not the most convenient option.

    Are you suggesting accessing mail through the BB10 browser?

    Another workaround which does work is setting up a VPN connection on the device and then setting up the ActiveSync account while the VPN is connected. Downside is that with the VPN connected, personal email and BBM seem to stop working, and getting onto the VPN still requires an RSA token.

    I failed at getting an IT exception to not use a certificate. IMAP would work according to my IT department; however, it would need VPN and the inconvenience of always having a hard token nearby.

    Well it was just a thought for a workaround.

    When you say "RSA token" you mean the keyfob thing?

    Probably the reason the other stuff doesn't work when VPN is active is just your IT department's data/firewall policies. Might even have less of a chance asking but you could ask them to poke a hole to your personal email server. I don't know what protocols/ports BBM uses.
    02-26-13 02:54 PM
  21. pabs77's Avatar
    Yeah, a keyfob with rolling 6-digit numbers. It seems like there will be no quick fix on this one.

    Sadly I would return this phone if I hadn't already talked over 30 min on it. Kinda stuck with it now... not really such a bad thing, this phone rocks; it's everything a BlackBerry should be outside of this one flaw.

    I really hope it gets fixed, but from my inside info it's not been a common complaint yet and it's not been included in a road map of feature requests internally at RIM. Given prior experience working there, that means 6-12 months of waiting.

    Posted via CB10
    02-26-13 03:09 PM
  22. Sith_Apprentice's Avatar
    Both public and private certs can be imported using the method above; you can also do this via WiFi and connect to the device. Make sure under storage settings that WiFi access is enabled. Take your certs (public/private) and dump them into the certificate folder. Then go into the phone, Settings, Certificates, and import them. Similar process to importing certificates on the PlayBook.

    CBA DOES work on both the PlayBook and BB10 devices; when importing the cert make sure you check the appropriate boxes (WiFi, Email, etc.).
    03-04-13 06:35 AM
  23. Omnitech's Avatar
    Correct me if I'm wrong, but I don't think the problem is getting the cert on the device, it's getting the Exchange connection to use a designated cert when setting up the connection.

    Edit: Ah, maybe he missed the part about designating the purpose of an imported cert?

    But speaking generally, I thought the whole point of SCEP was that the process of connecting was supposed to be straightforward: server offers to download cert to device, user provides previously-provided cert password, connection uses that personal cert for link, done.
    Last edited by Omnitech; 03-04-13 at 08:21 AM. Reason: typo
    03-04-13 06:56 AM
  24. pabs77's Avatar
    Both public and private certs can be imported using the method above; you can also do this via WiFi and connect to the device. Make sure under storage settings that WiFi access is enabled. Take your certs (public/private) and dump them into the certificate folder. Then go into the phone, Settings, Certificates, and import them. Similar process to importing certificates on the PlayBook.

    CBA DOES work on both the PlayBook and BB10 devices; when importing the cert make sure you check the appropriate boxes (WiFi, Email, etc.).
    So I have the certificate imported on the device. I selected "Personal Client" when importing; the only other option was Personal Trusted CA, but in this thread it says to use Personal Client. If there is a way to get this working I am open to it. I don't see a box to check for email during the import process; I only see WiFi, Web and VPN (which are all checked). The cert successfully imports, however there is no way to select it during the ActiveSync account set-up process. Sith_Apprentice, if you know how to get this working you would be solving a problem for a lot of new Z10 owners at my company.

    Thanks,
    03-04-13 07:14 AM
  25. HARISH SOLANKI's Avatar
    pabs77,

    Did you get this client cert to work with Exchange ActiveSync?
    04-08-13 03:06 PM