Blackberry PEARL 8130, PEARL 8120, PEARL 8100 User Manual

Page 1
S/MIME Support Package for BlackBerry Devices
User Guide Supplement
BlackBerry Pearl 8120 Smartphone
BlackBerry Pearl 8130 Smartphone
Page 2
Last modified: 20 July 2007
At the time of publication, this documentation is based on S/MIME Support Package for BlackBerry devices Version 4.3.
Page 3

Contents

1 S/MIME Support Package for BlackBerry devices installation ... 5
2 Certificates ... 7
3 Certificate servers ... 17
4 S/MIME messages ... 19
5 Smart cards ... 27
6 Legal notice ... 33
Page 4
Page 5

1 S/MIME Support Package for BlackBerry devices installation

About the S/MIME Support Package for BlackBerry devices
Install the certificate synchronization tool on your computer
S/MIME Support Package for BlackBerry devices prerequisites
Install the S/MIME Support Package for BlackBerry devices on your computer
Install the S/MIME Support Package for BlackBerry devices on your BlackBerry device

About the S/MIME Support Package for BlackBerry devices

The S/MIME Support Package for BlackBerry® devices is designed to permit you to send Secure Multipurpose Internet Mail Extensions (S/MIME) messages from, and receive S/MIME messages on, your device, if you are already sending S/MIME messages from and receiving S/MIME messages on your computer.

Install the certificate synchronization tool on your computer

1. Insert the BlackBerry User Tools CD into your CD drive.
2. Complete the instructions on the screen.
3. In the Program Maintenance or Setup Type window, perform one of the following actions:
For a new installation of the BlackBerry® Desktop Software, in the Setup Type window, select Custom.
If you are modifying the BlackBerry Desktop Software installation to add the certificate synchronization tool, in the Program Maintenance window, select Modify.
4. Click Certificate Synchronization.
5. Select This feature, and all subfeatures, will be installed on local hard drive.
For information about using the certificate synchronization tool, see the BlackBerry Desktop Software Online Help.

S/MIME Support Package for BlackBerry devices prerequisites

Verify that you have installed the BlackBerry® Device Software on your computer. The installer for the S/MIME Support Package for BlackBerry devices uses components from the BlackBerry Device Software.
Verify that you have obtained the installer for the S/MIME Support Package for BlackBerry devices.

Install the S/MIME Support Package for BlackBerry devices on your computer

1. Double-click the installer for the S/MIME Support Package for BlackBerry® devices.
2. Complete the instructions on the screen.
Page 6

Install the S/MIME Support Package for BlackBerry devices on your BlackBerry device

1. Connect your BlackBerry® device to your computer.
2. On the taskbar, click Start > Programs > BlackBerry > Desktop Manager.
3. Double-click the Application Loader icon.
4. Click Next.
5. Select the BlackBerry S/MIME Support Package check box.
6. If you require Department of Defense (DoD) root certificates, select the DoD Root Certificates check box.
7. Click Next.
8. Click Finish.
Related topic
Legal notice (See page 33.)
Page 7

2 Certificates

About certificates
About certificate icons
Download a certificate
Filter certificates
Find certificate information
Certificate information fields
Find certificates in a chain
Check the status of a certificate or certificate chain
Set a certificate to trusted
Set a certificate to not trusted
Send a certificate to a contact
Add an email address association to a certificate
Set options for checking the status of a certificate
Use the common name when adding a certificate to the key store
Change the display name for a certificate
Change the security level for a private key
Revoke a certificate
Revocation reasons
Delete a certificate
Add a contact when adding a certificate to the key store
Set the service used to download certificates
Reject CRLs from unverified certificate servers
About the key store
Change the key store password
Set how long your key store password is remembered
Set how frequently the revocation status is refreshed
Do not back up or restore items in the key store
Shortcuts for filtering certificates
Shortcuts for viewing certificate information
Certificate troubleshooting

About certificates

A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has an associated private key. You can request a certificate from a Certificate Authority (CA). The CA signs the certificate to verify that it can be trusted.
Other people use the public key of your certificate to encrypt email messages that they send to you and to verify the signature on email messages that you send to them. Your BlackBerry® device uses the private key associated with your certificate to sign email messages that you send and decrypt email messages sent to you. Private key information is never publicly available.
Related topics
About certificate icons (See page 7.)
About digital signatures and encryption (See page 19.)
About the key store (See page 13.)

About certificate icons

The following icons indicate the status of certificates stored on your BlackBerry® device:
Page 8
Key: The certificate has a corresponding private key either on your device or on a smart card.
Check mark: The certificate chain is trusted, the certificate chain revocation status is good, and the certificate chain is valid.
Question mark: The revocation status of the certificate is unknown, or a public key in the certificate chain is weak.
X: The certificate chain is untrusted, revoked, expired, not yet valid, or could not be verified.

Download a certificate

1. In the device options, click Security Options.
2. Click Certificates.
3. Press the Menu key.
4. Click Fetch Certificates.
5. Select a Lightweight Directory Access Protocol (LDAP) server.
6. Type the certificate subject information in one or more of the First Name, Last Name, or Email fields.
7. Press the Menu key.
8. Click Search.
9. Click a certificate with an unchecked check box.
10. Click Add Certificate to Key Store.
11. Type your key store password.
12. Click OK.
A selected check box beside a certificate indicates that the certificate is stored in the key store on your BlackBerry® device.
Note: Your device might prompt you to download the certificate status or to type a label for the certificate.
Related topics
About the key store (See page 13.)
Set options for checking the status of a certificate (See page 10.)
Use the common name when adding a certificate to the key store (See page 11.)
I cannot download a certificate (See page 15.)

Filter certificates

The current filter is indicated in the upper-right corner of the screen.
1. In the device options, click Security Options.
2. Click Certificates.
3. Press the Menu key.
4. Perform one of the following actions:
To view all certificates on your BlackBerry® device, click Show All Certs.
To view only your certificates, click Show My Certs.
To view certificates for other people, click Show Others Certs.
To view Certificate Authority (CA) certificates, click Show CA Certs.
To view certificates for root CAs, click Show Root Certs.
Related topic
Shortcuts for filtering certificates (See page 14.)

Find certificate information

1. In the device options, click Security Options.
2. Click Certificates.
3. Click a certificate.
Related topics
Find certificates in a chain (See page 9.)
Change the display name for a certificate (See page 11.)
Page 9
Shortcuts for viewing certificate information (See page 14.)

Certificate information fields

Revocation Status: The status of the certificate at a specified date and time.
Trust Status: How the certificate is trusted.
Explicitly Trusted: The certificate itself is trusted.
Implicitly Trusted: The certificate chains to a certificate that is trusted on your BlackBerry® device.
Not Trusted: The certificate is not explicitly trusted and does not chain to a trusted certificate on your device.
Expiration Date: The expiration date that is set by the issuing Certificate Authority (CA).
Certificate Type: The Public Key Infrastructure (PKI) certificate format.
Public Key Type: The standard to which the public key complies. Your device supports Rivest Shamir Adleman (RSA), Digital Signature Algorithm (DSA), Diffie-Hellman (DH), and Elliptic Curve Cryptography (ECC) keys.
Subject: Detailed information about the certificate subject.
Issuer: Detailed information about the certificate issuer.
Serial Number: The certificate serial number in hexadecimal format.
Key Usage: Approved uses for the key.
Subject Alt Name: The email address for the certificate, if known.
SHA1 Thumbprint: The Secure Hash Algorithm, Version 1 (SHA1) digital thumbprint of the certificate.
MD5 Thumbprint: The Message-Digest Algorithm, Version 5 (MD5) digital thumbprint of the certificate.
Related topics
About certificates (See page 7.)
Find certificate information (See page 8.)
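
Added example (not part of the original guide and not BlackBerry code): a small Python model of how the Trust Status values and the certificate status icons described above relate to a certificate chain. The certificate names, the store layout, the precedence of X over the question mark, and name-based chain building with no signature checks are assumptions made for illustration.

```python
"""Model of the Trust Status field and the certificate status icons.

Added illustration only. Signature verification is out of scope here:
issuer/subject name matching stands in for real chain building.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    explicitly_trusted: bool = False  # the user chose Trust on this certificate
    revocation: str = "unknown"       # "good", "revoked" or "unknown"
    weak_key: bool = False            # public key considered weak


def build_chain(leaf: Cert, store: Dict[str, Cert]) -> List[Cert]:
    """Follow issuer names from the leaf towards a self-signed root."""
    chain, seen, current = [leaf], {leaf.subject}, leaf
    while current.issuer != current.subject:
        parent = store.get(current.issuer)
        if parent is None or parent.subject in seen:  # missing issuer or loop
            break
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain


def trust_status(leaf: Cert, store: Dict[str, Cert]) -> str:
    """Return the Trust Status value as the guide defines it."""
    if leaf.explicitly_trusted:
        return "Explicitly Trusted"
    if any(c.explicitly_trusted for c in build_chain(leaf, store)[1:]):
        return "Implicitly Trusted"
    return "Not Trusted"


def status_icon(leaf: Cert, store: Dict[str, Cert], now: datetime) -> str:
    """Map chain state to an icon. Assumption: X outranks the question mark."""
    chain = build_chain(leaf, store)
    if trust_status(leaf, store) == "Not Trusted":
        return "X"
    for c in chain:
        # Revoked, expired or not yet valid anywhere in the chain.
        if c.revocation == "revoked" or not (c.not_before <= now <= c.not_after):
            return "X"
    if any(c.revocation == "unknown" or c.weak_key for c in chain):
        return "Question mark"
    return "Check mark"


def make_cert(subject: str, issuer: str, **kw) -> Cert:
    """Build a constructed sample certificate valid from 2005 to 2010."""
    kw.setdefault("not_before", datetime(2005, 1, 1, tzinfo=UTC))
    kw.setdefault("not_after", datetime(2010, 1, 1, tzinfo=UTC))
    return Cert(subject=subject, issuer=issuer, **kw)


# Constructed sample key store; none of these names come from a real device.
NOW = datetime(2007, 7, 20, tzinfo=UTC)
STORE = {c.subject: c for c in [
    make_cert("CN=Example Root CA", "CN=Example Root CA",
              explicitly_trusted=True, revocation="good"),
    make_cert("CN=Example Issuing CA", "CN=Example Root CA", revocation="good"),
    make_cert("CN=alice", "CN=Example Issuing CA", revocation="good"),
    make_cert("CN=carol", "CN=Example Issuing CA"),  # status never fetched
    make_cert("CN=dave", "CN=Example Issuing CA", revocation="good",
              not_after=datetime(2006, 1, 1, tzinfo=UTC)),  # expired
    make_cert("CN=bob", "CN=Unknown CA", revocation="good"),  # issuer not in store
]}


def evaluate(subject: str) -> Tuple[str, str]:
    """Return (Trust Status, icon) for a certificate in the sample store."""
    leaf = STORE[subject]
    return trust_status(leaf, STORE), status_icon(leaf, STORE, NOW)


if __name__ == "__main__":
    for name in STORE:
        print(name, *evaluate(name), sep=" | ")
```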

Find certificates in a chain

1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Press the Menu key.
5. Click Show Chain.
Related topic
Find certificate information (See page 8.)

Check the status of a certificate or certificate chain

1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Press the Menu key.
5. Perform one of the following actions:
To verify the status of the certificate, click Fetch Status.
To verify the status of the certificate and all other certificates in the chain, click Fetch Chain Status.
Related topics
About the key store (See page 13.)
Download a certificate (See page 8.)
Page 10

Set a certificate to trusted

1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight an untrusted certificate.
4. Press the Menu key.
5. Click Trust.
6. If the certificate is not a root certificate, a prompt appears. Perform one of the following actions:
To trust only the highlighted certificate, click Selected Certificate.
To trust the entire certificate chain by trusting the root certificate, click Entire Chain.
Related topics
About certificates (See page 7.)
About certificate icons (See page 7.)
Set a certificate to not trusted (See page 10.)

Set a certificate to not trusted

1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a trusted certificate.
4. Press the Menu key.
5. Click Distrust.
Related topics
About certificates (See page 7.)
About certificate icons (See page 7.)

Send a certificate to a contact

1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Press the Menu key.
5. Click Send via Email or Send via PIN.
Note: When you send a certificate, only the public key is sent and not the private key.
Related topics
Attach a certificate to a message (See page 24.)
Import a certificate from a message (See page 21.)

Add an email address association to a certificate

1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate belonging to another person.
4. Press the Menu key.
5. Click Associate Addresses.
6. Click the trackball.
7. Click Add Address.
8. Click [Use Once].
9. Type an email address.
10. Click the trackball.
11. Press the Menu key.
12. Click Save.
To remove the associated address, click the address. Click Delete Address.
Related topics
About the key store (See page 13.)
Filter certificates (See page 8.)

Set options for checking the status of a certificate

1. In the device options, click Security Options.
Page 11
2. Click Certificates.
3. Press the Menu key.
4. Click Fetch Certificates.
5. Press the Menu key.
6. Click Options.
7. Perform one of the following actions:
To always download the status of a certificate when you add it to the key store, set the Fetch Status field to Yes.
To be prompted to download the status of a certificate when you add it to the key store, set the Fetch Status field to Prompt.
To never download the status of a certificate when you add it to the key store, set the Fetch Status field to No.
8. Press the Menu key.
9. Click Save.
Related topics
About the key store (See page 13.)
Check the status of a certificate or certificate chain (See page 9.)

Use the common name when adding a certificate to the key store

The common name is the name set for the key when it is generated. You can use the common name as a label for the key on your BlackBerry® device or you can set the label to one that has more meaning to you.
1. In the device options, click Security Options.
2. Click Certificates.
3. Press the Menu key.
4. Click Fetch Certificates.
5. Press the Menu key.
6. Click Options.
7. Set the Prompt for Label field to No.
8. Press the Menu key.
9. Click Save.
Related topics
Change the display name for a certificate (See page 11.)
Add a contact when adding a certificate to the key store (See page 12.)

Change the display name for a certificate

1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Press the Menu key.
5. Click Change Label.
6. Type a new certificate label.
7. Click OK.
Related topic
Use the common name when adding a certificate to the key store (See page 11.)

Change the security level for a private key

1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a personal certificate.
4. Press the Menu key.
5. Click Change Security Level.
6. To change the security level, press the Space key.
7. Click OK.
Page 12

Revoke a certificate

If you revoke a certificate, the certificate is revoked only in the key store on your BlackBerry® device and is not communicated back to the Certificate Authority (CA) or Certificate Revocation List (CRL) servers.
1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Press the Menu key.
5. Click Revoke.
6. Click Yes.
7. Press the Space key to set the Reason field to the appropriate revocation reason.
8. Click OK.
If you set the Reason field to Certificate Hold, to reinstate the certificate, highlight the certificate. Press the Menu key. Click Cancel Hold.
Related topics
Revocation reasons (See page 12.)
About the key store (See page 13.)
Set a certificate to not trusted (See page 10.)
Delete a certificate (See page 12.)

Revocation reasons

Unknown: The reason is unspecified.
Key Compromise: A person who is not the key subject might have discovered the private key value.
CA Compromise: The issuing private key of the Certificate Authority (CA) might have been revealed.
Change in Affiliation: The person no longer works for the organization.
Superseded: A new certificate is replacing an existing certificate.
Cessation of Operation: The certificate is no longer required.
Certificate Hold: The certificate is temporarily revoked.
Removed from CRL: The revoked certificate is removed from the Certificate Revocation List (CRL).
Related topic
Revoke a certificate (See page 12.)

Delete a certificate

1. In the device options, click Security Options.
2. Click Certificates.
3. Highlight a certificate.
4. Press the Menu key.
5. Click Delete.
Related topics
Revoke a certificate (See page 12.)
Set a certificate to not trusted (See page 10.)

Add a contact when adding a certificate to the key store

You can add new contacts from certificates to your address book automatically when you add a certificate to the BlackBerry® device key store.
1. In the device options, click Security Options.
2. Click Key Stores.
3. Set the Key Store Address Injector field to Enabled.
4. Press the Menu key.
5. Click Save.
Related topic
About the key store (See page 13.)
Page 13

Set the service used to download certificates

Verify that your system administrator has provided you with the service record for the BlackBerry Mobile Data System™ (BlackBerry MDS™) Connection Service that your BlackBerry® device uses to download certificates.
1. In the device options, click Security Options.
2. Click Key Stores.
3. Set the Certificate Service field to the correct service record.
4. Press the Menu key.
5. Click Save.
Related topic
Download a certificate (See page 8.)

Reject CRLs from unverified certificate servers

If you reject Certificate Revocation Lists (CRLs) from unverified certificate servers, your BlackBerry® device will not accept certificate status results from CRLs that cannot be verified by the BlackBerry Mobile Data System™ (BlackBerry MDS™) Connection Service.
1. In the device options, click Security Options.
2. Click Key Stores.
3. Set the Accept Unverified CRLs field to No.
4. Press the Menu key.
5. Click Save.
Related topic
Set the service used to download certificates (See page 13.)

About the key store

The key store on your BlackBerry® device stores the following items:
personal certificates (certificate and private key pairs)
certificates downloaded from the certificate synchronization tool of the BlackBerry Desktop Manager
certificates downloaded from a Lightweight Directory Access Protocol (LDAP) server
certificates imported from a message
root certificates bundled with the BlackBerry Desktop Software
The key store is protected by a key store password. Your device might prompt you to set the key store password the first time that you open the key store. You might need to type this password when adding items to or deleting items from the key store, or when an application tries to access your private key to sign or decrypt a message.
Related topic
Download a certificate (See page 8.)

Change the key store password

1. In the device options, click Security Options.
2. Click Key Stores.
3. Press the Menu key.
4. Click Change Password.
Related topics
About the key store (See page 13.)
Set how long your key store password is remembered (See page 13.)

Set how long your key store password is remembered

After a password timeout occurs, you must type your password to access private keys.
1. In the device options, click Security Options.
Page 14
2. Click Key Stores.
3. Set the Private Key Password Timeout field.
4. Press the Menu key.
5. Click Save.
Related topics
About the key store (See page 13.)
Change the key store password (See page 13.)

Set how frequently the revocation status is refreshed

When your BlackBerry® device stores a certificate longer than the time limit specified in the Certificate Status Expires field, your device should download a new revocation status automatically the next time your device uses the certificate.
1. In the device options, click Security Options.
2. Click Key Stores.
3. Set the Certificate Status Expires After field to the length of time that a revocation status is stored before your device considers the status to be stale.
4. Press the Menu key.
5. Click Save.
Related topic
Check the status of a certificate or certificate chain (See page 9.)

Do not back up or restore items in the key store

The Allow Key Store Backup/Restore field determines whether items in the key store are backed up or restored when your BlackBerry® device is backed up or restored. Although the keys are encrypted on your computer, you might want to set this field to No if you do not want your private key backed up to your computer for security reasons.
1. In the device options, click Security Options.
2. Click Key Stores.
3. Set the Allow Key Store Backup/Restore field to No.
4. Press the Menu key.
5. Click Save.
Related topic
About the key store (See page 13.)

Shortcuts for filtering certificates

To view all certificates, press the Alt key and Question Mark (?).
To view Certificate Authority (CA) certificates, press the Alt key and 7.
To view end entity certificates (for example, personal certificates and other people’s certificates), press the Alt key and 3.
To view personal certificates that contain private keys, press the Alt key and 9.
To view other people’s certificates, press the Alt key and Period (.).
To view root certificates, press the Alt key and 1.

Shortcuts for viewing certificate information

To view the certificate label, press the Space key.
To view certificate information, press the Enter key.
Page 15
To view the security level of a certificate, press the Alt key and L.
To view the serial number for a certificate, press the Alt key and 8.

Certificate troubleshooting

I cannot download a certificate
If you changed the connection type that your BlackBerry® device uses to connect to the LDAP certificate server, try using the default connection type.
Page 16
Page 17

3 Certificate servers

About certificate servers
Add a certificate server
LDAP certificate server options
OCSP or CRL certificate server options
Change certificate server information
Delete a certificate server
Send certificate server information to a contact

About certificate servers

Your BlackBerry® device uses Lightweight Directory Access Protocol (LDAP) servers to search for and download certificates.
Your device uses Online Certificate Status Protocol (OCSP) servers to check the certificate revocation status of a certificate on demand.
Your device uses Certificate Revocation List (CRL) servers to check the most recently published certificate revocation status for a certificate. Certificate Authorities (CAs) publish CRLs on CRL servers.
Related topic
Add a certificate server (See page 17.)

Add a certificate server

1. In the device options, click Security Options.
2. Click Certificate Servers.
3. Press the Menu key.
4. Click New Server.
5. Set the Server Type field.
6. Type the appropriate information for the server.
7. Press the Menu key.
8. Click Save.
Related topics
LDAP certificate server options (See page 17.)
OCSP or CRL certificate server options (See page 18.)

LDAP certificate server options

Friendly Name: Type the common name that is associated with the server.
Server Name: Type the network address of the server.
Base Query: Type the base query information as it is configured in your LDAP server. Content appears in X.509 distinguished name (DN) syntax (for example, o=test.rim.net).
Port: Type the port number as it is configured on your organization’s network. The default port number is 389.
Authentication Type: Set whether you require authentication credentials to connect to the server.
Connection Type: Set whether your BlackBerry® device uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to connect to the server.
Related topic
Add a certificate server (See page 17.)
Page 18

OCSP or CRL certificate server options

Friendly Name: Type a name for the server.
Server URL: Type the web address of the server.
Related topic
Add a certificate server (See page 17.)

Change certificate server information

1. In the device options, click Security Options.
2. Click Certificate Servers.
3. Highlight a server.
4. Press the Menu key.
5. Click Edit.
6. Change the appropriate fields.
7. Press the Menu key.
8. Click Save.
Related topics
LDAP certificate server options (See page 17.)
OCSP or CRL certificate server options (See page 18.)

Send certificate server information to a contact

1. In the device options, click Security Options.
2. Click Certificate Servers.
3. Highlight a server.
4. Press the Menu key.
5. Click Email Server or PIN Server.
Related topics
Send a certificate to a contact (See page 10.)
Attach a certificate to a message (See page 24.)

Delete a certificate server

1. In the device options, click Security Options.
2. Click Certificate Servers.
3. Highlight a server.
4. Press the Menu key.
5. Click Delete.
6. Click Yes.
Related topic
Change certificate server information (See page 18.)
Page 19

4 S/MIME messages

About digital signatures and encryption
About encryption icons
About signature icons
About message classifications
View the certificate used to encrypt a message
View information about weakly encrypted messages
Check the status of a certificate or certificate chain
Download a sender’s certificate
Import a certificate from a message
Import a certificate from an attachment
Import certificate server information from a message
Forward or reply to an S/MIME message
Digitally sign or encrypt an email message
Digitally sign or encrypt a PIN message
Send an S/MIME message using a different certificate
Send an S/MIME message without including a certificate
Protect an S/MIME message in the sent items folder
View an attachment in a signed message
Search the message list
Attach a certificate to a message
Display small status icons for S/MIME messages
Select your default S/MIME signing certificate
Select your default S/MIME encryption certificate
Select encryption algorithms for S/MIME messages
Request signed receipts for S/MIME messages
Set the default security options that you use to send messages
Set the default message classification that you use to send messages
Turn off the prompt that appears when you use an S/MIME certificate that is not recommended for use
Turn off the prompt that appears before a message is truncated
S/MIME message troubleshooting

About digital signatures and encryption

You can digitally sign a message to help the recipient verify the authenticity and integrity of the message. When you digitally sign a message using your private key, the recipient uses your public key to verify that you sent the message and not someone who was pretending to be you, and that no one has changed the message before it arrived.
You can encrypt a message to keep the message confidential. When you encrypt a message, your BlackBerry® device uses the recipient’s public key to encrypt the message. Only the recipient’s private key can decrypt the message and the recipient knows that no one else read the message.
Related topics
About encryption icons (See page 20.)
About signature icons (See page 20.)
Page 20

About encryption icons

When you open an encrypted message, a lock icon represents the encryption status. Your system administrator sets an IT Policy that determines whether the encryption algorithm that the message uses is considered to be strong or weak.
Lock: The message is strongly encrypted.
Lock with a question mark: The message is weakly encrypted.
Related topic
About signature icons (See page 20.)

About signature icons

When you open a digitally signed message, a ribbon icon represents the verification status of the digital signature.
Ribbon with a check mark: Your BlackBerry® device verified the digital signature.
Ribbon with an X: Your device could not verify the digital signature.
Ribbon with a question mark: Your device requires more data to verify the digital signature.
The icon after the ribbon icon represents the status of the certificate chain for the sender’s certificate.
Certificate with a check mark: The certificate chain is trusted.
X: The sender’s certificate cannot be found on your device, is revoked, is not trusted, or cannot be verified, or the sender’s email address does not match the certificate subject email address in the certificate.
Question mark: Your device requires more data to verify the trust status, the certificate is weak, or the certificate status is considered to be stale.
Clock: The sender’s certificate has expired.
Related topic
About encryption icons (See page 20.)

About message classifications

If your BlackBerry® device is integrated with an account that uses BlackBerry Enterprise Server Version 4.1.2 or later and your system administrator turns on message classifications, the BlackBerry Enterprise Server applies a minimum set of security actions to each message that you compose, forward, or reply to, based on the classification that you assign to the message. Your system administrator configures the set of message classifications that you can use.
If you receive a message that uses message classifications, you can view the abbreviated classification in the subject line of the message and the full description of the classification in the body of the message. The abbreviated classification and description also appear in messages in your Sent Items folder.
Related topic
Digitally sign or encrypt an email message (See page 22.)

View the certificate used to encrypt a message

1. In an open S/MIME message, highlight the encryption icon.
2. Press the Menu key.
3. Click Display Encryption Certificate.
Related topic
Find certificate information (See page 8.)
Page 21

View information about weakly encrypted messages

1. In an open S/MIME message, highlight the encryption icon.
2. Press the Menu key.
3. Click Encryption Details.
Note: The BlackBerry® Enterprise Server might re-encrypt messages that are sent with a weak encryption algorithm or with a digital signature only.
Related topic
About encryption icons (See page 20.)

Check the status of a certificate or certificate chain

1. In an open S/MIME message, highlight the digital signature or trust status icon.
2. Press the Menu key.
3. Perform one of the following actions:
To verify the status of the sender’s certificate, click Check Sender’s Certificate.
To verify the status of the sender’s certificate and all other certificates in the certificate chain, click Check Sender’s Cert Chain.
Note: The Check Sender’s Certificate and Check Sender’s Cert Chain menu items appear only if the sender’s certificate is included in the message or is stored in your BlackBerry® device key store.
Related topic
Check the status of a certificate or certificate chain (See page 9.)

Download a sender’s certificate

1. In an open S/MIME message, highlight the digital signature or trust status icon.
2. Press the Menu key.
3. Click Fetch Sender’s Certificate.
Note: The Fetch Sender’s Certificate menu item appears only if the sender’s certificate is not included in your BlackBerry® device key store or the sender’s message.
Related topic
Download a certificate (See page 8.)

Import a certificate from a message

1. In an open S/MIME message, highlight the digital signature or trust status icon.
2. Press the Menu key.
3. Click Import Sender’s certificate.
4. Type your key store password.
5. Click OK.
6. Type a certificate label.
7. Click OK.
Related topics
Download a sender’s certificate (See page 21.)
Download a certificate (See page 8.)

Import a certificate from an attachment

1. In an open message, click the certificate attachment icon.
2. Click Retrieve Certificate Attachment.
3. Click the certificate.
4. Click Import Certificate.
Page 22
Related topics
Download a sender’s certificate (See page 21.)
Download a certificate (See page 8.)

Import certificate server information from a message

1. In an open S/MIME message, highlight an S/MIME server icon.
2. Press the Menu key.
3. Click Import Server.
Related topic
Add a certificate server (See page 17.)

Forward or reply to an S/MIME message

1. In an open message, click the trackball.
2. Click Forward or Reply.
Related topic
Digitally sign or encrypt an email message (See page 22.)
I cannot see all signing or encryption options (See page 26.)

Digitally sign or encrypt an email message

1. In an unsent message, perform one of the following actions:
To attach a digital signature, set the Encoding field to Sign.
To encrypt the message, set the Encoding field to Encrypt.
To attach a digital signature and encrypt the message, set the Encoding field to Sign and Encrypt.
2. If required, set the Classification field.
Related topics
Select your default S/MIME signing certificate (See page 24.)
Select your default S/MIME encryption certificate (See page 24.)
Select encryption algorithms for S/MIME messages (See page 25.)
I cannot see all signing or encryption options (See page 26.)

Digitally sign or encrypt a PIN message

In an unsent message, perform one of the following actions:
To attach a digital signature, set the Encoding field to Sign.
To encrypt the message, set the Encoding field to Encrypt.
To attach a digital signature and encrypt the message, set the Encoding field to Sign and Encrypt.
Note:
To send an encrypted PIN message, the recipient must appear in your contact list with an associated personal identification number (PIN) and email address. Your BlackBerry® device uses the email address in your contact list to locate a certificate for the recipient.
Related topics
Select your default S/MIME signing certificate (See page 24.)
Select your default S/MIME encryption certificate (See page 24.)
Select encryption algorithms for S/MIME messages (See page 25.)
I cannot see all signing or encryption options (See page 26.)

Send an S/MIME message using a different certificate

1. In an unsent message, set the Encoding field to one that uses a digital signature or encryption.
2. Press the Menu key.
3. Click Options.
4. Select a different certificate to sign or encrypt the message.
5. Press the Menu key.
6. Click Save.
Your BlackBerry® device uses the selected certificate only for the current message.
Related topics
Send an S/MIME message without including a certificate (See page 23.)
Select your default S/MIME signing certificate (See page 24.)
Select your default S/MIME encryption certificate (See page 24.)

Send an S/MIME message without including a certificate

1. In an unsent message, set the Encoding field to one that uses a digital signature.
2. Press the Menu key.
3. Click Options.
4. Under Signing Options, set the Include Certificate field to No.
5. Press the Menu key.
6. Click Save.
Related topic
Send an S/MIME message using a different certificate (See page 23.)

Protect an S/MIME message in the sent items folder

If you protect a message, when you send the message your BlackBerry® device encrypts the message using the recipient’s certificate but not your certificate. You cannot read protected messages on your device.
1. In an unsent message, set the Encoding field to one that uses encryption.
2. Press the Menu key.
3. Click Options.
4. Under Encryption Options, set the Certificate field to None.
5. Press the Menu key.
6. Click Save.
Related topic
Digitally sign or encrypt an email message (See page 22.)

View an attachment in a signed message

In an open message, click the attachment.
Related topic
Import a certificate from an attachment (See page 21.)

Search the message list

1. In a message list, press the Menu key.
2. Click Search.
3. Set the search criteria.
4. Perform one of the following actions:
To search only plain text and signed messages, set the Include Encrypted Messages field to No.
To search plain text, signed, and encrypted messages, set the Include Encrypted Messages field to Yes.
5. Click the trackball.
6. Click Search.
Note:
If you set the Include Encrypted Messages field to Yes and the security level for your private key is set to medium or high, your BlackBerry® device might prompt you to type your key store password before search results appear.
Related topics
About encryption icons (See page 20.)
About signature icons (See page 20.)

Select your default S/MIME signing certificate

1. In the device options, click Security Options.
2. Click S/MIME.
3. In the Signing Options section, set the Certificate field.
4. Press the Menu key.
5. Click Save.
Related topic
Set how long your key store password is remembered (See page 22.)

Attach a certificate to a message

1. In an unsent message, press the Menu key.
2. Click Attach Certificates.
3. Highlight a certificate.
4. Press the Menu key.
5. Click Continue.
Related topic
Send a certificate to a contact (See page 10.)

Display small status icons for S/MIME messages

1. In the device options, click Security Options.
2. Click S/MIME.
3. Set the Message Viewer Icons field to Small.
4. Press the Menu key.
5. Click Save.
Related topic
Send an S/MIME message using a different certificate (See page 23.)

Select your default S/MIME encryption certificate

Your BlackBerry® device uses your preferred certificate to encrypt messages in the sent items folder and includes your preferred certificate with Secure Multipurpose Internet Mail Extensions (S/MIME) messages so recipients can encrypt their responses.
1. In the device options, click Security Options.
2. Click S/MIME.
3. In the Encryption Options section, set the Certificates field.
4. Press the Menu key.
5. Click Save.
Related topic
Send an S/MIME message using a different certificate (See page 23.)

Select encryption algorithms for S/MIME messages

If a message has multiple recipients, your BlackBerry® device uses the first selected content cipher that all recipients are known to support.
1. In the device options, click Security Options.
2. Click S/MIME.
3. Select all content ciphers that you want available for encrypting messages.
4. Press the Menu key.
5. Click Save.
Related topic
Digitally sign or encrypt an email message (See page 22.)
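The selection rule stated above (the first selected content cipher that all recipients are known to support), modelled as an added Python example; this is not BlackBerry code. The cipher names, addresses, the reading of "first" as list order, and the None result when no cipher qualifies are assumptions, because the page does not describe that case.

```python
from typing import Dict, List, Optional, Sequence, Set

# Constructed sample data: cipher names and addresses are illustrative,
# not a list of what the device offers.
SENDER_SELECTED: List[str] = ["AES-256", "AES-128", "Triple DES", "RC2-40"]
KNOWN_CAPABILITIES: Dict[str, Set[str]] = {
    "alice@example.com": {"AES-256", "AES-128", "Triple DES"},
    "bob@example.com": {"AES-128", "Triple DES", "RC2-40"},
    "legacy@example.com": {"Triple DES", "RC2-40"},
}


def choose_content_cipher(
    selected: Sequence[str],
    recipients: Sequence[str],
    known: Dict[str, Set[str]],
) -> Optional[str]:
    """Return the first selected cipher every recipient is known to support."""
    if not recipients:
        return None
    capability_sets = []
    for address in recipients:
        caps = known.get(address)
        if not caps:
            # Nothing is known about this recipient, so no cipher qualifies.
            return None
        capability_sets.append(caps)
    for cipher in selected:  # list order is treated as preference order
        if all(cipher in caps for caps in capability_sets):
            return cipher
    return None


def blocked_preferences(
    selected: Sequence[str],
    recipients: Sequence[str],
    known: Dict[str, Set[str]],
) -> Dict[str, List[str]]:
    """For each cipher ranked above the chosen one, list recipients lacking it."""
    chosen = choose_content_cipher(selected, recipients, known)
    blocked: Dict[str, List[str]] = {}
    for cipher in selected:
        if cipher == chosen:
            break
        blocked[cipher] = [
            r for r in recipients if cipher not in known.get(r, set())
        ]
    return blocked


if __name__ == "__main__":
    everyone = list(KNOWN_CAPABILITIES)
    print(choose_content_cipher(SENDER_SELECTED, everyone, KNOWN_CAPABILITIES))
    print(blocked_preferences(SENDER_SELECTED, everyone, KNOWN_CAPABILITIES))
```

One recipient with a narrow capability list sets the cipher for the whole message, so leaving a weak cipher selected allows it to be used for every recipient of that message.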

Request signed receipts for S/MIME messages

1. In the device options, click Security Options.
2. Click S/MIME.
3. Set the Request S/MIME Receipts field to Yes.
4. Press the Menu key.
5. Click Save.
Related topic
Digitally sign or encrypt an email message (See page 22.)

Set the default security options that you use to send messages

Your BlackBerry® device uses the default encoding for contacts to whom you have not previously sent a message.
1. In the device options, click Advanced Options.
2. Click Message Services.
3. Set the Default Encoding field.
4. Press the Menu key.
5. Click Save.
Related topic
About digital signatures and encryption (See page 19.)

Set the default message classification that you use to send messages

Verify that your system administrator has set up message classifications.
Your BlackBerry® device uses the default message classification for contacts to whom you have not previously sent a message.
1. In the device options, click Advanced Options.
2. Click Message Services.
3. Set the Default Classification field.
4. Press the Menu key.
5. Click Save.
Related topic
About message classifications (See page 20.)

Turn off the prompt that appears when you use an S/MIME certificate that is not recommended for use

By default, a prompt appears when you try to send a message using a certificate that is not recommended for use (for example, a weak or expired certificate).
1. In the device options, click Security Options.
2. Click S/MIME.
3. Set the Warn about problems with my certificates field to No.
4. Press the Menu key.
5. Click Save.
To receive a prompt again, set the Warn about problems with my certificates field to Yes.

Turn off the prompt that appears before a message is truncated

1. In the device options, click Security Options.
2. Click S/MIME.
3. Set the Warn about truncated messages field to No.
4. Press the Menu key.
5. Click Save.
To receive a prompt again, set the Warn about truncated messages field to Yes.

S/MIME message troubleshooting

I cannot see all signing or encryption options

I cannot see all signing or encryption options
Try performing one of the following actions:
Verify that the current message classification supports the signing or encryption options that you want. Try using a different message classification.
Verify that your message service is configured to support all signing and encryption options.
Related topic
About message classifications (See page 20.)

Smart cards

5

About smart cards

Two-factor authentication prerequisites

Turn on two-factor authentication

Unlock your BlackBerry device when two-factor authentication is turned on
Connect your BlackBerry device to the BlackBerry Smart Card Reader
Import a certificate from a smart card
Set the length of time without a connection before the BlackBerry Smart Card Reader turns off
Set the activity level of the BlackBerry Smart Card Reader
Set the Bluetooth range for the BlackBerry Smart Card Reader
Set when the Bluetooth connection stops
Set options to clear secure pairing information for the BlackBerry Smart Card Reader

About smart cards

Certificates and private keys are stored on smart cards. You can import certificates to your BlackBerry® device key store, but private keys can be stored only on smart cards. As a result, private key operations such as signing and decryption use the smart card, and public key operations such as verification and encryption use the public certificates on your device.
Using a smart card reader, you can download certificates from your smart card to your device, use a smart card certificate to authenticate with your device, and send Secure Multipurpose Internet Mail Extensions (S/MIME) messages with your smart card certificates.
If you use a smart card certificate to authenticate with your device, after you connect the smart card reader to your device, your device sends an authentication request to the smart card each time that you unlock your device.
Related topics
Import a certificate from a smart card (See page 28.)
Turn on two-factor authentication (See page 27.)

Two-factor authentication prerequisites

Verify that you have set a BlackBerry® device password.
Verify that you know the smart card password. You should have received this password when you received your smart card.
Related topic
Turn on two-factor authentication (See page 27.)

Turn on two-factor authentication

1. In the device options, click Security Options.
2. Click General Settings.
3. Set the User Authenticator field to Enabled.
4. Press the Menu key.
5. Click Save.
Related topics
Two-factor authentication prerequisites (See page 27.)
Unlock your BlackBerry device when two-factor authentication is turned on (See page 28.)
Set the Bluetooth range for the BlackBerry Smart Card Reader (See page 29.)

Unlock your BlackBerry device when two-factor authentication is turned on

Verify that you know the smart card password. You should have received this password when you received your smart card.
1. On your BlackBerry® device, on the Lock screen, click the trackball.
2. Click Unlock.
3. Type your BlackBerry device password.
4. Press the Enter key.
5. Type the authentication password for the smart card.
6. Press the Enter key.
Related topic
Set the length of time without a connection before the BlackBerry Smart Card Reader turns off (See page 28.)

Import a certificate from a smart card

1. In the BlackBerry® device options, click Security Options.
2. Click S/MIME.
3. Press the Menu key.
4. Click Import Smart Card Certs.
5. Select a certificate.
6. Click OK.
7. Type your key store password.
8. Click OK.
Note:
To import a certificate, you must have a Public Key Infrastructure (PKI) system license for the certificate.
Related topic
Turn on two-factor authentication (See page 27.)

Connect your BlackBerry device to the BlackBerry Smart Card Reader

1. In the BlackBerry® device options, click Security Options.
2. Click Smart Card.
3. In the Registered Reader Drivers section, click BlackBerry.
4. Click Driver Settings.
5. Press the Menu key.
6. Click Connect.
To disconnect your BlackBerry device from the BlackBerry Smart Card Reader, press the Menu key. Click Disconnect.
Related topic
About smart cards (See page 27.)

Set the length of time without a connection before the BlackBerry Smart Card Reader turns off

Verify that you have connected your BlackBerry® device to the BlackBerry Smart Card Reader.
You might want to set the Power Off Timeout field to a shorter time period to save battery power.
1. In the BlackBerry device options, click Security Options.
2. Click Smart Card.
3. In the Registered Reader Drivers section, click BlackBerry.
4. Click Driver Settings.
5. In the Reader Settings section, set the Power Off Timeout field to specify the period of time without a Bluetooth® connection that passes before the BlackBerry Smart Card Reader turns off.
6. Press the Menu key.
7. Click Save.
Related topic
Set when the Bluetooth connection stops (See page 30.)

Set the activity level of the BlackBerry Smart Card Reader

Verify that you have connected your BlackBerry® device to the BlackBerry Smart Card Reader.
Setting the BlackBerry Smart Card Reader to a higher activity level improves the performance of operations but uses more battery power than lower activity levels.
1. In the BlackBerry device options, click Security Options.
2. Click Smart Card.
3. In the Registered Reader Drivers section, click BlackBerry.
4. Click Driver Settings.
5. In the Reader Settings section, perform one of the following actions:
To set the BlackBerry Smart Card Reader to the lowest activity level so that it is active only when performing smart card operations such as importing certificates, signing email messages, or encrypting email messages, set the Power Saving Mode field to Full.
To set the BlackBerry Smart Card Reader to a medium activity level so that it is active only when connected BlackBerry devices or computers are unlocked, select Partial.
To set the BlackBerry Smart Card Reader to the highest activity level so that it is always active, select Disabled.
6. Press the Menu key.
7. Click Save.

Set the Bluetooth range for the BlackBerry Smart Card Reader

Verify that you have connected your BlackBerry® device to the BlackBerry Smart Card Reader.
If you use two-factor authentication, you might want to set Bluetooth® technology on the BlackBerry Smart Card Reader to a shorter range to make sure that your BlackBerry device locks quickly when the BlackBerry Smart Card Reader is out of range. If you change the Bluetooth Range field, the Bluetooth connection closes and you must reconnect your BlackBerry device to the BlackBerry Smart Card Reader.
1. In the BlackBerry device options, click Security Options.
2. Click Smart Card.
3. In the Registered Reader Drivers section, click BlackBerry.
4. Click Driver Settings.
5. In the Reader Settings section, set the Bluetooth Range field to specify the range for Bluetooth technology on the BlackBerry Smart Card Reader. For example, to set the Bluetooth technology to the shortest range, set the Bluetooth Range field to 30%.
6. Press the Menu key.
7. Click Save.
Note:
The physical range for Bluetooth technology on the BlackBerry Smart Card Reader might vary depending on the environment in which the BlackBerry Smart Card Reader is used.
Related topic
Set when the Bluetooth connection stops (See page 30.)

Set when the Bluetooth connection stops

Each period, your BlackBerry® device sends a signal (heartbeat) that the BlackBerry Smart Card Reader acknowledges. If either your BlackBerry device or the BlackBerry Smart Card Reader misses the heartbeat or response, the Bluetooth® connection closes.
1. In the BlackBerry device options, click Security Options.
2. Click Smart Card.
3. In the Registered Reader Drivers section, click BlackBerry.
4. Click Driver Settings.
5. In the Reader Settings section, set the Connection Heartbeat Period field.
6. Press the Menu key.
7. Click Save.
Related topic
Set the Bluetooth range for the BlackBerry Smart Card Reader (See page 29.)

Set options to clear secure pairing information for the BlackBerry Smart Card Reader

1. In the BlackBerry device options, click Security Options.
2. Click Smart Card.
3. In the Registered Reader Drivers section, click BlackBerry.
4. Click Driver Settings.
5. In the Erase Key After section, perform one or more of the following actions:
Set the Disconnected Timeout field to the period of time after a Bluetooth® connection closes that passes before your BlackBerry device and your BlackBerry Smart Card Reader should clear secure pairing information.
Set the Erase ALL keys field to specify whether your BlackBerry device clears secure pairing keys for paired computers when the Disconnected Timeout occurs.
Set the Long Term Timeout field to the period of time that passes before your BlackBerry device and your BlackBerry Smart Card Reader should clear secure pairing information.
Set the Inactivity Timeout field to the period of time with no secure Bluetooth traffic between your BlackBerry device and your BlackBerry Smart Card Reader that passes before your BlackBerry device and your BlackBerry Smart Card Reader should clear secure pairing information.
Set the Card Not Present Timeout field to the period of time after the smart card is removed from your BlackBerry Smart Card Reader that passes before your BlackBerry device and your BlackBerry Smart Card Reader should clear secure pairing information.
Set the Number Of Transactions field to specify the number of transactions that occur before your BlackBerry device and your BlackBerry Smart Card Reader should clear secure pairing information.
6. Press the Menu key.
7. Click Save.
If your BlackBerry® device and BlackBerry Smart Card Reader clear the secure pairing information, you must reconnect to the BlackBerry Smart Card Reader before you can access the smart card again.
Related topics
Set the Bluetooth range for the BlackBerry Smart Card Reader (See page 29.)
Set when the Bluetooth connection stops (See page 30.)
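The Erase Key After fields described above, modelled as an added Python example that reports which triggers have fired for a given pairing; this is not BlackBerry code. Seconds as the unit, None meaning a field is not set, the Long Term Timeout counting from the time of pairing, and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class EraseKeyPolicy:
    """The Erase Key After fields; None means not set (assumption)."""
    disconnected_timeout: Optional[int] = None
    long_term_timeout: Optional[int] = None
    inactivity_timeout: Optional[int] = None
    card_not_present_timeout: Optional[int] = None
    number_of_transactions: Optional[int] = None
    erase_all_keys: bool = False


@dataclass
class PairingState:
    """Constructed snapshot of one pairing; times in seconds (assumed unit)."""
    now: int
    paired_at: int
    last_secure_traffic_at: int
    disconnected_at: Optional[int] = None  # None while connected
    card_removed_at: Optional[int] = None  # None while the card is inserted
    transactions: int = 0


def fired_triggers(policy: EraseKeyPolicy, state: PairingState) -> List[str]:
    """Return the names of the triggers that have been reached, in page order."""
    def reached(since: Optional[int], limit: Optional[int]) -> bool:
        return since is not None and limit is not None and state.now - since >= limit

    fired = []
    if reached(state.disconnected_at, policy.disconnected_timeout):
        fired.append("Disconnected Timeout")
    if reached(state.paired_at, policy.long_term_timeout):
        fired.append("Long Term Timeout")
    if reached(state.last_secure_traffic_at, policy.inactivity_timeout):
        fired.append("Inactivity Timeout")
    if reached(state.card_removed_at, policy.card_not_present_timeout):
        fired.append("Card Not Present Timeout")
    if (policy.number_of_transactions is not None
            and state.transactions >= policy.number_of_transactions):
        fired.append("Number Of Transactions")
    return fired


def evaluate(policy: EraseKeyPolicy, state: PairingState) -> Dict[str, object]:
    """Decide what is cleared: any trigger clears the reader pairing; keys for
    paired computers go only with Erase ALL keys plus the Disconnected Timeout."""
    fired = fired_triggers(policy, state)
    return {
        "clear_reader_pairing": bool(fired),
        "clear_computer_pairing_keys": (
            policy.erase_all_keys and "Disconnected Timeout" in fired
        ),
        "fired": fired,
    }


# Constructed sample policy used for the checks.
SAMPLE_POLICY = EraseKeyPolicy(
    disconnected_timeout=300, long_term_timeout=86400, inactivity_timeout=600,
    card_not_present_timeout=60, number_of_transactions=100, erase_all_keys=True,
)

if __name__ == "__main__":
    state = PairingState(now=1000, paired_at=0, last_secure_traffic_at=900,
                         disconnected_at=600)
    print(evaluate(SAMPLE_POLICY, state))
```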

Legal notice

6
©2007 Research In Motion Limited. All Rights Reserved. The BlackBerry and RIM families of related marks, images, and symbols are the exclusive properties of Research In Motion Limited. RIM, Research In Motion, BlackBerry, “Always On, Always Connected” and the “envelope in motion” symbol are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries.
The Bluetooth word mark and logos are owned by the Bluetooth SIG, Inc. and any use of such marks by Research In Motion is under license. Entrust, Entrust Entelligence, and Entrust Authority are either registered trademarks or trademarks of Entrust, Inc. in the United States and certain countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other brands, product names, company names, trademarks and service marks are the properties of their respective owners.
The BlackBerry device, the BlackBerry Smart Card Reader and/or associated software are protected by copyright, international treaties, and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428; D433,460; D416,256. Other patents are registered or pending in various countries around the world. Visit www.rim.com/patents for a list of RIM [as hereinafter defined] patents.
This document is provided “as is” and Research In Motion Limited and its affiliated companies (“RIM”) assume no responsibility for any typographical, technical, or other inaccuracies in this document. In order to protect RIM proprietary and confidential information and/or trade secrets, this document may
describe some aspects of RIM technology in generalized terms. RIM reserves the right to periodically change information that is contained in this document; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this document to you in a timely manner or at all. RIM MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS, OR COVENANTS, EITHER EXPRESS OR IMPLIED (INCLUDING WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO THE PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE REFERENCED HEREIN OR PERFORMANCE OF ANY SERVICES REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF THIS DOCUMENTATION, NEITHER RIM NOR ITS RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, OR CONSULTANTS SHALL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC, COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR INDIRECT DAMAGES, EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING WITHOUT LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA, DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO REALIZE EXPECTED SAVINGS.
This document might contain references to third-party sources of information, hardware or software, products or services and/or third-party web sites (collectively the “Third-Party Information”). RIM does not control, and is not responsible for, any Third-Party Information, including, without limitation the content, accuracy, copyright compliance, compatibility, performance,
trustworthiness, legality, decency, links, or any other aspect of Third-Party Information. The inclusion of Third-Party Information in this document does not imply endorsement by RIM of the Third-Party Information or the third-party in any way. Installation and use of Third-Party Information with RIM's products and services may require one or more patent, trademark, or copyright licenses in order to avoid infringement of the intellectual property rights of others. Any dealings with Third-Party Information, including, without limitation, compliance with applicable licenses and terms and conditions, are solely between you and the third-party. You are solely responsible for determining whether such third-party licenses are required and are responsible for acquiring any such licenses relating to Third-Party Information. To the extent that such intellectual property licenses may be required, RIM expressly recommends that you do not install or use Third-Party Information until all such applicable licenses have been acquired by you or on your behalf. Your use of Third-Party Information shall be governed by and subject to you agreeing to the terms of the Third-Party Information licenses. Any Third-Party Information that is provided with RIM's products and services is provided “as is”. RIM makes no representation, warranty or guarantee whatsoever in relation to the Third-Party Information and RIM assumes no liability whatsoever in relation to the Third-Party Information even if RIM has been advised of the possibility of such damages or can anticipate such damages.
Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada
Published in Canada
Research In Motion UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom