S/MIME Support Package
Version 4.1
User Guide Supplement
S/MIME Support Package Version 4.1 User Guide Supplement
Last modified: 14 October 2005
Part number: SWD_X_HH(EN)-074.001
At the time of publication, this documentation is based on the S/MIME Support Package version 4.1.
Send us your comments on product documentation: https://www.blackberry.com/DocsFeedback.
©2005 Research In Motion Limited. All Rights Reserved. The BlackBerry and RIM families of related marks, images, and symbols are the
exclusive properties of Research In Motion Limited. RIM, Research In Motion, “Always On, Always Connected”, the “envelope in motion”
symbol, BlackBerry, BlackBerry Enterprise Server and the BlackBerry logo are registered with the U.S. Patent and Trademark Office and may be
pending or registered in other countries.
Entrust, Entelligence, and Entrust Authority are either trademarks or registered trademarks of Entrust, Inc. in the United States and certain
countries. Microsoft and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other
countries. All other brands, product names, company names, trademarks and service marks are the properties of their respective owners.
The BlackBerry device, the BlackBerry Smart Card Reader and/or associated software are protected by copyright, international treaties and
various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428;
D433,460; D416,256. Other patents are registered or pending in various countries around the world. Visit www.rim.com/patents.shtml for a
listing of applicable RIM patents.
This document is provided “as is” and Research In Motion Limited and its affiliated companies (“RIM”) assume no responsibility for any
typographical, technical or other inaccuracies in this document. RIM reserves the right to periodically change information that is contained in
this document; however, RIM makes no commitment to provide any such changes, updates, enhancements or other additions to this document
to you in a timely manner or at all. RIM MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS OR COVENANTS, EITHER EXPRESS OR
IMPLIED (INCLUDING WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF FITNESS FOR A PARTICULAR
PURPOSE, NON-INFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO THE PERFORMANCE OR NON-PERFORMANCE OF
ANY SOFTWARE REFERENCED HEREIN OR PERFORMANCE OF ANY SERVICES REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF
THIS DOCUMENTATION, NEITHER RIM NOR ITS RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES OR CONSULTANTS SHALL BE LIABLE TO
YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC, COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL,
EXEMPLARY OR INDIRECT DAMAGES, EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING WITHOUT
LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA, DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO
REALIZE EXPECTED SAVINGS.
This document might contain references to third party sources of information, hardware or software, products or services and/or third party
web sites (collectively the “Third-Party Information”). RIM does not control, and is not responsible for, any Third-Party Information, including,
without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any
other aspect of Third-Party Information. The inclusion of Third-Party Information in this document does not imply endorsement by RIM of the
Third Party Information or the third party in any way. Installation and use of Third Party Information with RIM's products and services may
require one or more patent, trademark or copyright licenses in order to avoid infringement of the intellectual property rights of others. Any
dealings with Third Party Information, including, without limitation, compliance with applicable licenses and terms and conditions, are solely
between you and the third party. You are solely responsible for determining whether such third party licenses are required and are responsible
for acquiring any such licenses relating to Third Party Information. To the extent that such intellectual property licenses may be required, RIM
expressly recommends that you do not install or use Third Party Information until all such applicable licenses have been acquired by you or on
your behalf. Your use of Third Party Information shall be governed by and subject to you agreeing to the terms of the Third Party Information
licenses. Any Third Party Information that is provided with RIM's products and services is provided "as is". RIM makes no representation,
warranty or guarantee whatsoever in relation to the Third Party Information and RIM assumes no liability whatsoever in relation to the Third
Party Information even if RIM has been advised of the possibility of such damages or can anticipate such damages.
Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada
Published in Canada
Research In Motion UK Limited
Centrum House, 36 Station Road
Egham, Surrey TW20 9LF
United Kingdom
Contents
1 S/MIME Support Package installation............................................................................................................... 7
2 BlackBerry Certificate Synchronization Manager ............................................................................................ 9
3 Certificates...............................................................................................................................................................15
4 Certificate servers ..................................................................................................................................................21
5 S/MIME messages .................................................................................................................................................23
6 Search........................................................................................................................................................................27
7 Memory cleaning....................................................................................................................................................29
8 Smart cards..............................................................................................................................................................31
9 Legal notice .............................................................................................................................................................33
S/MIME Support Package installation
1
About the S/MIME Support Package
Install the S/MIME Support Package on your desktop
computer computer
Install the S/MIME Support Package on your
BlackBerry device
About the S/MIME Support Package
Install Secure Multipurpose Internet Mail Extension
(S/MIME) support on your BlackBerry® device to
include BlackBerry device applications that are
designed to support S/MIME signing and encryption.
Use the custom setup in the BlackBerry Desktop
Software to add the Certificate Synchronization
Manager.
Install the S/MIME Support Package
on your desktop computer
Insert the BlackBerry® Desktop Software installation
CD into your CD drive. Complete the on-screen
instructions.
• In the Setup Type window, select Custom.
• In the Custom Setup window, click Certificate
Synchronization. Select This feature, and all
subfeatures, will be installed on local hard
drive.
Install the S/MIME Support Package
on your BlackBerry device
1. Verify that your BlackBerry® device is connected
to your computer.
2. On the taskbar, click Start.
3. Click Programs > BlackBerry > Desktop >
Desktop Manager.
4. Double-click the Application Loader icon.
5. Click Next.
6. Select the BlackBerry S/MIME Support Package
check box.
7. To download Department of Defence (DoD) root
certificates, select the DoD Root Certificates
check box.
8. Click Next.
9. Click Finish.
Related topics
Legal notice (See page 33.)
Related topics
Legal notice (See page 33.)
User Guide Supplement
8
BlackBerry Certificate Synchronization
Manager
2
About the BlackBerry Certificate Synchronization
Manager
Open the BlackBerry Certificate Synchronization
Manager
About certificate information icons
View certificates
View certificate information
View certificate status
Synchronize certificates
Import certificates from your company’s network
Search for a certificate on an LDAP server
Change certificate labels
Set the security level of private keys
View OCSP or CRL certificate server information
View LDAP certificate server information
Add OCSP or CRL certificate servers
Add LDAP certificate servers
Manage certificate servers
About Entrust digital IDs
Use Entrust digital IDs with the BlackBerry Certificate
Synchronization Manager
About the BlackBerry Certificate
Synchronization Manager
The BlackBerry® Certificate Synchronization Manager
is designed to enable users of supported BlackBerry
devices to obtain certificates from numerous sources,
download certificates to their BlackBerry device, and
verify the authenticity and status of certificates.
Certificate status information and certificate server
information is designed to be sent between Certificate
Authority (CA), Lightweight Directory Access Protocol
(LDAP), Online Certificate Status Protocol (OCSP), and
Certificate Revocation List (CRL) servers and the
BlackBerry Certificate Synchronization Manager on the
desktop computer, and from the desktop computer to
the BlackBerry device through the standard
synchronization process (across a serial or USB
connection).
Open the BlackBerry Certificate
Synchronization Manager
Verify that your BlackBerry® device is connected to
your computer. On the taskbar, click Start. Click
Programs > BlackBerry > Desktop > Desktop
Manager. Double-click the Certificate Sync icon.
User Guide Supplement
About certificate information icons
In the BlackBerry® Certificate Synchronization
Manager, on the Personal Certificates, Other People’s
Certificates, and Root Certificates tab, the following
icons appear:
A selected check box indicates that the
certificate is stored on the BlackBerry device.
The icons in this column provide information
about the properties of a certificate.
The certificate chain is trusted. The certificate
chain revocation status is good, and the
certificate chain is valid.
The revocation status of the certificate chain is
unknown, or a public key in the certificate chain
is weak.
The certificate chain is untrusted, revoked,
expired, not yet valid or could not be verified.
View certificates
In the BlackBerry® Certificate Synchronization
Manager, perform one of the following actions:
• To view certificates that are assigned to you, click
the Personal Certificates tab.
• To view certificates for another person that have
been validated by a root Certificate Authority and
to authenticate the identity of the person to
whom they are assigned, click the Other People’s
Certificates tab.
• To view certificates that originate from a root
Certificate Authority and are considered
trustworthy, click the Root Certificates tab.
On the server tabs, the following fields appear:
• Certificate Label: This field specifies the name of
the certificate. By default, the name of the
certificate holder is used.
• Security: This field specifies the security level of
the certificate that contains a private key. This
field only appears on the Personal Certificates tab.
• Email Address: This field specifies the email
address of the certificate holder.
• Subject: This field specifies detailed information
about the certificate holder.
• Issuer: This field specifies detailed information
about the certificate issuer.
• Serial Number: This field specifies the certificate
serial number in hexidecimal format.
• Certificate Source: This field specifies the display
name of the certificate server on which the
certificate resides or the Microsoft® Windows®
store in which the certificate was found.
View certificate information
In the BlackBerry® Certificate Synchronization
Manager, click a server tab. Right-click a certificate.
Click View Certificate.
• Serial Number: This field specifies the certificate
serial number in hexidecimal format.
• Issuer: Detailed information about the certificate
issuer.
• Valid From: This field specifies the date from
which the certificate is valid as set by the issuing
Certificate Authority.
• Valid To: This field specifies the expiration date
that is set by the issuing Certificate Authority.
• Subject: Detailed information about the
certificate holder.
• Public key: This field specifies the standard to
which the public ley complies. The BlackBerry
device supports Rivest Shamir Adleman (RSA),
Digital Signature Algorithm (DSA), and Elliptic
Curve Cryptography (ECC) keys.
• Subject Alternative Name: This field specifies the
email address for the certificate.
• Key Usage: This field specifies approved uses for
the key.
10
2: BlackBerry Certificate Synchronization Manager
• SHA1 thumbprint: This field specifies the Secure
Hash Algorithm, version 1 (SHA1) digital
thumbprint of the certificate.
• MD5 thumbprint: This field specifies the
Message-Digest Algorithm, version 5 (MD5)
digital thumbprint of the certificate.
View certificate status
In the BlackBerry® Certificate Synchronization
Manager, click a server tab. Right-click a certificate.
Click Edit Certificate Properties. Click View
Certificate. Click Certification Path.
Synchronize certificates
To synchronize certificates manually, in the
BlackBerry
a server tab. Select the check box beside a certificate.
Click Synchronize.
Note:
Selected certificates are added to the BlackBerry
device. Certificates that are not selected are removed
from the device.
To set the BlackBerry Desktop Software to synchronize
certificate information automatically, in the BlackBerry
Certificate Synchronization Manager, click Options.
Click the Desktop Preferences tab. Perform one of the
following actions:
• To specify an interval after which certificates
• To synchronize certificates each time your device
Warning:
Verify that you have a Public Key Infrastructure (PKI)
system license for the certificate that you want to
download.
® Certificate Synchronization Manager, click
should be synchronized, set the Synchronize
every field.
is connected to your computer, select the
Synchronize every time the BlackBerry device is
connected option.
Import certificates from your
company’s network
In the BlackBerry® Certificate Synchronization
Manager, click Import Certificate. Select a file. Click
Open.
Note:
You can import certificates that are packaged with
private keys and have a .pfx or .p12 file extension (for
example, personal certificates). You can import other
certificates with a .cer, .der, .crt, .p7b, .p7c, or .key file
extension.
Search for a certificate on an LDAP
server
1. In the BlackBerry® Certificate Synchronization
Manager, click the Other People’s Certificates
tab.
2. Click Find in LDAP.
3. Select one or more LDAP server(s).
4. Type certificate holder information in one or more
of the following fields: First Name, Last Name,
Email.
5. Click Search Now.
Note:
To store a certificate in the BlackBerry Certificate
Synchronization Manager, select a query result. Click
Mark for addition.
Change certificate labels
In the BlackBerry® Certificate Synchronization
Manager, click a server tab. Right-click a certificate.
Click Edit Certificate Properties. Perform one of the
following actions:
• To specify a name for the certificate, in the
Certificate Label section, type a name.
11
User Guide Supplement
• To use the common name that is associated with
the certificate, click Use Common Name.
Set the security level of private keys
In the BlackBerry® Certificate Synchronization
Manager, click a server tab. Right-click a certificate.
Click Edit Certificate Properties. In the Private Key
Security Level section, perform one of the following
actions:
• To prompt users for their key store password each
time an program attempts to access their private
key, select High.
• To prompt users for their key store password when
a program attempts to access their private key for
the first time or when their private key password
timeout is expired, select Medium.
• To display no notification when an application
attempts to access a user’s private key, select Low.
Note:
Private key security levels apply to private keys
synchronized to the BlackBerry device.
Certificate extensions can include the URL of the
Certificate Authority, OCSP responder and/or a
CRL location which the BlackBerry Certificate
Synchronization Manager uses to check certificate
status.
• Use specified servers: A selected check box
indicates that servers that are specified in the
server pane are used to check certificate status.
You must enable Use Specified Servers before you
can add and configure OCSP or CRL servers.
• Update Now: Click to download the certificate
revocation lists from the CRL servers and update
the certificate status accordingly. When you
synchronize your certificates, the certificate
revocation lists are queried for the certificates’
revocation status.
• Update the cached CRL: This parameter indicates
(in hours) how frequently the certificate
revocation lists are downloaded to the cache.
When you synchronize your certificates, the
certificate revocation lists are queried for the
certificates’ revocation status. 0 indicates that the
automatic CRL cache updates feature is disabled.
View OCSP or CRL certificate server
information
In the BlackBerry® Certificate Synchronization
Manager, click Options. Click the OCSP Servers or
CRL Servers tab.
• Friendly Name: This parameter specifies the
common name that is associated with the server.
• Use OCSP or Use CRL: A selected check box
indicates that OCSP or CRL server use is enabled.
You must enable OCSP or CRL server use before
you can configure and connect to OCSP or CRL
servers.
• Server URL: This parameter specifies the web
address URL of the server.
• Certificate Extensions: A selected check box
indicates that certificate extension use is enabled.
12
View LDAP certificate server
information
In the BlackBerry® Certificate Synchronization
Manager, click Options. Click the LDAP Servers tab.
• Friendly Name: This parameter specifies the
common name that is associated with the server.
• Server Name: This parameter specifies the name
of the server.
• Base Query: This parameter specifies query
information as it is configured in your LDAP
server. Content appears in X.509 DN syntax.
• Port: This parameter specifies the port as it is
configured on your company network.
• Crawl Server: This parameter indicates whether
the BlackBerry Certificate Synchronization
2: BlackBerry Certificate Synchronization Manager
Manager polls the LDAP server at startup and
automatically downloads all certificates found on
the LDAP server to the BlackBerry Certificate
Synchronization Manager. Yes indicates that the
crawl feature is enabled.
Warning: Crawling LDAP servers are network
intensive and can result in reduced performance.
Contact your system administrator before you
enable this feature.
• Use BlackBerry device address book contents
when searching LDAP servers: A selected check
box indicates that the BlackBerry Certificate
Synchronization Manager queries the LDAP server
to look for certificates that are assigned to people
who are listed in your BlackBerry device address
book.
Warning:
This feature is network intensive and can result in
reduced performance. Contact your system
administrator before you enable this feature.
Add OCSP or CRL certificate servers
In the BlackBerry® Certificate Synchronization
Manager, click Options. Click the OCSP Servers or
CRL Servers tab. Click Add. Perform the following
actions:
• Friendly Name: Type a name for the server.
• Server URL: Type the URL for the server.
Note:
Contact your system administrator for the name of
server.
Add LDAP certificate servers
In the BlackBerry® Certificate Synchronization
Manager, click Options. Click the LDAP Servers tab.
Click Add. Perform the following actions:
• Friendly Name: Type a name for the server.
• Server Name: Type the server name.
• Port: Type the port number of the server. The
default is 389.
• Base Query: Type the base query information.
• Auth. Type: Select Simple if you are required to
provide credentials when you attempt to connect
to an LDAP server. Select Anonymous if you can
connect to an LDAP server without providing
credentials.
• Crawl this LDAP Server: Select this check box to
poll the LDAP server to automatically download
all certificates found on the LDAP server to the
BlackBerry Certificate Synchronization Manager.
Note:
Contact your system administrator for the name, port,
base query, and authentication type of your server.
Manage certificate servers
In the BlackBerry® Certificate Synchronization
Manager, click Options. Click a server tab. Select a
server. Click one of the following menu items:
•Edit
•Delete
About Entrust digital IDs
You can use Entrust® digital IDs with the BlackBerry®
Certificate Synchronization Manager. The Entrust
desktop security store contains managed certificates
and their corresponding private keys. The BlackBerry
Desktop Software can access these keys and
certificates through Entrust Entelligence™ version 6.0
or 6.1 for synchronization to the BlackBerry device.
Before you can use Entrust digital IDs, the certification
authority administrator must configure Entrust policies
to enable PKCS#12 export of private key and
certificate information. This action is performed using
the Entrust Authority™ Security Manager
Administration tool.
13
User Guide Supplement
See appropriate Entrust documentation for
configuration information.
Use Entrust digital IDs with the
BlackBerry Certificate
Synchronization Manager
In the BlackBerry® Certificate Synchronization
Manager, click Options. On the Entrust Preferences
tab. If you are using an Entrust PKI, select the Use
Entrust check box. Locate the entrust.ini file. The
default location is C:\WINNT\system.
Note:
The first time that you use Entrust
are notified that the BlackBerry Certificate
Synchronization Manager extension is attempting to
access Entrust. Click Yes.
® Entelligence™, you
14
Certificates
3
About the key store
Fetch the status of a certificate or certificate chain
Fetch certificates
Set certificates to trusted
Set certificates to untrusted
Send certificates
Add email addresses to certificates
View certificate information
View certificate chain information
Filter certificates
Search for certificates
Add certificates
Set options for adding certificates
Edit certificate labels
Revoke certificates
Delete certificates
Change the key store password
Set key store options
Certificate shortcuts
About the key store
The key store contains your certificates, or public keys,
and private keys. In the key store, the status of
certificates is indicated by an icon.
A key icon indicates that a certificate has a
corresponding private key either on the BlackBerry®
device or on a smart card.
A check mark icon indicates that a certificate chain is
trusted, the certificate chain revocation status is good,
and the certificate chain is valid.
A question mark icon indicates that the revocation
status of a certificate is unknown, or a public key in
the certificate chain is weak.
An “X” icon indicates that a certificate chain is
untrusted, revoked, expired, not yet valid or could not
be verified.
Fetch the status of a certificate or
certificate chain
In the device options, click Security Options. Click
Certificates. Click a certificate. Click one of the
following menu items:
• Fetch Status
•Fetch Chain Status
Note:
Fetching the chain status of a certificate verifies the
status of the certificate and also all other certificates
in the chain, back to the issuing root certificate.
Related topics
About the key store (See page 15.)
Fetch certificates (See page 15.)
Fetch certificates
1. In the device options, click Security Options.
2. Click Certificates.
3. Click the trackwheel.
User Guide Supplement
4. Click Fetch Certificates.
5. Select a server.
6. Type certificate holder information in one or more
of the First Name, Last Name, or Email fields.
7. Click the trackwheel.
8. Click Search.
Note:
A selected check box beside a certificate indicates that
the certificate is fetched and stored in the key store.
Related topics
About the key store (See page 15.)
Add certificates (See page 17.)
Set certificates to trusted
1. In the device options, click Security Options.
2. Click Certificates.
3. Click an untrusted certificate.
4. Click Trust.
5. If the certificate is not a root certificate, a prompt
appears. To trust only the selected certificate, click
Selected Certificate. To trust the entire certificate
chain by trusting the root certificate, click Entire
Chain.
Related topics
About the key store (See page 15.)
Revoke certificates (See page 18.)
Send certificates (See page 16.)
Set certificates to untrusted
In the device options, click Security Options. Click
Certificates. Click a trusted certificate. Click Distrust.
Related topics
About the key store (See page 15.)
Revoke certificates (See page 18.)
Send certificates (See page 16.)
Send certificates
1. In the device options, click Security Options.
2. Click Certificates.
3. Click a certificate.
4. Click Send via Email or Send via PIN.
5. Click a contact.
6. Click Email <
Name
7. Type a message.
8. Click Send.
Note:
When you send certificates, private keys are not sent.
Related topics
Add certificate attachments to messages (See page
25.)
Import certificates (See page 24.)
>.
Contact Name
> or PIN <
Contact
Add email addresses to certificates
1. In the device options, click Security Options.
2. Click Certificates.
3. Click a certificate.
4. Click Associate Addresses.
5. Click the trackwheel.
6. Click Add Address.
7. S ele ct [Use Once].
8. Click Email.
9. Type an email address.
10. Click the trackwheel.
11 . C l i c k Continue.
16
3: Certificates
Related topic
About the key store (See page 15.)
View certificate information
In the device options, click Security Options. Click
Certificates. Click a certificate. Click Details.
• Revocation Status: This field specifies the status
of the certificate at a specified date and time.
• Trust Status
• Explicitly trusted: The certificate is trusted.
• Implicitly trusted: The certificate chains to a
certificate that is trusted on the BlackBerry®
device.
• Not trusted: The certificate is not explicitly
trusted and does not chain to a trusted
certificate on the device.
• Expiration Date: This field specifies the expiration
date that is set by the issuing Certificate
Authority.
• Serial Number: This field specifies the certificate
serial number in hexidecimal format.
Related topics
Edit certificate labels (See page 18.)
Change the key store password (See page 19.)
Filter certificates
In the device options, click Security Options. Click
Certificates. Click the trackwheel. Click one of the
following menu items:
• Show My Certs
• Show Others Certs
• Show CA Certs
• Show Root Certs
• Show All Certs
Note:
The current filter is indicated in the upper right corner
of the screen.
Related topic
Certificate shortcuts (See page 19.)
Search for certificates
1. In the certificate search program, set the Server
field.
2. Type the certificate holder information in one or
more of the following fields: First Name, Last
Name, and Email.
3. Click the trackwheel.
4. Click Search.
View certificate chain information
In the device options, click Security Options. Click a
certificate. Click Show Chain.
Note:
To expand or collapse certificate chain information,
press the Space key.
Related topic
View certificate information (See page 17.)
Related topics
Add certificates (See page 17.)
Set options for adding certificates (See page 18.)
Add certificates
1. In the certificate search program, in a search
results list, select a certificate with an unchecked
check box.
2. Click the trackwheel.
17
User Guide Supplement
3. Click Add to Certificate Key Store.
4. Type your key store password.
5. Click OK.
Related topics
Set options for adding certificates (See page 18.)
Set options for adding certificates
1. In the certificate search program, click the
trackwheel.
2. Click Options.
3. Perform the following actions:
• To fetch the certificate status automatically
when you add a certificate to the key store,
set the Fetch Status field to Yes.
• To set a label for added certificates using the
certificate common name or a custom label,
set the Prompt for Label field to Yes.
4. Click the trackwheel.
5. Click Save.
Related topics
Add certificates (See page 17.)
Fetch the status of a certificate or certificate chain
(See page 15.)
Revoke certificates
1. In the device options, click Security Options.
2. Click Certificates.
3. Click a certificate.
4. Click Revoke.
5. Click Yes.
6. Select one of the following options:
• Unknown: The reason is unspecified.
• Key Compromise: The private key value
might have been revealed.
• CA Compromise: The issuing private key of
the Certificate Authority might have been
revealed.
• Change in Affiliation: The person no longer
works in the company.
• Superseded: A new certificate is replacing an
existing certificate.
• Cessation of Operation: The certificate is no
longer required.
• Certificate Hold: The certificate is temporarily
revoked, but you can reinstate by pressing
Cancel Hold on the BlackBerry® device key
store menu.
• Removed from CRL: The revoked certificate is
removed from the Certificate Revocation List
(CRL).
Edit certificate labels
1. In the device options, click Security Options.
2. Click Certificates.
3. Click a certificate.
4. Click Change Label.
5. Type a new certificate label.
6. Click OK.
Related topic
Change the key store password (See page 19.)
18
Note:
If you revoke a certificate, the certificate is only
revoked in the key store on your device. The revocation
is not communicated back to the Certificate Authority
or CRL servers.
Related topics
About the key store (See page 15.)
Set certificates to trusted (See page 16.)
Send certificates (See page 16.)
3: Certificates
Delete certificates
In the device options, click Security Options. Click
Certificates. Click a certificate. Click Delete.
Related topic
Revoke certificates (See page 18.)
Change the key store password
1. In the device options, click Security Options.
2. Click Security Settings.
3. Click Key Stores.
4. Click the trackwheel.
5. Click Change Password.
6. Type your existing key store password.
7. Type a new key store password.
8. Type your new key store password again.
Set key store options
In the device options, click Security Options. Click
Key Stores. Set the following options:
• Allow Key Store Backup/Restore: Specify
whether you want to back up or restore
certificates, private keys, public keys and,
symmetric keys.
• Private Key Password Timeout: Set the key store
password timeout. After a password timeout
occurs, you must type your password to access
private keys.
• Key Store Address Injector: Specify whether you
want to add contacts from certificates to the
address book when certificates are added to the
BlackBerry® device key store.
• Certificate Service: Specify the service record for
the corporate BlackBerry Mobile Data Service that
is used to fetch certificates. If you are unsure
about your service record, contact your system
administrator.
• Certificate Status Expires After: Specify the
length of time that a certificate revocation status
can be stored before it is stale. If you send an S/
MIME message with a required certificate that is
stale, the device is designed to automatically
attempts to fetch an updated status for the
certificate.
• Accept unverified CRLs: Specify whether to
accept certificate status results from CRLs that
cannot be verified by the BlackBerry Mobile Data
Service.
Related topic
Change the key store password (See page 19.)
Certificate shortcuts
To display the certificate label, press the Space key.
To display certificate information, press the Enter key.
To display all certificates, press the Alt key + A.
To display the Certificate Authority certificates, press
the Alt key + C.
To display the end entity certificates (for example,
personal certificates and other people’s certificates),
press the Alt key + E.
To display the certificate label for a certificate, press
the Alt key + L.
To display personal certificates that contain private
keys, press the Alt key + P.
To display other people’s certificates, press the Alt key
+ O.
To display root certificates, press the Alt key + R.
To display the serial number for a certificate, press the
Alt key + S.
19
User Guide Supplement
20
Certificate servers
4
Add certificate servers
Manage certificate servers
Send certificate server information
Add certificate servers
1. In the device options, click Security Options.
2. Click Certificate Servers.
3. Click a server.
4. Click New Server.
5. Type server information.
6. Click the trackwheel.
7. C lick Save.
Manage certificate servers
In the device options, click Security Options. Click
Certificate Servers. Click a server. Click one of the
following menu items:
•View
•Edit
• Delete
6. Click Email <
Name
7. C lick Send.
Related topics
Send certificates (See page 16.)
Add certificate attachments to messages (See page
25.)
>.
Contact Name
> or PIN <
Contact
Send certificate server information
1. In the device options, click Security Options.
2. Click Certificate Servers.
3. Click a server.
4. Click PIN Server or Email Server.
5. Click a contact.
User Guide Supplement
22
S/MIME messages
5
About S/MIME message status icons
Open S/MIME messages
View encryption information
Verify certificate or certificate chain status
Fetch certificates
Import certificates
Import certificate servers
Forward S/MIME messages
Send S/MIME messages
Add certificate attachments to messages
Set message icon size
Set signing options
Set encryption options
Set key verification options
About S/MIME message status icons
When you open a message, message status icons
appear.
A lock icon indicates that the message is strongly
encrypted.
A lock icon with a question mark indicates that the
message is weakly encrypted.
A check mark icon indicates that the message digital
signature is verified.
An “X” icon indicates that the message digital
signature is not verified.
A question mark icon indicates that more data is
required to verify the digital signature.
Open S/MIME messages
In the messages list, open the S/MIME message.
Related topics
Import certificates (See page 24.)
Import certificate servers (See page 24.)
Fetch certificates (See page 24.)
View encryption information
In an open S/MIME message, click the encryption
icon. Perform one of the following actions:
• To view the certificate information, click Display
Encryption Certificate.
• To view the weak public key algorithm that is used
to encrypt a message, click Encryption Details.
Note:
The BlackBerry Enterprise Server® might re-encrypt
messages that are sent with a weak encryption
algorithm or a digital signature.
Verify certificate or certificate chain
status
In an open S/MIME message, click the digital
signature or trust status icon. Click Check Sender’s
Certificate or Check Sender’s Cert Chain.
Note:
The Check Sender’s Certificate and Check Sender’s
Cert Chain menu items only appear if the sender’s
certificate is included in the message or is stored in
your BlackBerry® device key store.
User Guide Supplement
Fetch certificates
In an open S/MIME message, click the digital
signature or trust status icon. Click Fetch Sender’s
Certificate.
Note:
The Fetch Sender’s Certificate menu item only appears
if the sender’s certificate is not included in your
BlackBerry® device key store or the sender’s message.
Import certificates
1. In an open S/MIME message, click the digital
signature or trust status icon.
2. Click Import Sender’s certificate.
3. Type your key store password.
4. Click OK.
5. Type a certificate label.
6. Click OK.
Note:
To import a certificate from an attachment, in an open
message, click the paper clip icon. Click Retrieve
Certificate Attachment. Click the attachment icon.
Click Import Certificate.
Related topics
Open S/MIME messages (See page 23.)
Import certificate servers
In an open S/MIME message, click an S/MIME server
icon. Click Import Server.
Note:
By default, the forwarded message uses the same
signing and encryption options as the original
message. To change these options, in the message you
are forwarding, set the Using field.
Related topic
Send S/MIME messages (See page 24.)
Send S/MIME messages
1. In the messages list, click the trackwheel.
2. Click Compose Email.
3. Type an email address.
4. Click Email <
5. Perform one of the following actions:
• To attach a digital signature, set the Using
field to Sign.
• To encrypt the message, set the Using field to
Encrypt.
• To attach a digital signature and encrypt the
message, set the Using field to Sign and
Encrypt.
6. Type a message.
7. Click the trackwheel.
8. Click Send.
Note:
To send an encrypted S/MIME PIN message, the
contacts must have a personal identification number
(PIN) and an email address that matches the
certificate that you are using to encrypt the message.
Contact Name
>.
Related topic
Manage certificate servers (See page 21.)
Forward S/MIME messages
In an open S/MIME message, click the trackwheel.
Click Forward.
24
Related topics
Set signing options (See page 25.)
Set key verification options (See page 25.)
Add email addresses to certificates (See page 16.)
5: S/MIME messages
Add certificate attachments to
messages
1. When composing a message, click the trackwheel.
2. Click Attach Certificates.
3. Click a certificate.
Related topic
Send certificates (See page 16.)
Set message icon size
1. In the device options, click Security Options.
2. Click S/MIME.
3. Perform one of the following actions:
• To display small S/MIME icons and include
brief information in messages, set the
Message Viewer Icons field to Small.
• To display large S/MIME icons and include
descriptive information in messages, set the
Message Viewer Icons field to Large.
4. Click the trackwheel.
5. Click Save.
Related topic
Open S/MIME messages (See page 23.)
5. Click the trackwheel.
6. Click Save.
Related topics
Set key verification options (See page 25.)
Send S/MIME messages (See page 24.)
Set encryption options
1. In the device options, click Security Options.
2. Click S/MIME.
3. Set the Encryption Options Certificate field.
4. Set the Allowed Content Ciphers field.
5. Click the trackwheel.
6. Click Save.
Note:
To protect messages in the Sent Items folder and
prevent users from decrypting these messages, in the
Encryption Options section, set the Certificate field
to None.
Related topics
Set key verification options (See page 25.)
Send S/MIME messages (See page 24.)
Set signing options
1. In the device options, click Security Options.
2. Click S/MIME.
3. Set the Signing Options Certificate field.
4. Perform one of the following actions:
• To request a signed receipt when the message
is read, set the Request S/MIME Receipts
field to Yes.
• To make sure that a signed receipt is not
requested when the message is read, set the
Request S/MIME Receipts field to No.
Set key verification options
1. In the device options, click Security Options.
2. Click S/MIME.
3. Perform one of the following actions:
• To verify the cryptographic validity of private
and public keys before sending S/MIME
messages, set the Verify Keys Before Use
field to Yes.
• To not verify the cryptographic validity of
private and public keys before sending S/
25
User Guide Supplement
MIME messages, set the Verify Keys Before
Use field to No.
4. Click the trackwheel.
5. Click Save.
Related topics
Set encryption options (See page 25.)
Send S/MIME messages (See page 24.)
26
Search
Search for signed messages
Search for encrypted messages
Search for signed messages
1. In the search program, in the Text field, type text
to search for.
2. In the Name field, type a contact name to search
for.
3. Select the Messages check box.
4. Click the trackwheel.
5. Click Search.
Search for encrypted messages
1. In the search program, in the Text field, type text
to search for.
2. In the Name field, type a contact name to search
for.
3. Select the Messages check box.
4. Select the Encrypted Messages check box.
5. Click the trackwheel.
6. Click Search.
6
Note:
If the security level for the private key is set to medium
or high, you may be prompted to type your key store
password before search results appear.
User Guide Supplement
28
Memory cleaning
7
About memory cleaning
Set memory cleaning options
Clean memory
About memory cleaning
The memory cleaning program on the BlackBerry®
device is designed to delete sensitive content from
memory.
The device memory is designed to be cleaned
automatically when the device
• is inserted in the holster
• remains idle for a configured period of time
• synchronized with your computer
• time or time zone is changed
•is locked
Set memory cleaning options
1. In the device options, click Security Options.
2. Click Memory Cleaning.
3. Perform one or more of the following actions:
• To clean the BlackBerry® device memory
every time the device is inserted in the holster,
set the Clean When Holstered to Yes.
• To clean the device memory after the device
remains idle for a specified time period, set
the Clean When Idle to Yes. To set the time
period, set the Idle Timeout field.
•To display the Memory Cleaner icon on the
Home screen, set the Show Icon on Home
Screen field to Yes.
4. Click the trackwheel.
5. Click Save.
Related topics
About memory cleaning (See page 29.)
Clean memory (See page 29.)
Clean memory
In the device options, click Security Options. Click
Memory Cleaning. Click the trackwheel. Click Clean
Now.
Related topics
About memory cleaning (See page 29.)
Set memory cleaning options (See page 29.)
User Guide Supplement
30
Smart cards
8
About smart cards
Set a user authenticator password
Unlock the device using a smart card
Download smart card certificates
About smart cards
Certificates and private keys are stored on smart cards.
Certificates can be imported to your BlackBerry®
device key store, but private keys can only be stored
on smart cards. As a result, private key operations such
as signing and decryption are enabled on the smart
card, and public key operations such as verification
and encryption are enabled on the device using public
certificates.
You can download certificates from the smart card to
the your device using a smart card reader, set your
user authenticator passwords, and send S/MIME
messages with your smart card certificates.
Set a user authenticator password
1. Verify that your smart card is inserted in the smart
card reader.
2. In the device options, click Security Options.
3. Click General Settings.
4. Set the User Authenticator Password field to
Enabled.
5. Click Save.
6. Type a user authenticator password for the smart
card.
7. C lick OK.
Unlock the device using a smart card
After you connect the smart card reader to your
BlackBerry® device, the device sends an
authentication request to the card each time that you
unlock your device.
To unlock the device, on the Lock screen, roll the
trackwheel. Click Unlock. In the Enter Device
Password field, type your device password. In the
Enter Authenticator Password field, type your user
authenticator password.
Download smart card certificates
1. In the device options, click Security Options.
2. Click S/MIME.
3. Click the trackwheel.
4. Click Import Smart Card Certs.
5. Select a certificate.
6. Click OK.
7. Type your key store password.
8. Click OK.
Note:
To download a certificate, you must have a PKI system
license for the certificate.
User Guide Supplement
32
Legal notice
9
©2005 Research In Motion Limited. All Rights
Reserved. The BlackBerry and RIM families of related
marks, images, and symbols are the exclusive
properties of Research In Motion Limited. RIM,
Research In Motion, “Always On, Always Connected”,
the “envelope in motion” symbol, BlackBerry,
BlackBerry Enterprise Server and the BlackBerry logo
are registered with the U.S. Patent and Trademark
Office and may be pending or registered in other
countries.
Entrust, Entelligence, and Entrust Authority are either
trademarks or registered trademarks of Entrust, Inc. in
the United States and certain countries
Windows are either trademarks or registered
trademarks of Microsoft Corporation in the United
States and/or other countries.
All other brands, product names, company names,
trademarks and service marks are the properties of
their respective owners.
TThe BlackBerry device, the BlackBerry Smart Card
Reader and/or associated software are protected by
copyright, international treaties and various patents,
including one or more of the following U.S. patents:
6,278,442; 6,271,605; 6,219,694; 6,075,470;
6,073,318; D445,428; D433,460; D416,256. Other
patents are registered or pending in various countries
around the world. Visit www.rim.com/patents.shtml
for a listing of applicable RIM patents.
This document is provided “as is” and Research In
Motion Limited and its affiliated companies (“RIM”)
assume no responsibility for any typographical,
technical or other inaccuracies in this document. RIM
reserves the right to periodically change information
that is contained in this document; however, RIM
makes no commitment to provide any such changes,
.Microsoft and
updates, enhancements or other additions to this
document to you in a timely manner or at all. RIM
MAKES NO REPRESENTATIONS, WARRANTIES,
CONDITIONS OR COVENANTS, EITHER EXPRESS OR
IMPLIED (INCLUDING WITHOUT LIMITATION, ANY
EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS
OF FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, MERCHANTABILITY, DURABILITY,
TITLE, OR RELATED TO THE PERFORMANCE OR NONPERFORMANCE OF ANY SOFTWARE REFERENCED
HEREIN OR PERFORMANCE OF ANY SERVICES
REFERENCED HEREIN). IN CONNECTION WITH
YOUR USE OF THIS DOCUMENTATION, NEITHER RIM
NOR ITS RESPECTIVE DIRECTORS, OFFICERS,
EMPLOYEES OR CONSULTANTS SHALL BE LIABLE TO
YOU FOR ANY DAMAGES WHATSOEVER BE THEY
DIRECT, ECONOMIC, COMMERCIAL, SPECIAL,
CONSEQUENTIAL, INCIDENTAL, EXEMPLARY OR
INDIRECT DAMAGES, EVEN IF RIM HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES,
INCLUDING WITHOUT LIMITATION, LOSS OF
BUSINESS REVENUE OR EARNINGS, LOST DATA,
DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A
FAILURE TO REALIZE EXPECTED SAVINGS.
This document might contain references to third party
sources of information, hardware or software, products
or services and/or third party web sites (collectively
the “Third-Party Information”). RIM does not control,
and is not responsible for, any Third-Party Information,
including, without limitation the content, accuracy,
copyright compliance, compatibility, performance,
trustworthiness, legality, decency, links, or any other
aspect of Third-Party Information. The inclusion of
Third-Party Information in this document does not
imply endorsement by RIM of the Third Party
Information or the third party in any way. Installation
User Guide Supplement
and use of Third Party Information with RIM's
products and services may require one or more patent,
trademark or copyright licenses in order to avoid
infringement of the intellectual property rights of
others. Any dealings with Third Party Information,
including, without limitation, compliance with
applicable licenses and terms and conditions, are
solely between you and the third party. You are solely
responsible for determining whether such third party
licenses are required and are responsible for acquiring
any such licenses relating to Third Party Information.
To the extent that such intellectual property licenses
may be required, RIM expressly recommends that you
do not install or use Third Party Information until all
such applicable licenses have been acquired by you or
on your behalf. Your use of Third Party Information
shall be governed by and subject to you agreeing to
the terms of the Third Party Information licenses. Any
Third Party Information that is provided with RIM's
products and services is provided "as is". RIM makes
no representation, warranty or guarantee whatsoever
in relation to the Third Party Information and RIM
assumes no liability whatsoever in relation to the Third
Party Information even if RIM has been advised of the
possibility of such damages or can anticipate such
damages.
34
Loading...