certificate_server_name
4. Click Request a certificate.
5. Click Advanced certificate request.
6. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file.
7. Paste the full contents of the certreq.csr file into the Saved Request field.
8. Choose Web Server from the Certificate Template drop-down list.
9. Click Submit.
10. Click Download certificate.
11. Save the file to c:\bascert.cer when prompted.
Note: If the error "The certificate is not valid for the requested usage" appears, choose Subordinate Certification Authority from the Certificate Template drop-down list instead of Web Server.
Task 7 - Download the CA certificate from the certificate authority.
1. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http://<certificate_server_name>)
2. Click Download a CA certificate, certificate chain, or CRL.
3. Click Download CA certificate. Save it as c:\certnewCA.cer.
Task 8 - Import the CA certificate into the BlackBerry Administration Service key store.
1. Log off the server as the domain account used in Tasks 6 and 7 above to request the certificate from the certificate authority (CA).
2. Log on to the server as the BES service account.
3. Open a command prompt window as Administrator in the same manner as used in Task 2.
4. Type:
"c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA.cer" -storepass ""
If the BlackBerry Administration Service certificate is issued by an Intermediate CA, perform step 4 to import the certificates of every Intermediate CA in the certificate chain. Use a unique alias name for every imported certificate. If the error "keytool error: java.lang.Exception: Failed to establish chain from reply" is displayed when performing Task 9 below, this step needs to be completed.
To import an Intermediate Certificate Authority certificate:
"c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert2 -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA2.cer" -storepass ""
Task 9 - Import the BlackBerry Administration Service certificate to the BlackBerry Administration Service key store.
* In the command prompt window used in Task 8, type:
"c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\bascert.cer" -storepass ""
Task 10 - Restart the BlackBerry Administration Service.
If the PKI digital certificate installed on the BlackBerry Device Service server to support BAS and BWDM authentication is not a DoD PKI issued certificate, this is a finding.
Fix Text (F-BBDS-00-000325_fix)
Use a DoD issued digital certificate on the BES to support BAS and BlackBerry Web Desktop Manager authentication.
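One way to evaluate the check above from the key store itself, as an added example that is not part of the STIG or of BlackBerry's documentation: the function parses `keytool -list -v` text and reports whether the httpssl entry is still self-signed or was issued outside the expected CA hierarchy. The function name, the sample listing (constructed) and the issuer DN suffix are assumptions; confirm the suffix against your approved DoD PKI CA list.

```powershell
# Added example. Test-BasCertIssuer is a hypothetical helper, not a vendor tool.
function Test-BasCertIssuer {
    param(
        [string[]]$KeytoolOutput,
        [string]$Alias = 'httpssl',
        # Assumption: DN suffix shared by DoD PKI issuing CAs.
        [string]$IssuerSuffix = 'OU=PKI, OU=DoD, O=U.S. Government, C=US'
    )
    $inAlias = $false; $owner = $null; $issuer = $null
    foreach ($line in $KeytoolOutput) {
        if ($line -match '^Alias name:\s*(.+)$') {
            if ($inAlias) { break }                      # next entry started
            $inAlias = ($Matches[1].Trim() -eq $Alias)
        }
        # The first Owner/Issuer pair in an entry is Certificate[1], the server certificate.
        elseif ($inAlias -and -not $owner  -and $line -match '^Owner:\s*(.+)$')  { $owner  = $Matches[1].Trim() }
        elseif ($inAlias -and -not $issuer -and $line -match '^Issuer:\s*(.+)$') { $issuer = $Matches[1].Trim() }
    }
    if (-not $issuer) { $status = 'Finding: alias not found in keystore listing' }
    elseif ($owner -eq $issuer) { $status = 'Finding: self-signed (CA reply from Task 9 not imported)' }
    elseif (-not $issuer.EndsWith($IssuerSuffix, [System.StringComparison]::OrdinalIgnoreCase)) {
        $status = 'Finding: issuer is not under the expected DN suffix'
    }
    else { $status = 'Not a finding' }
    [pscustomobject]@{ Alias = $Alias; Owner = $owner; Issuer = $issuer; Status = $status }
}

# Constructed sample listing: server certificate issued by a non-DoD enterprise CA.
$sample = @'
Alias name: cacert
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US

Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=bes01.example.mil, OU=Servers, O=Example, C=US
Issuer: CN=Example Issuing CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
'@ -split "`r?`n"

Test-BasCertIssuer -KeytoolOutput $sample | Format-List
```

On the server, pass the output of keytool's `-list -v -keystore` run against web.keystore as `-KeytoolOutput` in place of `$sample`.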