User manual BLACKBERRY PEARL 8120 - S-MIME SUPPORT PACKAGE FOR DEVICES USER GUIDE SUPPLEMENT

S/MIME Support Package for BlackBerry Devices User Guide Supplement BlackBerry Pearl 8120 Smartphone BlackBerry Pearl 8130 Smartphone S/MIME Support Package for BlackBerry Devices User Guide Supplement Last modified: 20 July 2007 Document ID: 13381054-001 At the time of publication, this documentation is based on S/MIME Support Package for BlackBerry devices Version 4.3. Send us your comments on product documentation: https://www.blackberry.com/DocsFeedback. Contents 1 2 3 4 5 6 S/MIME Support Package for BlackBerry devices installation ......................................................................... 5 Certificates .................................................................................................................................................................7 Certificate servers ................................................................................................................................................... 17 S/MIME messages...................................................................................................................................................19 Smart cards ............................................................................................................................................................. 27 Legal notice ............................................................................................................................................................. 33 1 S/MIME Support Package for BlackBerry devices installation About the S/MIME Support Package for BlackBerry devices Install the certificate synchronization tool on your computer S/MIME Support Package for BlackBerry devices prerequisites Install the S/MIME Support Package for BlackBerry devices on your computer Install the S/MIME Support Package for BlackBerry devices on your BlackBerry device · For a new installation of the BlackBerry® Desktop Software, in the Setup Type window, select Custom. If you are modifying the BlackBerry Desktop Software installation to add the certificate synchronization tool, in the Program Maintenance window, select Modify. · 4. Click Certificate Synchronization. 5. Select This feature, and all subfeatures, will be installed on local hard drive. For information about using the certificate synchronization tool, see the BlackBerry Desktop Software Online Help. About the S/MIME Support Package for BlackBerry devices The S/MIME Support Package for BlackBerry® devices is designed to permit you to send Secure Multipurpose Internet Mail Extensions (S/MIME) messages from-- and receive S/MIME messages on--your device, if you are already sending S/MIME messages from and receiving S/MIME messages on your computer. S/MIME Support Package for BlackBerry devices prerequisites · Verify that you have installed the BlackBerry® Device Software on your computer. The installer for the S/MIME Support Package for BlackBerry devices uses components from the BlackBerry Device Software. Verify that you have obtained the installer for the S/MIME Support Package for BlackBerry devices. Install the certificate synchronization tool on your computer 1. Insert the BlackBerry User Tools CD in to your CD drive. 2. Complete the instructions on the screen. 3. In the Program Maintenance or Setup Type window, perform one of the following actions: · Install the S/MIME Support Package for BlackBerry devices on your computer 1. Double-click the installer for the S/MIME Support Package for BlackBerry® devices. 2. Complete the instructions on the screen. User Guide Supplement Install the S/MIME Support Package for BlackBerry devices on your BlackBerry device 1. Connect your BlackBerry® device to your computer. 2. On the taskbar, click Start > Programs > BlackBerry > Desktop Manager. 3. Double-click the Application Loader icon. 4. Click Next. 5. Select the BlackBerry S/MIME Support Package check box. 6. If you require Department of Defense (DoD) root certificates, select the DoD Root Certificates check box. 7. Click Next. 8. Click Finish. Related topic Legal notice (See page 33.) 6 2 Certificates About certificates About certificate icons Download a certificate Filter certificates Find certificate information Certificate information fields Find certificates in a chain Check the status of a certificate or certificate chain Set a certificate to trusted Set a certificate to not trusted Send a certificate to a contact Add an email address association to a certificate Set options for checking the status of a certificate Use the common name when adding a certificate to the key store Change the display name for a certificate Change the security level for a private key Revoke a certificate Revocation reasons Delete a certificate Add a contact when adding a certificate to the key store Set the service used to download certificates Reject CRLs from unverified certificate servers About the key store Change the key store password Related topics About certificate icons (See page 7.) About digital signatures and encryption (See page 19.) About the key store (See page 13.) Set how long your key store password is remembered Set how frequently the revocation status is refreshed Do not back up or restore items in the key store Shortcuts for filtering certificates Shortcuts for viewing certificate information Certificate troubleshooting About certificates A certificate is a digital document that binds the identity and public key of a certificate subject. Each certificate has an associated private key. You can request a certificate from a Certificate Authority (CA). The CA signs the certificate to verify that it can be trusted. Other people use the public key of your certificate to encrypt email messages that they send to you and to verify the signature on email messages that you send to them. Your BlackBerry® device uses the private key associated with your certificate to sign email messages that you send and decrypt email messages sent to you. Private key information is never publicly available. About certificate icons The following icons indicate the status of certificates stored on your BlackBerry® device: User Guide Supplement · · Key: The certificate has a corresponding private key either on your device or on a smart card. Check mark: The certificate chain is trusted, the certificate chain revocation status is good, and the certificate chain is valid. Question mark: The revocation status of the certificate is unknown, or a public key in the certificate chain is weak. X: The certificate chain is untrusted, revoked, expired, not yet valid, or could not be verified. Set options for checking the status of a certificate (See page 10.) Use the common name when adding a certificate to the key store (See page 11.) I cannot download a certificate (See page 15.) · Filter certificates The current filter is indicated in the upper-right corner of the screen. 1. In the device options, click Security Options. 2. Click Certificates. 3. Press the Menu key. 4. Perform one of the following actions: · · · · · To view all certificates on your BlackBerry® device, click Show All Certs. To view only your certificates, click Show My Certs. To view certificates for other people, click Show Others Certs. To view Certificate Authority (CA) certificates, click Show CA Certs. To view certificates for root CAs, click Show Root Certs. · Download a certificate 1. In the device options, click Security Options. 2. Click Certificates. 3. Press the Menu key. 4. Click Fetch Certificates. 5. Select a Lightweight Directory Access Protocol (LDAP) server. 6. Type the certificate subject information in one or more of the First Name, Last Name, or Email fields. 7. Press the Menu key. 8. Click Search. 9. Click a certificate with an unchecked check box. 10. Click Add Certificate to Key Store. 11. Type your key store password. 12. Click OK. A selected check box beside a certificate indicates that the certificate is stored in the key store on your BlackBerry® device. Note: Your device might prompt you to download the certificate status or to type a label for the certificate. Related topics About the key store (See page 13.) 8 Related topic Shortcuts for filtering certificates (See page 14.) Find certificate information 1. In the device options, click Security Options. 2. Click Certificates. 3. Click a certificate. Related topics Find certificates in a chain (See page 9.) Change the display name for a certificate (See page 11.) 2: Certificates Shortcuts for viewing certificate information (See page 14.) · MD5 Thumbprint: The Message-Digest Algorithm, Version 5 (MD5) digital thumbprint of the certificate. Certificate information fields · · Revocation Status: The status of the certificate at a specified date and time. Trust Status: How the certificate is trusted. · · Explicitly Trusted: The certificate itself is trusted. Implicitly Trusted: The certificate chains to a certificate that is trusted on your BlackBerry® device. Not Trusted: The certificate is not explicitly trusted and does not chain to a trusted certificate on your device. Related topics About certificates (See page 7.) Find certificate information (See page 8.) Find certificates in a chain 1. In the device options, click Security Options. 2. Click Certificates. 3. Highlight a certificate. 4. Press the Menu key. 5. Click Show Chain. Related topic Find certificate information (See page 8.) · · · · Expiration Date: The expiration date that is set by the issuing Certificate Authority (CA). Certificate Type: The Public Key Infrastructure (PKI) certificate format. Public Key Type: The standard to which the public key complies. Your device supports Rivest Shamir Adleman (RSA), Digital Signature Algorithm (DSA), Diffie-Hellman (DH), and Elliptic Curve Cryptography (ECC) keys. Subject: Detailed information about the certificate subject. Issuer: Detailed information about the certificate issuer. Serial Number: The certificate serial number in hexidecimal format. Key Usage: Approved uses for the key. Subject Alt Name: The email address for the certificate, if known. SHA1 Thumbprint: The Secure Hash Algorithm, Version 1 (SHA1) digital thumbprint of the certificate. Check the status of a certificate or certificate chain 1. In the device options, click Security Options. 2. Click Certificates. 3. Highlight a certificate. 4. Press the Menu key. 5. Perform one of the following actions: · · To verify the status of the certificate, click Fetch Status. To verify the status of the certificate and all other certificates in the chain, click Fetch Chain Status. · · · · · · Related topics About the key store (See page 13.) Download a certificate (See page 8.) 9 User Guide Supplement Set a certificate to trusted 1. In the device options, click Security Options. 2. Click Certificates. 3. Highlight an untrusted certificate. 4. Press the Menu key. 5. Click Trust. 6. If the certificate is not a root certificate, a prompt appears. Perform one of the following actions: · · To trust only the highlighted certificate, click Selected Certificate. To trust the entire certificate chain by trusting the root certificate, click Entire Chain. 5. Click Send via Email or Send via PIN. Note: When you send a certificate, only the public key is sent and not the private key. Related topics Attach a certificate to a message (See page 24.) Import a certificate from a message (See page 21.) Add an email address association to a certificate 1. In the device options, click Security Options. 2. Click Certificates. 3. Highlight a certificate belonging to another person. 4. Press the Menu key. 5. Click Associate Addresses. 6. Click the trackball. 7. Click Add Address. 8. Click [Use Once]. 9. Type an email address. 10. Click the trackball. 11. Press the Menu key. 12. Click Save. To remove the associated address, click the address. Click Delete Address. Related topics About the key store (See page 13.) Filter certificates (See page 8.) Related topics About certificates (See page 7.) About certificate icons (See page 7.) Set a certificate to not trusted (See page 10.) Set a certificate to not trusted 1. In the device options, click Security Options. 2. Click Certificates. 3. Highlight a trusted certificate. 4. Press the Menu key. 5. Click Distrust. Related topic About certificates (See page 7.) About certificate icons (See page 7.) Send a certificate to a contact 1. In the device options, click Security Options. 2. Click Certificates. 3. Highlight a certificate. 4. Press the Menu key. Set options for checking the status of a certificate 1. In the device options, click Security Options. 10 2: Certificates 2. Click Certificates. 3. Press the Menu key. 4. Click Fetch Certificates. 5. Press the Menu key. 6. Click Options. 7. Perform one of the following actions: · To always download the status of a certificate when you add it to the key store, set the Fetch Status field to Yes. To be prompted to download the status of a certificate when you add it to the key store, set the Fetch Status field to Prompt. To never download the status of a certificate when you add it to the key store, set the Fetch Status field to No. 8. Press the Menu key. 9. Click Save. Related topics Change the display name for a certificate (See page 11.) Add a contact when adding a certificate to the key store (See page 12.) · Change the display name for a certificate 1. In the device options, click Security Options. 2. Click Certificates. 3. Highlight a certificate. 4. Press the Menu key. 5. Click Change Label. 6. Type a new certificate label. 7. Click OK. Related topic Use the common name when adding a certificate to the key store (See page 11.) · 8. Press the Menu key. 9. Click Save. Related topics About the key store (See page 13.) Check the status of a certificate or certificate chain (See page 9.) Use the common name when adding a certificate to the key store The common name is the name set for the key when it is generated. You can use the common name as a label for the key on your BlackBerry® device or you can set the label to one that has more meaning to you. 1. In the device options, click Security Options. 2. Click Certificates. 3. Press the Menu key. 4. Click Fetch Certificates. 5. Press the Menu key. 6. Click Options. 7. Set the Prompt for Label field to No. Change the security level for a private key 1. In the device options, click Security Options. 2. Click Certificates. 3. Highlight a personal certificate. 4. Press the Menu key. 5. Click Change Security Level. 6. To change the security level, press the Space key. 7. Click OK. 11 User Guide Supplement Revoke a certificate If you revoke a certificate, the certificate is revoked only in the key store on your BlackBerry® device and is not communicated back to the Certificate Authority (CA) or Certificate Revocation List (CRL) servers. 1. In the device options, click Security Options. 2. Click Certificates. 3. Highlight a certificate. 4. Press the Menu key. 5. Click Revoke. 6. Click Yes. 7. Press the Space key to set the Reason field to the appropriate revocation reason. 8. Click OK. If you set the Reason field to Certificate Hold, to reinstate the certificate, highlight the certificate. Press the Menu key. Click Cancel Hold. Related topics Revocation reasons (See page 12.) About the key store (See page 13.) Set a certificate to not trusted (See page 10.) Delete a certificate (See page 12.) · · · Cessation of Operation: The certificate is no longer required. Certificate Hold: The certificate is temporarily revoked. Removed from CRL: The revoked certificate is removed from the Certificate Revocation List (CRL). Related topic Revoke a certificate (See page 12.) Delete a certificate 1. In the device options, click Security Options. 2. Click Certificates. 3. Highlight a certificate. 4. Press the Menu key. 5. Click Delete. Related topics Revoke a certificate (See page 12.) Set a certificate to not trusted (See page 10.) Add a contact when adding a certificate to the key store You can add new contacts from certificates to your address book automatically when you add a certificate to the BlackBerry® device key store. 1. In the device options, click Security Options. 2. Click Key Stores. 3. Set the Key Store Address Injector field to Enabled. 4. Press the Menu key. 5. Click Save. Related topic About the key store (See page 13.) Revocation reasons · · Unknown: The reason is unspecified. Key Compromise: A person who is not the key subject might have discovered the private key value. CA Compromise: The issuing private key of the Certificate Authority (CA) might have been revealed. Change in Affiliation: The person no longer works for the organization. Superseded: A new certificate is replacing an existing certificate. · · · 12 2: Certificates Set the service used to download certificates Verify that your system administrator has provided you with the service record for the BlackBerry Mobile Data SystemTM (BlackBerry MDSTM) Connection Service that your BlackBerry® device uses to download certificates. 1. In the device options, click Security Options. 2. Click Key Stores. 3. Set the Certificate Service field to the correct service record. 4. Press the Menu key. 5. Click Save. Related topic Download a certificate (See page 8.) · · personal certificates (certificate and private key pairs) certificates downloaded from the certificate synchronization tool of the BlackBerry Desktop Manager certificates downloaded from an Lightweight Directory Access Protocol (LDAP) server certificates imported from a message root certificates bundled with the BlackBerry Desktop Software · · · The key store is protected by a key store password. Your device might prompt you to set the key store password the first time that you open the key store. You might need to type this password when adding items to or deleting items from the key store, or when an application tries to access your private key to sign or decrypt a message. Related topic Download a certificate (See page 8.) Reject CRLs from unverified certificate servers If you reject Certificate Revocation Lists (CRLs) from unverified certificate servers, your BlackBerry® device will not accept certificate status results from CRLs that cannot be verified by the BlackBerry Mobile Data SystemTM (BlackBerry MDSTM) Connection Service. 1. In the device options, click Security Options. 2. Click Key Stores. 3. Set the Accept Unverified CRLs field to No. 4. Press the Menu key. 5. Click Save. Related topic Set the service used to download certificates (See page 13.) Change the key store password 1. In the device options, click Security Options. 2. Click Key Stores. 3. Press the Menu key. 4. Click Change Password. Related topics About the key store (See page 13.) Set how long your key store password is remembered (See page 13.) Set how long your key store password is remembered After a password timeout occurs, you must type your password to access private keys. 1. In the device options, click Security Options. About the key store The key store on your BlackBerry® device stores the following items: 13 User Guide Supplement 2. Click Key Stores. 3. Set the Private Key Password Timeout field. 4. Press the Menu key. 5. Click Save. Related topics About the key store (See page 13.) Change the key store password (See page 13.) Do not back up or restore items in the key store The Allow Key Store Backup/Restore field determines whether items in the key store are backed up or restored when your BlackBerry® device is backed up or restored. Although the keys are encrypted on your computer, you might want to set this field to No if you do not want your private key backed up to your computer for security reasons. 1. In the device options, click Security Options. 2. Click Key Stores. 3. Set the Allow Key Store Backup/Restore field to No. 4. Press the Menu key. 5. Click Save. Related topic About the key store (See page 13.) Set how frequently the revocation status is refreshed When your BlackBerry® device stores a certificate longer than the time limit specified in the Certificate Status Expires field, your device should download a new revocation status automatically the next time your device uses the certificate. 1. In the device options, click Security Options. 2. Click Key Stores. 3. Set the Certificate Status Expires After field to the length of time that a revocation status is stored before your device considers the status to be stale. 4. Press the Menu key. 5. Click Save. Related topic Check the status of a certificate or certificate chain (See page 9.) Shortcuts for filtering certificates To view all certificates, press the Alt key and Question Mark (?). To view Certificate Authority (CA) certificates, press the Alt key and 7. To view end entity certificates (for example, personal certificates and other people's certificates), press the Alt key and 3. To view personal certificates that contain private keys, press the Alt key and 9. To view other people's certificates, press the Alt key and Period (.). To view root certificates, press the Alt key and 1. Shortcuts for viewing certificate information To view the certificate label, press the Space key. To view certificate information, press the Enter key. 14 2: Certificates To view the security level of a certificate, press the Alt key and L. To view the serial number for a certificate, press the Alt key and 8. Certificate troubleshooting I cannot download a certificate I cannot download a certificate If you changed the connection type that your BlackBerry® device uses to connect to the LDAP certificate server, try using the default connection type. 15 User Guide Supplement 16 3 Certificate servers About certificate servers Add a certificate server LDAP certificate server options OCSP or CRL certificate server options Change certificate server information Delete a certificate server Send certificate server information to a contact 6. Type the appropriate information for the server. 7. Press the Menu key. 8. Click Save. Related topics LDAP certificate server options (See page 17.) OCSP or CRL certificate server options (See page 18.) LDAP certificate server options About certificate servers Your BlackBerry® device uses Lightweight Directory Access Protocol (LDAP) servers to search for and download certificates. Your device uses Online Certificate Status Protocol (OCSP) servers to check the certificate revocation status of a certificate on demand. Your device uses Certificate Revocation List (CRL) servers to check the most recently published certificate revocation status for a certificate. Certificate authorities (CAs) publish Certificate revocation lists (CRLs) on CRL servers. Related topic Add a certificate server (See page 17.) · · · · Friendly Name: Type the common name that is associated with the server. Server Name: Type the network address of the server. Base Query: Type the base query information as it is configured in your LDAP server. Content appears in X.509 distinguished name (DN) syntax (for example, o=test.rim.net). Port: Type the port number as it is configured on your organization's network. The default port number is 389. Authentication Type: Set whether you require authentication credentials to connect to the server. Connection Type: Set whether your BlackBerry® device uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to connect to the server. · · Add a certificate server 1. In the device options, click Security Options. 2. Click Certificate Servers. 3. Press the Menu key. 4. Click New Server. 5. Set the Server Type field. Related topic Add a certificate server (See page 17.) User Guide Supplement OCSP or CRL certificate server options · · Friendly Name: Type a name for the server. Server URL: Type the web address of the server. Send certificate server information to a contact 1. In the device options, click Security Options. 2. Click Certificate Servers. 3. Highlight a server. 4. Press the Menu key. 5. Click Email Server or PIN Server. Related topic Add a certificate server (See page 17.) Change certificate server information 1. In the device options, click Security Options. 2. Click Certificate Servers. 3. Highlight a server. 4. Press the Menu key. 5. Click Edit. 6. Change the appropriate fields. 7. Press the Menu key. 8. Click Save. Related topics LDAP certificate server options (See page 17.) OCSP or CRL certificate server options (See page 18.) Related topics Send a certificate to a contact (See page 10.) Attach a certificate to a message (See page 24.) Delete a certificate server 1. In the device options, click Security Options. 2. Click Certificate Servers. 3. Highlight a server. 4. Press the Menu key. 5. Click Delete. 6. Click Yes. Related topic Change certificate server information (See page 18.) 18 4 S/MIME messages About digital signatures and encryption About encryption icons About signature icons About message classifications View the certificate used to encrypt a message View information about weakly encrypted messages Check the status of a certificate or certificate chain Download a sender's certificate Import a certificate from a message Import a certificate from an attachment Import certificate server information from a message Forward or reply to an S/MIME message Digitally sign or encrypt an email message Digitally sign or encrypt a PIN message Send an S/MIME message using a different certificate Send an S/MIME message without including a certificate Protect an S/MIME message in the sent items folder View an attachment in a signed message Search the message list Attach a certificate to a message Display small status icons for S/MIME messages Select your default S/MIME signing certificate Select your default S/MIME encryption certificate Select encryption algorithms for S/MIME messages Request signed receipts for S/MIME messages Related topics About encryption icons (See page 20.) About signature icons (See page 20.) Set the default security options that you use to send messages Set the default message classification that you use to send messages Turn off the prompt that appears when you use an S/MIME certificate that is not recommended for use Turn off the prompt that appears before a message is truncated S/MIME message troubleshooting About digital signatures and encryption You can digitally sign a message to help the recipient verify the authenticity and integrity of the message. When you digitally sign a message using your private key, the recipient uses your public key to verify that you sent the message and not someone who was pretending to be you, and that no one has changed the message before it arrived. You can encrypt a message to keep the message confidential. When you encrypt a message, your BlackBerry® device uses the recipient's public key to encrypt the message. Only the recipient's private key can decrypt the message and the recipient knows that no one else read the message. User Guide Supplement About encryption icons When you open an encrypted message, a lock icon represents the encryption status. Your system administrator sets an IT Policy that determines whether the encryption algorithm that the message uses is considered to be strong or weak. · · Lock: The message is strongly encrypted. Lock with a question mark: The message is weakly encrypted. Related topic About encryption icons (See page 20.) About message classifications If your BlackBerry® device is integrated with an account that uses BlackBerry Enterprise Server Version 4.1.2 or later and your system administrator turns on message classifications, the BlackBerry Enterprise Server applies a minimum set of security actions to each message that you compose, forward, or reply to, based on the classification that you assign to the message. Your system administrator configures the set of message classifications that you can use. If you receive a message that uses message classifications, your can view the abbreviated classification in the subject line of the message and the full description of the classification in the body of the message. The abbreviated classification and description also appear in messages in your Sent Items folder. Related topic Digitally sign or encrypt an email message (See page 22.) Related topic About signature icons (See page 20.) About signature icons When you open a digitally signed message, a ribbon icon represents the verification status of the digital signature. · · · Ribbon with a check mark: Your BlackBerry® device verified the digital signature. Ribbon with an X: Your device could not verify the digital signature. Ribbon with a question mark: Your device requires more data to verify the digital signature. The icon after the ribbon icon represents the status of the certificate chain for the sender's certificate. · · Certificate with a check mark: The certificate chain is trusted. X: The sender's certificate cannot be found on your device, is revoked, is not trusted, or cannot be verified, or that the sender's email address does not match the certificate subject email address in the certificate. Question mark: Your device requires more data to verify the trust status, the certificate is weak, or the certificate status is considered to be stale. Clock: The sender's certificate has expired. View the certificate used to encrypt a message 1. In an open S/MIME message, highlight the encryption icon. 2. Press the Menu key. 3. Click Display Encryption Certificate. Related topic Find certificate information (See page 8.) · · 20 4: S/MIME messages View information about weakly encrypted messages 1. In an open S/MIME message, highlight the encryption icon. 2. Press the Menu key. 3. Click Encryption Details. Note: The BlackBerry® Enterprise Server might re-encrypt messages that are sent with a weak encryption algorithm or with a digital signature only. Related topic About encryption icons (See page 20.) Download a sender's certificate 1. In an open S/MIME message, highlight the digital signature or trust status icon. 2. Press the Menu key. 3. Click Fetch Sender's Certificate. Note: The Fetch Sender's Certificate menu item appears only if the sender's certificate is not included in your BlackBerry® device key store or the sender's message. Related topic Download a certificate (See page 8.) Import a certificate from a message Check the status of a certificate or certificate chain 1. In an open S/MIME message, highlight the digital signature or trust status icon. 2. Press the Menu key. 3. Perform one of the following actions: · · To verify the status of the sender's certificate, click Check Sender's Certificate. To verify the status of the sender's certificate and all other certificates in the certificate chain, click Check Sender's Cert Chain. 1. In an open S/MIME message, highlight the digital signature or trust status icon. 2. Press the Menu key. 3. Click Import Sender's certificate. 4. Type your key store password. 5. Click OK. 6. Type a certificate label. 7. Click OK. Related topics Download a sender's certificate (See page 21.) Download a certificate (See page 8.) Note: The Check Sender's Certificate and Check Sender's Cert Chain menu items appear only if the sender's certificate is included in the message or is stored in your BlackBerry® device key store. Related topic Check the status of a certificate or certificate chain (See page 9.) Import a certificate from an attachment 1. In an open message, click the certificate attachment icon. 2. Click Retrieve Certificate Attachment. 3. Click the certificate. 4. Click Import Certificate. 21 User Guide Supplement Related topics Download a sender's certificate (See page 21.) Download a certificate (See page 8.) 2. If required, set the Classification field. Related topics Select your default S/MIME signing certificate (See page 24.) Select your default S/MIME encryption certificate (See page 24.) Select encryption algorithms for S/MIME messages (See page 25.) I cannot see all signing or encryption options (See page 26.) Import certificate server information from a message 1. In an open S/MIME message, highlight an S/MIME server icon. 2. Press the Menu key. 3. Click Import Server. Related topic Add a certificate server (See page 17.) Digitally sign or encrypt a PIN message In an unsent message, perform one of the following actions: · · · To attach a digital signature, set the Encoding field to Sign. To encrypt the message, set the Encoding field to Encrypt. To attach a digital signature and encrypt the message, set the Encoding field to Sign and Encrypt. Forward or reply to an S/MIME message 1. In an open message, click the trackball. 2. Click Forward or Reply. Related topic Digitally sign or encrypt an email message (See page 22.) I cannot see all signing or encryption options (See page 26.) Digitally sign or encrypt an email message 1. In an unsent message, perform one of the following actions: · · · To attach a digital signature, set the Encoding field to Sign. To encrypt the message, set the Encoding field to Encrypt. To attach a digital signature and encrypt the message, set the Encoding field to Sign and Encrypt. Note: To send an encrypted PIN message, the recipient must appear in your contact list with an associated personal identification number (PIN) and email address. Your BlackBerry® device uses the email address in your contact list to locate a certificate for the recipient. Related topics Select your default S/MIME signing certificate (See page 24.) Select your default S/MIME encryption certificate (See page 24.) Select encryption algorithms for S/MIME messages (See page 25.) 22 4: S/MIME messages I cannot see all signing or encryption options (See page 26.) Related topic Send an S/MIME message using a different certificate (See page 23.) Send an S/MIME message using a different certificate 1. In an unsent message, set the Encoding field to one that uses a digital signature or encryption. 2. Press the Menu key. 3. Click Options. 4. Select a different certificate to sign or encrypt the message. 5. Press the Menu key. 6. Click Save. Your BlackBerry® device uses the selected certificate only for the current message. Related topics Send an S/MIME message without including a certificate (See page 23.) Select your default S/MIME signing certificate (See page 24.) Select your default S/MIME encryption certificate (See page 24.) Protect an S/MIME message in the sent items folder If you protect a message, when you send the message your BlackBerry® device encrypts the message using the recipient's certificate but not your certificate. You cannot read protected messages on your device. 1. In an unsent message, set the Encoding field to one that uses encryption. 2. Press the Menu key. 3. Click Options. 4. Under Encryption Options, set the Certificate field to None. 5. Press the Menu key. 6. Click Save. Related topic Digitally sign or encrypt an email message (See page 22.) Send an S/MIME message without including a certificate 1. In an unsent message, set the Encoding field to one that uses a digital signature. 2. Press the Menu key. 3. Click Options. 4. Under Signing Options, set the Include Certificate field to No. 5. Press the Menu key. 6. Click Save. View an attachment in a signed message In an open message, click the attachment. Related topic Import a certificate from an attachment (See page 21.) Search the message list 1. In a message list, press the Menu key. 2. Click Search. 3. Set the search criteria. 4. Perform one of the following actions: 23 User Guide Supplement · To search only plain text and signed messages, set the Include Encrypted Messages field to No. To search plain text, signed, and encrypted messages, set the Include Encrypted Messages field to Yes. Related topics About encryption icons (See page 20.) About signature icons (See page 20.) · 5. Click the trackball. 6. Click Search. Note: If you set the Include Encrypted Messages field to Yes and the security level for your private key is set to medium or high, your BlackBerry® device might prompt you to type your key store password before search results appear. Related topic Set how long your key store password is remembered (See page 22.) Select your default S/MIME signing certificate 1. In the device options, click Security Options. 2. Click S/MIME. 3. In the Signing Options section, set the Certificate field. 4. Press the Menu key. 5. Click Save. Related topic Send an S/MIME message using a different certificate (See page 23.) Attach a certificate to a message 1. In an unsent message, press the Menu key. 2. Click Attach Certificates. 3. Highlight a certificate. 4. Press the Menu key. 5. Click Continue. Related topic Send a certificate to a contact (See page 10.) Select your default S/MIME encryption certificate Your BlackBerry® device uses your preferred certificate to encrypt messages in the sent items folder and includes your preferred certificate with Secure Multipurpose Internet Mail Extensions (S/MIME) messages so recipients can encrypt their responses. 1. In the device options, click Security Options. 2. Click S/MIME. 3. In the Encryption Options section, set the Certificates field. 4. Press the Menu key. 5. Click Save. Related topic Send an S/MIME message using a different certificate (See page 23.) Display small status icons for S/MIME messages 1. In the device options, click Security Options. 2. Click S/MIME. 3. Set the Message Viewer Icons field to Small. 4. Press the Menu key. 5. Click Save. 24 4: S/MIME messages Select encryption algorithms for S/MIME messages If a message has multiple recipients, your BlackBerry® device uses the first selected content cipher that all recipients are known to support. 1. In the device options, click Security Options. 2. Click S/MIME. 3. Select all content ciphers that you want available for encrypting messages. 4. Press the Menu key. 5. Click Save. Related topic Digitally sign or encrypt an email message (See page 22.) 4. Press the Menu key. 5. Click Save. Related topic About digital signatures and encryption (See page 19.) Set the default message classification that you use to send messages Verify that your system administrator has set up message classifications. Your BlackBerry® device uses the default message classification for contacts to whom you have not previously sent a message. 1. In the device options, click Advanced Options. 2. Click Message Services. Request signed receipts for S/MIME messages 1. In the device options, click Security Options. 2. Click S/MIME. 3. Set the Request S/MIME Receipts field to Yes. 4. Press the Menu key. 5. Click Save. Related topic Digitally sign or encrypt an email message (See page 22.) 3. Set the Default Classification field. 4. Press the Menu key. 5. Click Save. Related topic About message classifications (See page 20.) Turn off the prompt that appears when you use an S/MIME certificate that is not recommended for use By default, a prompt appears when you try to send a message using a certificate that is not recommended for use (for example, a weak or expired certificate). 1. In the device options, click Security Options. 2. Click S/MIME. 3. Set the Warn about problems with my certificates field to No. 4. Press the Menu key. 5. Click Save. Set the default security options that you use to send messages Your BlackBerry® device uses the default encoding for contacts to whom you have not previously sent a message. 1. In the device options, click Advanced Options. 2. Click Message Services. 3. Set the Default Encoding field. 25 User Guide Supplement To receive a prompt again, set the Warn about problems with my certificates field to Yes. Turn off the prompt that appears before a message is truncated 1. In the device options, click Security Options. 2. Click S/MIME. 3. Set the Warn about truncated messages field to No. 4. Press the Menu key. 5. Click Save. To receive a prompt again, set the Warn about truncated messages field to Yes. S/MIME message troubleshooting I cannot see all signing or encryption options I cannot see all signing or encryption options Try performing one of the following actions: · Verify that the current message classification supports the signing or encryption options that you want. Try using a different message classification. Verify that your message service is configured to support all signing and encryption options. · Related topic About message classifications (See page 20.) 26 5 Smart cards About smart cards Two-factor authentication prerequisites Turn on two-factor authentication Unlock your BlackBerry device when two-factor authentication is turned on Connect your BlackBerry device to the BlackBerry Smart Card Reader Import a certificate from a smart card Set the length of time without a connection before the BlackBerry Smart Card Reader turns off Set the activity level of the BlackBerry Smart Card Reader Set the Bluetooth range for the BlackBerry Smart Card Reader Set when the Bluetooth connection stops Set options to clear secure pairing information for the BlackBerry Smart Card Reader Using a smart card reader, you can download certificates from your smart card to your device, use a smart card certificate to authenticate with your device, and send Secure Multipurpose Internet Mail Extensions (S/MIME) messages with your smart card certificates. If you use a smart card certificate to authenticate with your device, after you connect the smart card reader to your device, your device sends an authentication request to the smart card each time that you unlock your device. Related topics Import a certificate from a smart card (See page 28.) Turn on two-factor authentication (See page 27.) Two-factor authentication prerequisites · · Verify that you have set a BlackBerry® device password. Verify that you know the smart card password. You should have received this password when you received your smart card. About smart cards Certificates and private keys are stored on smart cards. You can import certificates to your BlackBerry® device key store, but private keys can be stored only on smart cards. As a result, private key operations such as signing and decryption use the smart card, and public key operations such as verification and encryption use the public certificates on your device . Related topic Turn on two-factor authentication (See page 27.) Turn on two-factor authentication 1. In the device options, click Security Options. 2. Click General Settings. 3. Set the User Authenticator field to Enabled. 4. Press the Menu key. User Guide Supplement 5. Click Save. Related topics Two-factor authentication prerequisites (See page 27.) Unlock your BlackBerry device when two-factor authentication is turned on (See page 28.) Set the Bluetooth range for the BlackBerry Smart Card Reader (See page 29.) 6. Click Connect. To disconnect your BlackBerry device from the BlackBerry Smart Card Reader, press the Menu key. Click Disconnect. Related topic Set the length of time without a connection before the BlackBerry Smart Card Reader turns off (See page 28.) Unlock your BlackBerry device when two-factor authentication is turned on Verify that you know the smart card password. You should have received this password when you received your smart card. 1. On your BlackBerry® device, on the Lock screen, click the trackball. Import a certificate from a smart card 1. In the BlackBerry® device options, click Security Options. 2. Click S/MIME. 3. Press the Menu key. 4. Click Import Smart Card Certs. 5. Select a certificate. 6. Click OK. 7. Type your key store password. 8. Click OK. Note: To import a certificate, you must have a Public Key Infrastructure (PKI) system license for the certificate. Related topic About smart cards (See page 27.) 2. Click Unlock. 3. Type your BlackBerry device password. 4. Press the Enter key. 5. Type the authentication password for the smart card. 6. Press the Enter key. Related topic Turn on two-factor authentication (See page 27.) Connect your BlackBerry device to the BlackBerry Smart Card Reader 1. In the BlackBerry® device options, click Security Options. 2. Click Smart Card. 3. In the Registered Reader Drivers section, click BlackBerry. 4. Click Driver Settings. 5. Press the Menu key. Set the length of time without a connection before the BlackBerry Smart Card Reader turns off Verify that you have connected your BlackBerry® device to the BlackBerry Smart Card Reader. You might want to set the Power Off Timeout field to a shorter time period to save battery power. 1. In the BlackBerry device options, click Security Options. 2. Click Smart Card. 28 5: Smart cards 3. In the Registered Reader Drivers section, click BlackBerry. 4. Click Driver Settings. 5. In the Reader Settings section, set the Power Off Timeout field to specify the period of time without a Bluetooth® connection that passes before the BlackBerry Smart Card Reader turns off. 6. Press the Menu key. 7. Click Save. Related topic Set when the Bluetooth connection stops (See page 30.) · when connected BlackBerry devices or computers are unlocked, select Partial. To set the BlackBerry Smart Card Reader to the highest activity level so that it is always active, select Disabled. 6. Press the Menu key. 7. Click Save. Set the Bluetooth range for the BlackBerry Smart Card Reader Verify that you have connected your BlackBerry® device to the BlackBerry Smart Card Reader. If you use two-factor authentication, you might want to set Bluetooth® technology on the BlackBerry Smart Card Reader to a shorter range to make sure that your BlackBerry device locks quickly when the BlackBerry Smart Card Reader is out of range. If you change the Bluetooth Range field, the Bluetooth connection closes and you must reconnect your BlackBerry device to the BlackBerry Smart Card Reader. 1. In the BlackBerry device options, click Security Options. Set the activity level of the BlackBerry Smart Card Reader Verify that you have connected your BlackBerry® device to the BlackBerry Smart Card Reader. Setting the BlackBerry Smart Card Reader to a higher activity level improves the performance of operations but uses more battery power than lower activity levels. 1. In the BlackBerry device options, click Security Options. 2. Click Smart Card. 3. In the Registered Reader Drivers section, click BlackBerry. 4. Click Driver Settings. 5. In the Reader Settings section, set the Bluetooth Range field to specify the range for Bluetooth technology on the BlackBerry Smart Card Reader. For example, to set the Bluetooth technology to the shortest range, set the Bluetooth Range field to 30%. 6. Press the Menu key. 7. Click Save. 2. Click Smart Card. 3. In the Registered Reader Drivers section, click BlackBerry. 4. Click Driver Settings. 5. In the Reader Settings section, perform one of the following actions: · To set the BlackBerry Smart Card Reader to the lowest activity level so that it is active only when performing smart card operations such as importing certificates, signing email messages, or encrypting email messages, set the Power Saving Mode field to Full. To set the BlackBerry Smart Card Reader to a medium activity level so that it is active only · 29 User Guide Supplement Note: The physical range for Bluetooth technology on the BlackBerry Smart Card Reader might vary depending on the environment in which the BlackBerry Smart Card Reader is used. Related topic Set when the Bluetooth connection stops (See page 30.) 3. In the Registered Reader Drivers section, click BlackBerry. 4. Click Driver Settings. 5. In the Erase Key After section, perform one or more of the following actions: · Set the Disconnected Timeout field to the period of time after a Bluetooth® connection closes that passes before your BlackBerry device and your BlackBerry Smart Card Reader should clear secure pairing information. Set the Erase ALL keys field to specify whether your BlackBerry device clears secure pairing keys for paired computers when the Disconnected Timeout occurs. Set the Long Term Timeout field to the period of time that passes before your BlackBerry device and your BlackBerry Smart Card Reader should clear secure pairing information. Set the Inactivity Timeout field to the period of time with no secure Bluetooth traffic between your BlackBerry device and your BlackBerry Smart Card Reader that passes before your BlackBerry device and your BlackBerry Smart Card Reader should clear secure pairing information. Set the Card Not Present Timeout field to the period of time after the smart card is removed from your BlackBerry Smart Card reader that passes before your BlackBerry device and your BlackBerry Smart Card Reader should clear secure pairing information. Set the Number Of Transactions field to specify the number of transactions that occur before your BlackBerry device and your BlackBerry Smart Card Reader should clear secure pairing information. Set when the Bluetooth connection stops Each period, your BlackBerry® device sends a signal (heartbeat) that the BlackBerry Smart Card Reader acknowledges. If either your BlackBerry device or the BlackBerry Smart Card Reader misses the heartbeat or response, the Bluetooth® connection closes. 1. In the BlackBerry device options, click Security Options. · · 2. Click Smart Card. 3. In the Registered Reader Drivers section, click BlackBerry. 4. Click Driver Settings. 5. In the Reader Settings section, set the Connection Heartbeat Period field. 6. Press the Menu key. 7. Click Save. Related topic Set the Bluetooth range for the BlackBerry Smart Card Reader (See page 29.) · · · Set options to clear secure pairing information for the BlackBerry Smart Card Reader 1. In the BlackBerry device options, click Security Options. 2. Click Smart Card. 30 6. Press the Menu key. 7. Click Save. 5: Smart cards If your BlackBerry® device and BlackBerry Smart Card Reader clear the secure pairing information, you must reconnect to the BlackBerry Smart Card Reader before you can access the smart card again. Related topics Set the Bluetooth range for the BlackBerry Smart Card Reader (See page 29.) Set when the Bluetooth connection stops (See page 30.) 31 User Guide Supplement 32 6 Legal notice ©2007 Research In Motion Limited. All Rights Reserved. The BlackBerry and RIM families of related marks, images, and symbols are the exclusive properties of Research In Motion Limited. RIM, Research In Motion, BlackBerry, "Always On, Always Connected" and the "envelope in motion" symbol are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries. The Bluetooth work mark and logos are owned by the Bluetooth SIG, Inc. and any use of such marks by Research In Motion is under license. Entrust, Entrust Entelligence, and Entrust Authority are either registered trademarks or trademarks of Entrust, Inc. in the United States and certain countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other brands, product names, company names, trademarks and service marks are the properties of their respective owners. The BlackBerry device, the BlackBerry Smart Card Reader and/or associated software are protected by copyright, international treaties, and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428; D433,460; D416,256. Other patents are registered or pending in various countries around the world. Visit www.rim.com/patents for a list of RIM [as hereinafter defined] patents. This document is provided "as is" and Research In Motion Limited and its affiliated companies ("RIM") assume no responsibility for any typographical, technical, or other inaccuracies in this document. In order to protect RIM proprietary and confidential information and/or trade secrets, this document may describe some aspects of RIM technology in generalized terms. RIM reserves the right to periodically change information that is contained in this document; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this document to you in a timely manner or at all. RIM MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS, OR COVENANTS, EITHER EXPRESS OR IMPLIED (INCLUDING WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, MERCHANTABILITY, DURABILITY, TITLE, OR RELATED TO THE PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE REFERENCED HEREIN OR PERFORMANCE OF ANY SERVICES REFERENCED HEREIN). IN CONNECTION WITH YOUR USE OF THIS DOCUMENTATION, NEITHER RIM NOR ITS RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, OR CONSULTANTS SHALL BE LIABLE TO YOU FOR ANY DAMAGES WHATSOEVER BE THEY DIRECT, ECONOMIC, COMMERCIAL, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR INDIRECT DAMAGES, EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING WITHOUT LIMITATION, LOSS OF BUSINESS REVENUE OR EARNINGS, LOST DATA, DAMAGES CAUSED BY DELAYS, LOST PROFITS, OR A FAILURE TO REALIZE EXPECTED SAVINGS. This document might contain references to third-party sources of information, hardware or software, products or services and/or third-party web sites (collectively the "Third-Party Information"). RIM does not control, and is not responsible for, any Third-Party Information, including, without limitation the content, accuracy, copyright compliance, compatibility, performance, User Guide Supplement trustworthiness, legality, decency, links, or any other aspect of Third-Party Information. The inclusion of Third-Party Information in this document does not imply endorsement by RIM of the Third-Party Information or the third-party in any way. Installation and use of Third-Party Information with RIM's products and services may require one or more patent, trademark, or copyright licenses in order to avoid infringement of the intellectual property rights of others. Any dealings with Third-Party Information, including, without limitation, compliance with applicable licenses and terms and conditions, are solely between you and the third-party. You are solely responsible for determining whether such third-party licenses are required and are responsible for acquiring any such licenses relating to Third-Party Information. To the extent that such intellectual property licenses may be required, RIM expressly recommends that you do not install or use Third-Party Information until all such applicable licenses have been acquired by you or on your behalf. Your use of Third-Party Information shall be governed by and subject to you agreeing to the terms of the Third-Party Information licenses. Any Third-Party Information that is provided with RIM's products and services is provided "as is". RIM makes no representation, warranty or guarantee whatsoever in relation to the Third-Party Information and RIM assumes no liability whatsoever in relation to the Third-Party Information even if RIM has been advised of the possibility of such damages or can anticipate such damages. Research In Motion Limited 295 Phillip Street Waterloo, ON N2L 3W8 Canada Research In Motion UK Limited 200 Bath Road Slough, Berkshire SL1 3XE United Kingdom Published in Canada 34