- Unlocking after application cold startup
- Idle unlock
- Unlocking when restoring from the background
Once one app has renewed the certificate, the GC server informs all other applications on the
device that a new certificate is present. Those applications fetch the renewed certificate
locally when they are next started or unlocked. The auth delegate app is given preference and
enters the renewal time window three days earlier than other apps.
An admin can force renewal for a user certificate or for all users via a manual action from the console.
2.5.2 Handling Error Conditions
- On a temporary error (such as the PKI Connector or GC server not being reachable), the
  BlackBerry Dynamics runtime will try to renew again every hour.
- On an unknown or unexpected error, the BlackBerry Dynamics runtime will try again in
  twenty-four hours.
- Renew attempts stop when the user certificate expires. No UI is provided to the user.
  - The user is informed about the expired certificate when they unlock the application.
    The user is then prompted with the new certificate enrollment flow.
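The retry rules above, replayed as a small simulation (an added example, not BlackBerry code). The window length `window_days`, the outcome labels, and the premise that the app stays running so retries fire on schedule are assumptions not taken from this page.

```python
from datetime import datetime, timedelta

# Delays stated on this page.
TEMPORARY_RETRY = timedelta(hours=1)     # temporary error: retry every hour
UNEXPECTED_RETRY = timedelta(hours=24)   # unknown/unexpected error: retry in 24 h
AUTH_DELEGATE_LEAD = timedelta(days=3)   # auth delegate enters the window 3 days early


def window_start(not_after, window_days, auth_delegate=False):
    """Earliest renew attempt. window_days is an assumed parameter; the
    window length is not given on this page."""
    start = not_after - timedelta(days=window_days)
    return start - AUTH_DELEGATE_LEAD if auth_delegate else start


def outage(start, end, kind):
    """Constructed backend model: fails with `kind` in [start, end), else succeeds."""
    return lambda t: kind if start <= t < end else "ok"


def simulate(not_after, first_attempt, outcome_at):
    """Replay renew attempts until success or certificate expiry.

    outcome_at(t) returns "ok", "temporary" or "unexpected" (labels are
    assumptions). Returns (renewed_at or None, [(time, outcome), ...])."""
    attempts, t = [], first_attempt
    while t < not_after:                 # no attempts once the certificate has expired
        outcome = outcome_at(t)
        attempts.append((t, outcome))
        if outcome == "ok":
            return t, attempts
        t += TEMPORARY_RETRY if outcome == "temporary" else UNEXPECTED_RETRY
    return None, attempts


if __name__ == "__main__":
    expiry = datetime(2025, 6, 30)       # constructed sample expiry
    late = expiry - timedelta(hours=12)  # first attempt 12 h before expiry
    blip = late + timedelta(minutes=1)   # one-minute backend failure
    for kind in ("temporary", "unexpected"):
        renewed_at, tries = simulate(expiry, late, outage(late, blip, kind))
        print(kind, "->", renewed_at or "expired unrenewed", f"({len(tries)} attempts)")
```

Under these rules a single unexpected error less than twenty-four hours before expiry leaves no further attempt, while a temporary error at the same moment is retried within the hour.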
2.5.3 Renew Protocol Flow
1. The BlackBerry Dynamics runtime sends a renewal request to the PKI Connector. This request
is a CMS SignedData object, signed with the user’s current private key, containing a PKCS#10
payload (see the format in the getUserKeyPair2 section).
2. The PKI Connector must implement the following interface:
a. The getUserKeypair2 interface, which returns a P12 containing the new key pair and
public certificate for the user. In this scenario the BlackBerry Dynamics runtime imports
the new key pair sent by the PKI Connector.
3. The PKI Connector is sent an acknowledgement after the BlackBerry Dynamics runtime has
received the renewed certificate.
2.6 Certificate removal
When a user or a device is removed from the Good Control server, or the certificate is
deleted by the admin or user, the Good Control server notifies the PKI Connector about the
user’s public certificate that is no longer used in the BlackBerry Dynamics deployment. The PKI
Connector can revoke these certificates.