When a BlackBerry device is setup with encryption capabilities it contains other people certificates so the client can use the certificates to send encrypted e-mails. As time go by unfortunately these certificates can expire or additional new certificates can come up. When this happens and the device does not contain the newer certificates client will not be able to send encrypted e-mail to new clients or will not able to open encrypted e-mail from new client. In case like this client fetch certificate manually on the device. Recently we updated BES 4.1 to 5.0 and most of our BB device use firmware 5.0 Is there a way to set up auto fetch on BES server so client do not have to do fetch public certificate when it is missing from the BlackBerry device?