Follow the steps below to configure AirWatch for integration.


  • RSA Certificate Manager 6.9 Build 555+ required.
  • REST API support in RSA must be enabled.
  • AirWatch Console version 7.3.1 or higher.
  • If your RSA appliance is public-facing, it must be protected with a Public SSL Certificate. If you are using AirWatch Cloud Connector (ACC) for enterprise integration, then ACC needs to be configured to trust the root certificate installed on your RSA appliance.


    Important: The Enterprise Integration Service (EIS) is not supported for integration between AirWatch and RSA. You must be using the AirWatch Cloud Connector.

Add the RSA Certificate Authority in AirWatch

Now that you have the requisite information from RSA, you can perform the integration from the AirWatch Console. This includes adding the certificate authority, configuring a Request Template, and deploying a Wi-Fi, VPN or EAS profile leveraging each.

  1. Navigate to Devices > Certificates > Certificate Authorities.
  2. Click Add.
  3. Select RSA Certificate Manager from the Authority Type drop-down menu.
  4. Enter a unique name and description that identifies the RSA certificate authority in the Name and Description fields.
  5. In the Server URL field enter the server URL of your RSA instance, for example,

    This is the web endpoint that AirWatch will use to submit requests and issue certificates.

  6. Enter the Port, which is the port configured on your RSA instance that is listening for API calls. This is the port you noted from Obtaining your Port Number.
  7. Select Upload to upload the certificate you generated from Requesting an Authentication Certificate.
  8. Click Test Connection when complete to verify connectivity between AirWatch and RSA for authentication purposes. This does not indicate successful authentication, but rather that AirWatch can successfully establish a connection. An error message appears indicating the problem if the connection fails.
  9. Click Save.

Set Up Certificate Template for RSA CA Type

The next step is to define which certificate will be deployed to devices by setting up a certificate template in AirWatch.

  1. Navigate to Devices > Certificates > Certificate Authorities.
  2. Select the Request Templates tab.
  3. Click Add.
  4. Enter the Name for the RSA Request Template.
  5. Enter a Description to help you identify the RSA certificate template.
  6. Select your RSA CA from the Certificate Authority drop-down menu.
  7. Enter the Jurisdiction, which you generated by following Obtaining Your Jurisdiction ID.
  8. Enter the External Profile, which you generated by following Obtaining Your Profile ID.
  9. Enter the Subject Name, which is the identity bound to the certificate.
  10. Enter the Private Key Length, which defaults to 2048.
  11. For Private Key Type, select if the certificate can be used for signing and encryption operations or both.
  12. Select the Automatic Certificate Renewal checkbox if AirWatch is going to automatically request the certificate to be renewed by RSA when it expires. If you select this option, enter the number of days prior to expiration before AirWatch automatically requests RSA to reissue the certificate in the Auto Renewal Period (days) field. This requires the certificate profile on RSA to have the Duplicated Certificates setting enabled.
  13. Select the Enable Certificate Revocation checkbox if you want AirWatch to be able to revoke certificates.
  14. Click Save.


    Note: The San Type and Publish Private Key options do not do anything at this time.

Deploy a Certificate Profile to a Device

Now that the RSA certificate authority and certificate template settings have been properly configured in AirWatch, the final step is to configure AirWatch profiles (payloads). If in Retrieving Certificate from RSA Certificate Authority, you chose PKI then you only need to configure a Credentials profile. Once either of these profiles is created, you can create additional payloads that the RSA certificate can use, such as Exchange ActiveSync (EAS), VPN, or Wi-Fi services.

Configuring a PKI Credential Payload

  1. Navigate to Devices > Profiles > List View.
  2. Click Add.
  3. Select the applicable platform for the device type.
  4. Specify all General profile parameters for organization group, deployment type, etc.
  5. Select Credentials from the payload options.
  6. Click Configure.
  7. Select Defined Certificate Authority from the Credential Source drop-down menu.
  8. Select the external RSA CA you created previously in Retrieving Certificate from RSA certificate authority from the certificate authority drop-down menu.
  9. Select the Certificate Template for RSA you created previously in Setup Certificate Template for RSA CA Type from the certificate template drop-down menu.

    At this point, Saving and Publishing the profile would deploy a certificate to the device. However, if you plan on using the certificate on the device for Wi-Fi, VPN, or email purposes, then you should also configure the respective payload in the same profile to leverage the certificate being deployed. For step-by-step instructions on configuring these payloads, refer to the applicable Platform Guides.