After you configure the ASA firewall for AnyConnect VPN with external CA authentication, AirWatch can be used to automate the deployment process of Identity Certificates and VPN settings to each device.

To accomplish this process, you must first integrate AirWatch with the external CA so that AirWatch can request and deploy Identity Certificates.

  1. Log in to the AirWatch Console as an Administrator.
  2. Navigate to Devices > Certificates > Certificate Authorities.

  3. Select Add.
  4. Select the appropriate PKI type from the Authority Type drop-down menu. This value is typically Microsoft ADCS (Active Directory Certificate Services). Make your Authority Type selection before configuring any other settings as the available options change depending on the Authority Type selected.
  5. Enter the following details about the CA in the remaining text boxes.

    • Enter a name for the CA in the Certificate Authority text box. This value is how the CA is displayed within the AirWatch Console.
    • Enter a brief Description for the new CA.
    • Select ADCS radio button in the Protocol section. If you select SCEP, then there are different text boxes and selections available not covered by this document.
    • Enter the host name of the CA server in the Server Hostname text box.
    • Enter the actual CA Name in the Authority Name text box. This value is the name of the CA to which the ADCS endpoint is connected. This value can be found by launching the Certification Authority application on the CA server.
    • Select the type of service account in the Authentication section. Service Account causes the device user to enter credentials. Self-Service Portal authenticates the device without the user having to enter their credentials.
    • Enter the Admin Username and Password. This value is the user name and password of the ADCS Admin Account which has sufficient access to allow AirWatch to request and issue certificates.

  6. Select Save. Next, enter in information about the Identity Certificate template that AirWatch deploys to devices for VPN certificate authentication.
  7. Select the Request Templates tab.

  8. Select Add.
  9. Complete the certificate template Information.
    • Enter a name for the Request Template.
    • Enter a brief Description for the new certificate template.
    • Select the certificate authority that was just created from the certificate authority drop-down menu.
    • Enter the Subject Name or Distinguished Name (DN) for the template. The text entered in this text box is the Subject of the certificate, which a network administrator can use to determine who or what device received the certificate.

      A typical entry in this text box is “CN=AirWatch.{EnrollmentUser}” or “CN={DeviceUid}” where the {} entries are AirWatch lookup values.

    • Select the private key length from the Private Key Length drop-down menu.

      This value is typically 2048 and must match the setting on the certificate template that is being used by DCOM.

    • Select the Private Key Type using the applicable check box.

      This value must match the setting on the certificate template that is being used by DCOM.

    • Select Add to the right of San Type to include one or more Subject Alternate Names with the template. This value is used for extra unique certificate identification. Usually, this value needs to match the certificate template on the server. Use the drop-down menu to select the San Type and enter the subject alternate name in the corresponding data entry text box. Each text box supports lookup values.
    • Select the Automatic Certificate Renewal check box to have certificates using this template automatically renewed before their expiration date. If enabled, specify the Auto Renewal Period in days.
    • Select the Enable Certificate Revocation check box to have certificates automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.
    • Select the Publish Private Key check box to publish the private key to the specified Web service endpoint (directory services or custom Web service).

  10. Select Save.

Next, you must Deploy a VPN and Certificate Profile to Devices.