Use the following requirements and steps to configure certificate integration.

System Requirements

The following tasks must be completed before proceeding with the steps outlined in this document:

  • An OpenTrust CMS Mobile 2.0 instance needs to be available. Contact your OpenTrust administrator to obtain a digital identity configured with appropriate rights for configuration.
  • AirWatch version 8.0 or greater.
  • AirWatch Cloud Connector is required if the OpenTrust CMS instance is installed behind a firewall.

Step 1: Obtain certificates for communication with OpenTrust CMS Mobile

After OpenTrust CMS Mobile has been installed, either in your on-premises environment or available from a provider’s cloud, you will receive a connection URL and three identities contained in password-protected PKCS#12 (.PFX or .P12) files. These identities are illustrated and explained below.


  1. One identity is meant for communication between AirWatch and OpenTrust CMS Mobile, hereafter referred to as “CMS JSON Connector”.
  2. One identity is meant for OpenTrust CMS Mobile administration, hereafter referred to as “CMS Admin”.
  3. One identity is meant for communication between OpenTrust CMS Mobile and OpenTrust PKI, hereafter referred to as “PKI SOAP Connector”.

These identities must have been configured by the CMS administrator with appropriate rights for each task.

You only need to integrate the CMS Admin identity into your browser, the two other PKCS#12 files need to remain available later for configuration. Check your browser’s documentation about integrating a digital identity if needed.

Step 2: Configure an AirWatch Datasource in OpenTrust CMS Mobile

The first step is to configure an internal data source in CMS Mobile to store incoming data from AirWatch.

  1. Connect to the OpenTrust CMS Mobile using an administrator identity.
  2. If the OpenTrust application does not open on the Settings page, select the drop-down arrow on the top, left corner of the dashboard and select Settings from the drop-down list.


  3. Navigate to Datasources by selecting Applications & Repositories > Datasources. The Datasources screen displays.


  4. Click on the Create a new Datasource drop-down and select Internal.

  5. Click on the Create button. The Configure an Internal Datasource window displays. The field names will be the ones received from AirWatch during each enrollment. The ones listed below are typical examples; the ones you want should have been decided in the previous step.

    These fields will be displayed in the AirWatch Console later when performing the integration.


  6. Enter a Name and Description for the new Datasource.

  7. Enter an Attribute name, Internal Name, and select a Label from the drop-down list that matches the Mandatory Fields you will be configuring in Step 6: Setup Certificate Template for OpenTrust CA Type.

  8. Click on Save. The new Datasource is added to the Internal list as shown in the screen below.


    Further information about configuring datasources is available from OpenTrust’s documentation.

Step 3: Configure the OpenTrust CMS Mobile Application

After you set up the Datasource, you need to configure the OpenTrust Application to point to the Datasource. In this very specific context, an Application refers to a digital credential, for example, an X.509 certificate.

  1. Click on Applications & Repositories > Applications to navigate to the Applications screen.


  2. Click on the Create a new Application of Type: drop-down arrow and OpenTrust PKI, OpenTrust PKI – Escrowed Keys, and Certificate Authorities Bundle displays the available selections. These are three different ways to configure the Application Type. This document covers OpenTrust PKI and Certification Authorities Bundle. OpenTrust PKI Escrowed Keys is configured in a similar fashion.


Select the OpenTrust PKI Application Type

  1. Select OpenTrust PKI from the drop-down.
  2. Click Create. The Configure an Application window appears.


  3. Enter appropriate information in the fields and then select on the Add an SSL client identity button.

  4. The SSL Client identity dialog box appears. Select the Authentication Type radio button. In this example, choose PKCS#12 since you are uploading a P12 (= PFX) file.


  5. Click on the Browse button and navigate to the P12 file containing the “PKI SOAP connector” identity.

    The certificate you need to upload here corresponds to the “PKI SOAP connector identity”. This identity must have been created by the PKI administrator and configured to have access rights to enroll/revoke certificates on all profiles chosen for mobile usage. This certificate needs not be integrated into a browser; it is only used server-to-server for strong authentication. You should have received a PFX/P12 file together with the associated password.

  6. Enter the Password you received when you received the P12 file.

  7. Click Save. The window expands to display the Certificate Management Profile Settings section. This section provides you with the ability to link the Certificate Profile Fields to the Datasource fields.



  8. Click on the Profile drop-down and select the profile from the list. Based on the selection, the PKI Version and Type automatically populates and the Mandatory Fields that is associated with AirWatch Template display.

  9. Drag and drop the available Data Source Fields from the bottom of the screen to the Mandatory Fields. In this example, it is the Common Name, Organizational Unit, Organization, and Email.

  10. Click Save. This links the OpenTrust Mobile Management Profile to the Data Source fields.

Select the Certification Authorities Bundle Application Type

You can add a bundle of Root and Sub-CA certificates by selecting this kind of application. To be part of a distributable bundle, a CA certificate needs to be trusted first by OpenTrust CMS Mobile. This can be achieved by editing trusted Certification Authorities through Server Management / Trust & Internal Certificates / Trusted External CAs, then selecting the right button Trust an external CA.

  1. Select Certification Authorities Bundle from the drop-down.


  2. Click Create. The Configure an Application window appears.


  3. Enter appropriate information in the fields and then check the appropriate checkbox for the certificate you want to associate to the Application.
  4. Click Save. This links the Certificate to the Application.
  5. The Applications window appears. The new Certification Authorities Bundle appears in the list.


Step 4: Configure the OpenTrust CMS Mobile MDM Profile

After you set up the OpenTrust Application, you need to configure the OpenTrust Mobile Management Profile to point to one or more OpenTrust Applications. This completes the process by connecting all the points needed by OpenTrust to enroll devices submitted by AirWatch. A Mobile Management Profile essentially represents a list of one or more certificates linked together which will be retrieved by AirWatch and deployed on a given mobile device.

For example, one profile contains a single certificate for VPN users; one profile containing two certificates for S/MIME users; or one do-it-all profile containing authentication, signing, and encryption certificates. A Mobile Management Profile links all of these certificates together. When users enroll against a profile they get all the defined certificates in one go. Note that AirWatch supports only one credential per mobile management profile.

  1. Click the Create a new Mobile Management Profile drop-down arrow.
  2. Select MDM from the list.


    You can select Agent supported (BlackBerry), Generic, MDM, and iOS from the drop-down list. Since the configuration of all selection are similar, except for the addition configuration of Wi-Fi, Exchange, and VPN if you select iOS, and this guide is only intended to provide guidance through some examples, we chose the most common selection – MDM. For more detailed information, refer to your OpenTrust manual, or call their technical support.


  3. Click Create. The Edit a Mobile Management Profile - MDM window appears.


  4. Enter appropriate information in the Name, Description, and Title fields and then check the appropriate Application checkbox for the Public Key Infrastructure or CA Certificate you want to associate to the Profile.

  5. Click the Enrollment tab.


  6. Click the Identification Method drop-down arrow and select one method from the list. This allows you to choose any of the Internal Datasources that were previously created. Select the main datasource that was declared in Applications.

  7. Click the Revocation tab.


  8. Click to select the Revocation by an Administrator checkbox if you want to allow administrators to revoke this profile.

  9. Click Save. This saves the profile and completes the connection between the Datasource, Application, and Mobile Management Profile.

Step 5: Configure OpenTrust in AirWatch

Now that you have generated an OpenTrust CMS Mobile 2.0 RA certificate, AirWatch can be configured to communicate with OpenTrust.

  1. Navigate to Devices > Certificates > Certificate Authorities and in the System Settings page that displays, ensure the Certificate Authorities tab is selected.
  2. Select the Add button.

    The Certificate Authority – Add / Edit page displays.

  3. Select the Authority Type drop-down and select OpenTrust CMS Mobile.

  4. Enter in the Name field a unique name that identifies the OpenTrust certificate authority.

  5. Enter in the Server URL field; enter the URL of your OpenTrust CMS instance.

    The URL is different for each customer and your AirWatch administrator should ask the MPS administrator where to connect to. Its general form is https://FQDN/connector/mdm.cgi

    where FQDN is the Fully Qualified Domain Name of the OpenTrust CMS Mobile server.

  6. Select the Protocol either the PKI or SCEP radio button.

  7. Lastly, select on the Upload button and select the “CMS JSON connector” certificate (PFX or P12 file) that you received in order to communicate with OpenTrust CMS Mobile.
  8. If applicable, the root certificate of the CMS JSON connector (pfx file) needs to be uploaded in the Trusted Root store of the AirWatch Cloud Connector server.

  9. Enter in the Certificate Password field the password you received with the P12 file.

  10. Select the Save button and the PFX/P12 file uploads into AirWatch and displays pertinent information about the certificate.

  11. When complete, select the Test Connection button and verify that the test is successful.


    If the connection failed, an error displays. This error could be the result of a certificate not being installed on the AirWatch server, the URL not being correct, etc. In this case, the Server URL was not correct.


  12. Select Save.

Step 6: Set Up Certificate Template for OpenTrust CA Type

Now that you have completed Step 5: Retrieving Certificate from OpenTrust Certificate Authority, AirWatch is able to communicate with OpenTrust. The next step is to define which certificate will be deployed to devices by setting up a certificate template in AirWatch.

Use the following steps whether you are setting up a template for PKI or SCEP.

  1. While still in the Certificate Authorities system settings page ( Groups & Settings > All Settings > System > Enterprise Integration > Certificate Authorities), select the Request Templates tab.
  2. Select the Add button to add a new Certificate Template.
  3. The Certificate Template Add/Edit window displays. First, select on the Certificate Authority drop-down and select the OpenTrust certificate authority you created in completed in Step 5: Retrieving Certificate from OpenTrust Certificate Authority.

  4. Enter in the Name and Description fields the name you want to give the OpenTrust certificate template.
  5. If AirWatch is going to automatically request the certificate to be renewed by OpenTrust when it expires, check the Automatic Certificate Renewal checkbox and then enter in the Auto Renewal Period (days) field the number of days prior to expiration before AirWatch automatically requests OpenTrust to reissue the certificate.
  6. Click on the Profile Name drop-down and select the OpenTrust profile you created in Step 4 above.

    Mandatory Fields display. These fields can change depending on which OpenTrust profile you choose since the information within the profile may be different. The fields you see on the left side correspond to the datasource fields you declared on the OpenTrust side. The values on the right are the AirWatch variables.

    The lookup values you enter in the AirWatch Certificate Template Mandatory Fields above are used as attributes for certificate generation. Make sure the lookup values you use match those used in the OpenTrust Portal. For example, if your mail in OpenTrust Portal is email address then use the {EmailAddress} lookup value for mail in the AirWatch certificate template. If the lookup values do not match, OpenTrust will create a new user.

  7. Enter Lookup Values in each of the fields that complement those fields in the OpenTrust profile.

  8. Click Save.