In order for AirWatch to retrieve a certificate from a certificate authority, you must correctly configure the AirWatch Console to use the certificate.

  • Configure the certificate authority.
  • Configure the certificate template.

Configure the Certificate Authority

  1. Login to the AirWatch Console with Administrator privileges or higher.
  2. Navigate to Devices > Certificates > Certificate Authorities from the AirWatch Console main menu.

  3. Click Add.

  4. Select Microsoft ADCS from the Authority Type drop-down menu prior to completing any other configuration settings for the certificate authority.
  5. Enter the information about the Certificate Authority.
    • Enter the exact name for the new Certificate Authority.
    • Enter a brief Description for the new certificate authority.
    • Microsoft ADCS should already be selected for the Authority Type as described previously.
    • Select ADCS as the Protocol.
    • Enter the URL of the server in the Server Hostname field. The server hostname must be entered in the following format: https://{servername}/certsrv/adcs/. The site can be http or https depending on how the site is set up. The URL must include the trailing /.
    • Enter the Authority Name. This is the name of the certificate authority that the ADCS endpoint is connected to. This can be found by launching the Certification Authority application on the certificate authority server.
    • Verify Service Account is selected for Authentication.
    • Enter the Username and Password. This is the username and password of the ADCS Admin Account with sufficient access to allow AirWatch to request and issue certificates.

  6. Click Save.

Configure the Certificate Template

  1. Select the Request Templates tab and then select Add. The Certificate Template - Add/Edit screen displays.

  2. Complete the certificate template information:
    • Enter the exact Name for the new request template.
    • Enter a brief Description for the new certificate template.
    • Select the certificate authority that was just created from the Certificate Authority drop-down menu.
    • Enter the Subject Name or Distinguished Name (DN) for the template. The text entered in this field is the Subject of the certificate, which can be used by the network administrator to determine who or what device received the certificate.

      A typical entry in this field is “CN=AirWatch.{EnrollmentUser}” or “CN={DeviceUid}” where the {} fields are AirWatch lookup values.

    • Select the private key length from the Private Key Length drop-down menu.

      This is typically 2048 and should match the setting on the certificate template that is being used by ADCS.

    • Select the private key type from the Private Key Type drop-down menu.

      This is typically “Signing & Encryption” and should match the certificate template that is being used by ADCS. For use with Exchange Active Sync it should be “Signing & Encryption”.

    • Click Add to the right of San Type to include one or more Subject Alternate Names with the template. This is used for additional unique certificate identification. In most cases, this needs to match the certificate template on the server. Use the drop-down menu to select the San Type and enter the subject alternate name in the corresponding data entry field. Each field supports lookup values.
    • Select the Automatic Certificate Renewal checkbox to have certificates using this template automatically renewed prior to their expiration date. If enabled, specify the Auto Renewal Period in days.
    • Select the Enable Certificate Revocation checkbox to have certificates automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.
    • For Lotus Domino configurations only, select the Publish Private Key checkbox to publish the private key to the specified web service endpoint.
    • For iOS devices only, enable Force Key Generation on Device which generates a public and private key pair on the device, improving performance and security.
  3. Click Save