After configuring the ASA firewall for IPSec VPN with external CA authentication, AirWatch can be used to automate the deployment process of Identity Certificates and VPN settings to each device.

You can now integrate AirWatch with the external CA so that AirWatch can request and deploy Identity Certificates. First, you must provide AirWatch with information about the external CA.

  1. Log in to the AirWatch Console as a user with AirWatch Administrator privileges, at minimum.
  2. Navigate to Devices > Certificates > Certificate Authorities.

  3. Select Add.
  4. Select from the Microsoft ADCS from the Authority Type drop-down menu prior to completing any other configuration settings for the certificate authority.

  5. Enter the information about the Certificate Authority.
    • Enter a name for the new Certificate Authority.
    • Enter a brief Description for the new certificate authority.
    • Microsoft ADCS should already be selected for the Authority Type as described previously.
    • Select ADCS radio button for the Protocol.
    • Enter the URL of the server in the Server Hostname field. The server hostname must be entered in the following format: https://{servername}/certsrv/adcs/. The site can be http or https depending on how the site is set up. The URL must include the trailing /.
    • Enter the Authority Name. This is the name of the certificate authority that the ADCS endpoint is connected to. This can be found by launching the Certification Authority application on the certificate authority server.
    • Verify the Service Account radio button is selected for Authentication.
    • Enter the Username and Password. This is the username and password of the ADCS Admin Account with sufficient access to allow AirWatch to request and issue certificates.
  6. Select Save.
  7. Select the Request Templates tab at the top of the page and then select Add.

  8. Complete the certificate template information.
    • Enter a name for the new Request Template.
    • Enter a brief Description for the new certificate template.
    • Select the certificate authority that was just created from the Certificate Authority drop-down menu.
    • Enter the Subject Name or Distinguished Name (DN) for the template. The text entered in this field is the “Subject” of the certificate, which can be used by the network administrator to determine who or what device received the certificate.

      A typical entry in this field is “CN=AirWatch.{EnrollmentUser}” or “CN={DeviceUid}” where the {} fields are AirWatch lookup values.

    • Select the private key length from the Private Key Length drop-down box.

      This is typically 2048 and should match the setting on the certificate template that is being used by ADCS.

    • Select the private key type from the Private Key Type drop-down box.

      This is typically “Signing & Encryption” and should match the certificate template that is being used by ADCS. For use with Exchange Active Sync it should be “Signing & Encryption.”

    • Select Add to the right of San Type to include one or more Subject Alternate Names with the template. This is used for additional unique certificate identification. In most cases, this needs to match the certificate template on the server. Use the drop-down menu to select the San Type and enter the subject alternate name in the corresponding data entry field. Each field supports lookup values.
    • Select the Automatic Certificate Renewal checkbox to have certificates using this template automatically renewed prior to their expiration date. If enabled, specify the Auto Renewal Period in days.
    • Select the Enable Certificate Revocation checkbox to have certificates automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.
    • Select the Publish Private Key checkbox to publish the private key to the specified web service endpoint (directory services or custom web service).
  9. Select Save.

Now you can proceed to the final step, Deploy an IPSec VPN and Certificate Profile to Devices.