Before configuring the Secure Email Gateway (SEG) to use certificate authentication, you must have the following:

  • An internal certificate authority (CA) server to create user certificates. An external CA (e.g., VeriSign) cannot be used to create user certificates.
  • Installed and operational Secure Email Gateway (SEG). For more information, see the VMware AirWatch Secure Email Gateway Guide, available on Accessing Other Documents.
  • Windows Server 2003 or 2008 Standard with latest service packs and recommended updates from Microsoft (
  • A device with an Exchange ActiveSync (EAS) profile and certificate from a domain enterprise certificate authority.
  • A SEG that is configured as a member of the same domain as the enterprise certificate authority.
  • Administrative permissions to configure the following in your enterprise:
    • Secure Email Gateway (SEG)
    • Active Directory (AD)
    • Exchange ActiveSync (EAS) server
  • A certificate authority properly configured to issue certificates through AirWatch using MSCEP/NDES or DCOM.
  • A trust relationship between the certificate authority (CA) providing the certificates and the directory services server. This entails:
    • Export the root CA certificate to a .cer file.
    • At the command prompt, type the following commands, pressing ENTER after each:

      Certutil -dspublish -f <filename> NTAuthCA

      certutil -enterprise -addstore NTAuth CA_CertFilename.cer
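
To confirm the trust relationship after running the commands above, the following PowerShell check (an added example, not part of the original guide) inspects the exported .cer file and looks for it in the machine's NTAuth store. The function name Test-NTAuthCertificate is hypothetical, CA_CertFilename.cer is the placeholder file name used above, and the registry key is assumed to be the location where Windows keeps the local copy of the enterprise NTAuth store.

```powershell
# Added example: validate the exported CA certificate and confirm it is
# present in this machine's enterprise NTAuth store.
function Test-NTAuthCertificate {
    param([Parameter(Mandatory)][string]$Path)

    # Load the exported certificate (DER or Base64 .cer).
    $file = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # NTAuth holds CA certificates, so the file should carry the CA basic constraint.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # An expired or not-yet-valid CA certificate breaks certificate authentication.
    $now = Get-Date
    $inValidity = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # Assumption: local copy of the enterprise NTAuth store, one subkey per thumbprint.
    $storeKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    $inStore = Test-Path -LiteralPath (Join-Path $storeKey $cert.Thumbprint)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # true for a root CA
        IsCA          = $isCa
        InValidity    = $inValidity
        InNTAuthStore = $inStore
    }
}

# Placeholder file name from the command above; replace with the exported file.
Test-NTAuthCertificate -Path 'CA_CertFilename.cer'
```

Run it on the SEG server as well as on the CA host: InNTAuthStore reports only the local machine's copy of the store.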