Use the following requirements and steps to configure certificate integration.

System Requirements

  • A SecureAuth instance that is configured for certificate deployment.
  • AirWatch Console version 7.2 or higher.
  • If your SecureAuth appliance is public-facing, it must be protected with a Public SSL Certificate. If you are using AirWatch Cloud Connector (ACC) for enterprise integration, then ACC needs to be configured to trust the root certificate installed on your SecureAuth appliance.

Retrieve Certificate from SecureAuth Certificate Authority

After you generate a SecureAuth MPKI RA certificate, AirWatch can be configured to communicate with SecureAuth.

  1. Navigate to Devices > Certificates > Certificate Authorities.
  2. Click Add.
  3. Select SecureAuth from the Authority Type drop-down menu.
  4. Enter a unique name and description that identifies the SecureAuth certificate authority in the Certificate Authority and Description fields.
  5. In the Server URL field, enter https://<SecureAuth_FQDN>/SecureAuthX/webservice/certificateissuerws.svc, where <SecureAuth_FQDN> is the fully qualified domain name of your SecureAuth instance and the “X” in “SecureAuthX” is the realm instance number that is configured for certificates.

    This is the web endpoint that AirWatch will use to submit requests and issue certificates.

  6. Enter the Company GUID, which at the time of this writing can be found by logging in to your SecureAuth admin portal, navigating to the System Information tab, and scrolling down to the License Info section where you can view your Company GUID.
  7. Enter the Username and Password, which can be found by logging in to your SecureAuth admin portal, navigating to the Workflow tab, and scrolling down to the FBA WebService section.
  8. Click Save.
  9. When complete, click Test Connection to verify that the connection succeeds. If the connection fails, an error message appears indicating the problem.
  10. Click Save.
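
A pre-flight check for the Server URL from step 5 and for the root-certificate trust requirement listed under System Requirements, as an added example that is not part of the AirWatch or SecureAuth documentation. The function names are hypothetical, and the hostname pattern assumes a conventional DNS name.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

# Path from step 5 of this page; the realm number takes the place of the "X".
ENDPOINT_RE = re.compile(r"/SecureAuth[1-9]\d*/webservice/certificateissuerws\.svc")
# Assumption: a conventional DNS hostname (labels of letters, digits, hyphens).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def build_server_url(fqdn: str, realm: int) -> str:
    """Return the Server URL for step 5, rejecting anything but a bare FQDN."""
    fqdn = fqdn.strip().rstrip(".")
    if not HOSTNAME_RE.match(fqdn):
        raise ValueError(f"not a bare fully qualified domain name: {fqdn!r}")
    if isinstance(realm, bool) or not isinstance(realm, int) or realm < 1:
        raise ValueError(f"realm must be a positive integer: {realm!r}")
    return f"https://{fqdn}/SecureAuth{realm}/webservice/certificateissuerws.svc"


def check_server_url(url: str) -> list:
    """Return the problems found in a hand-typed Server URL (empty if none)."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not HOSTNAME_RE.match(parts.hostname or ""):
        problems.append("host is not a fully qualified domain name")
    if not ENDPOINT_RE.fullmatch(parts.path):
        problems.append(
            "path does not match /SecureAuthX/webservice/certificateissuerws.svc")
    if parts.query or parts.fragment or parts.username:
        problems.append("unexpected query, fragment, or embedded credentials")
    return problems


def tls_chain_trusted(fqdn: str, ca_file: str = None, timeout: float = 5.0) -> bool:
    """True if the appliance's TLS chain and hostname validate against ca_file."""
    # With ca_file set, only that PEM root is trusted; with None, system roots.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((fqdn, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn):
                return True
    except (ssl.SSLError, OSError):
        return False
```

Run tls_chain_trusted from the AirWatch Cloud Connector host with ca_file pointing at the SecureAuth root certificate in PEM form; a False result before you click Test Connection points to a trust or reachability problem rather than to the credentials.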

Set Up Certificate Template for SecureAuth CA Type

Now that you have completed the steps in Retrieve Certificate from SecureAuth Certificate Authority, AirWatch is able to communicate with SecureAuth. The next step is to define which certificate will be deployed to devices by setting up a certificate template in AirWatch. Use the following steps whether you are setting up a template for PKI or SCEP.

  1. Navigate to Devices > Certificates > Certificate Authorities.
  2. Select the Request Templates tab.
  3. Click Add.
  4. Select SecureAuth from the Certificate Authority drop-down menu.
  5. Enter the Name for the SecureAuth Request Template.
  6. Enter a Description to help you identify the SecureAuth certificate template.
  7. Enter the Subject Name, which is the identity bound to the certificate.
  8. Select the Key Pair Generation Location, which can be either AirWatch or SecureAuth. This is where the key pair is generated – either on the SecureAuth side or on the AirWatch side. AirWatch recommends selecting SecureAuth because it is the simpler configuration.
    • When you select SecureAuth, it generates the certificate and the private key and returns them to AirWatch with its root certificate. The root certificate and user certificate are combined into a single certificate and sent to the device to install.
    • When you select AirWatch, you have a few more fields to configure: the Certificate Validity Period, which is the length of time in days for which the certificate is valid (AirWatch recommends the value 365), and the Private Key Length, which determines how strong the keys are (AirWatch recommends 2048 as the key length).
  9. For Private Key Type, select whether the certificate can be used for signing, encryption, or both.
  10. Select the Automatic Certificate Renewal checkbox if AirWatch is going to automatically request the certificate to be renewed by SecureAuth when it expires. If you select this option, enter the number of days prior to expiration before AirWatch automatically requests SecureAuth to reissue the certificate in the Auto Renewal Period (days) field. This requires the certificate profile on SecureAuth to have the Duplicated Certificates setting enabled.
  11. Select the Enable Certificate Revocation checkbox if you want AirWatch to be able to revoke certificates.
  12. Click Save.

Deploy a Certificate Profile to a Device

Now that the SecureAuth certificate authority and certificate template settings have been properly configured in AirWatch, the final step is to configure AirWatch profiles (payloads) for either PKI or SCEP. If you chose PKI in Retrieve Certificate from SecureAuth Certificate Authority, you only need to configure a Credentials profile. Once either of these profiles is created, you can create additional payloads that the SecureAuth certificate can use, such as Exchange ActiveSync (EAS), VPN, or Wi-Fi services.

Configure a PKI Credential Payload

  1. Navigate to Devices > Profiles > List View.
  2. Click Add.
  3. Select the applicable platform for the device type.
  4. Specify all General profile parameters for organization group, deployment type, etc.
  5. Select Credentials from the payload options.
  6. Click Configure.
  7. Select Defined Certificate Authority from the Credential Source drop-down menu.
  8. Select the external SecureAuth CA you created previously in Retrieve Certificate from SecureAuth Certificate Authority from the Certificate Authority drop-down menu.
  9. Select the certificate template for SecureAuth you created previously in Set Up Certificate Template for SecureAuth CA Type from the Certificate Template drop-down menu.

    At this point, Saving and Publishing the profile would deploy a certificate to the device. However, if you plan on using the certificate on the device for Wi-Fi, VPN, or email purposes, then you should also configure the respective payload in the same profile to leverage the certificate being deployed. For step-by-step instructions on configuring these payloads, refer to the applicable Platform Guides.