In order for AirWatch to use a certificate in a profile, which is used to authenticate a user, an enterprise certificate authority does not need to be set up in the same domain as the AirWatch server.

There are several methods for AirWatch to retrieve a certificate from the certificate authority. Each method requires the basic installation and configuration described in this document. Sample CA Configurations are shown below in the AirWatch SaaS environment. Configurations will differ in on-premises environments.

Scenario #1: AirWatch to NDES/SCEP/MSCEP and then to Certificate Authority

Certs_Microsoft_NDES_Diagram_SaaS_SCEP_to_CA

Scenario #2: AirWatch to VMware Enterprise Systems Connector, then to NDES/SCEP/MSCEP, and then to Certificate Authority

Certs_Microsoft_NDES_Diagram_SaaS_ACC_to_SCEP_to_CA

Scenario #3: On-Premises DS and NDES in the DMZ with Internal AW Console and CA

Certs_Microsoft_NDES_Diagram_OnPrem_without_ACC

Scenario #4: On-Premises with All Servers Internal and SCEP Proxy

Certs_Microsoft_NDES_Diagram_OnPrem_with_ACC