In order for AirWatch to retrieve a certificate from a CA, you must correctly configure the AirWatch Console to use the certificate by performing the following.

  • Configure the CA
  • Configure the certificate template

Configure the CA

  1. Login to the AirWatch Console as a user with AirWatch Administrator privileges, at minimum.
  2. Navigate to System > Enterprise Integration > Certificate Authorities.

  3. Click Add.

  4. Select Microsoft ADCS from the Authority Type drop-down menu. You need to select this option prior to populating other fields in the dialog so applicable fields and options display.

  5. Enter the following details about the CA in the remaining fields.

    • Enter a name for the CA in the Certificate Authority field. This is how the CA will be displayed within the AirWatch Console.

    • Enter a brief Description for the new CA.

    • Select ADCS radio button in the Protocol section. If you select SCEP, note that there are different fields and selections available not covered by this whitepaper.

    • Enter the host name of the CA server in the Server Hostname field.

    • Enter the actual CA Name in the Authority Name field. This is the name of the CA to which the ADCS endpoint is connected. This can be found by launching the Certification Authority application on the CA server.

    • Select the radio button that reflects the type of service account in the Authentication section. Service Account causes the device user to enter credentials. Self-Service Portal authenticates the device without the user having to enter their credentials.

    • Enter the Admin Username and Password. This is the username and password of the ADCS Admin Account (created in the previous Step 2: Configure Microsoft CA) which has sufficient access to allow AirWatch to request and issue certificates.

  6. Click Save.

Configure the Certificate Template

  1. Select the Request Templates tab.

  2. Click Add.

  3. Complete the certificate template information.

    • Enter a friendly name for the new Request Template. This name is used by the AirWatch Console.

    • Enter a brief Description for the new certificate template.

    • Select the Certificate Authority that was just created from the certificate authority drop-down menu.

    • Enter the name of the Issuing Template (e.g., MobileUser) that you configured in Configuring Certificate Template Properties in the Template name field. Make sure you enter the name with no spaces.

    • Enter the Subject Name or Distinguished Name (DN) for the template. The text entered in this field is the “Subject” of the certificate, which can be used by the network administrator to determine who or what device received the certificate.

      A typical entry in this field is “CN={EnrollmentUser}” or “CN={DeviceUid}” where the {} fields are AirWatch lookup values.

    • Select the private key length from the Private Key Length drop-down menu.

      This is typically 2048 and should match the setting on the certificate template that is being used by DCOM.

    • Select the Private Key Type using the applicable checkbox.

      This should match the setting on the certificate template that is being used by DCOM.

    • Under San Type, select Add to include one or more Subject Alternate Names with the template. This is used for additional unique certificate identification. In most cases, this needs to match the certificate template on the server. Use the drop-down menu to select the San Type and enter the subject alternate name in the corresponding data entry field. Each field supports lookup values. Email Address, User Principal Name, and DNS Name are supported by ADCS Templates by default, and AirWatch recommends that you use them.

    • Select the Automatic Certificate Renewal checkbox to have certificates using this template automatically renewed prior to their expiration date. If enabled, specify the Auto Renewal Period in days.

    • Select the Enable Certificate Revocation checkbox to have certificates automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.


      Note: If you are making use of the Enable Certificate Revocation feature, navigate to Devices & Users > General > Advanced and set the number of hours in the Certificate Revocation Grace Period field. This is the amount of time in hours after the discovery that a required certificate is missing from a device that the system will wait before actually revoking the certificate. Given the vagaries of wireless technology and network bandwidth performance, this field is designed to prevent false negatives or times when a certificate is falsely identified as not existing on a device.

    • Select the Publish Private Key checkbox to publish the private key to the specified web service endpoint (Directory Services or custom web service).

      Publishing Private Key is only applicable when using Lotus Domino.

    • Click Add to the right of Eku Attributes to insert an object identifier (OID) that represents any additional extended key usages that may be required. You may add multiple Eku Attributes to fit your needs.

    • Select the Force Key Generation on Device checkbox to generate public and private key pair on the device which improves CA performance and security.

      For more information, see the following AirWatch Knowledge Base article:

  4. Click Save.