In order for AirWatch to retrieve a certificate from a CA, you must correctly configure the AirWatch Console to use the certificate by performing the following:

  • Configure the CA
  • Configure the certificate template

Configure the CA

  1. Log in to the AirWatch Console as a user with AirWatch Administrator privileges, at minimum.
  2. Navigate to System > Enterprise Integration > Certificate Authorities.
  3. Click Add.

  4. Enter the following details about the CA in the remaining fields.

    • Select ‘Microsoft ADCS’ from the Authority Type drop-down menu. You need to select this option prior to populating other fields in the dialog so applicable fields and options display.

    • Enter the Name and Description of the new certificate authority.

    • Select the Protocol; you may choose between ADCS and SCEP.

    • Select the Version by choosing between NDES 2008/2012 and SCEP 2003.

    • Enter the URL of the CA server in the SCEP URL field.

    • Select the Challenge Type that reflects whether or not a challenge phrase is required for authentication. If you want basic authentication, select the Static radio button and enter an authentication phrase consisting of a singular key or password that is used to authenticate the device with the certificate enrollment URL. Select Dynamic to enable a new challenge to be generated for every SCEP enrollment request.

    • Enter the Challenge Username/Challenge Password. This combination is used to authenticate the device making the request.

    • Complete the SCEP Challenge URL field.

    • Advanced Options

      • Enter the SCEP Challenge Length, which represents the number of characters in the challenge password.

      • Enter the Retry Timeout, which is the time the system waits between retries.

      • Enter the Max Retries When Pending, which is the maximum number of retries the system allows while the request to the authority is still pending.

      • With Enable Proxy checked, AirWatch acts as a proxy between the device and the SCEP endpoint defined in the CA configuration.

        For more information, see the following AirWatch Knowledge Base article:

    • Click Test Connection. If you select Save prior to Test Connection, a “Test is unsuccessful” error displays.

  5. Click Save.
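The CA definition above has two settings that are easy to get subtly wrong: the challenge type (Static needs a fixed phrase, Dynamic needs the challenge URL and credentials used to fetch a fresh one-time password), and the Advanced Options that govern how long an enrollment left pending by the CA is retried. The following Python is an added example, not AirWatch or VMware code: it checks a CA definition built from the fields in the steps above for consistency and models the Retry Timeout / Max Retries When Pending behaviour against a constructed stand-in for the SCEP endpoint. Field names, the seconds unit for Retry Timeout and the host names are assumptions; the `/certsrv/mscep/` and `/certsrv/mscep_admin/` paths are the standard NDES virtual directories.

```python
# Added example (not AirWatch or VMware code). Field names mirror the console
# dialog; units and the fake SCEP endpoint are assumptions for illustration.
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import urlparse
import secrets
import string

PROTOCOLS = {"ADCS", "SCEP"}
VERSIONS = {"NDES 2008/2012", "SCEP 2003"}
CHALLENGE_TYPES = {"Static", "Dynamic"}


@dataclass
class ScepCaConfig:
    name: str
    protocol: str
    version: str
    scep_url: str
    challenge_type: str
    static_challenge: str = ""        # Static challenge type: the fixed phrase
    challenge_username: str = ""      # Dynamic challenge type: credentials used
    challenge_password: str = ""      #   to fetch a fresh challenge
    challenge_url: str = ""           # Dynamic challenge type: SCEP Challenge URL
    challenge_length: int = 16        # Advanced Options: SCEP Challenge Length
    retry_timeout: int = 30           # Advanced Options: Retry Timeout (seconds assumed)
    max_retries_when_pending: int = 3  # Advanced Options: Max Retries When Pending
    enable_proxy: bool = False


def validate(cfg: ScepCaConfig) -> List[str]:
    """Return the problems found in a CA definition; an empty list means it is consistent."""
    problems = []
    if cfg.protocol not in PROTOCOLS:
        problems.append(f"unknown protocol {cfg.protocol!r}")
    if cfg.version not in VERSIONS:
        problems.append(f"unknown version {cfg.version!r}")
    parsed = urlparse(cfg.scep_url)
    if not (parsed.scheme and parsed.netloc):
        problems.append("SCEP URL must be an absolute URL")
    # The challenge credentials travel to these endpoints, so insist on TLS.
    for label, url in (("SCEP URL", cfg.scep_url), ("SCEP Challenge URL", cfg.challenge_url)):
        if url and urlparse(url).scheme != "https":
            problems.append(f"{label} should use https so challenge credentials are not sent in clear")
    if cfg.challenge_type not in CHALLENGE_TYPES:
        problems.append(f"unknown challenge type {cfg.challenge_type!r}")
    elif cfg.challenge_type == "Static" and not cfg.static_challenge:
        problems.append("Static challenge type requires an authentication phrase")
    elif cfg.challenge_type == "Dynamic":
        for label, value in (("Challenge Username", cfg.challenge_username),
                             ("Challenge Password", cfg.challenge_password),
                             ("SCEP Challenge URL", cfg.challenge_url)):
            if not value:
                problems.append(f"Dynamic challenge type requires {label}")
    if cfg.challenge_length <= 0:
        problems.append("SCEP Challenge Length must be positive")
    if cfg.retry_timeout <= 0:
        problems.append("Retry Timeout must be positive")
    if cfg.max_retries_when_pending < 0:
        problems.append("Max Retries When Pending cannot be negative")
    return problems


def new_dynamic_challenge(length: int) -> str:
    """Fresh one-time challenge of the configured length (what Dynamic implies per request)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def enroll_with_pending_retries(cfg: ScepCaConfig, send: Callable[[], str],
                                sleep: Callable[[float], None]) -> Tuple[str, int]:
    """Submit the request; while the CA answers PENDING, wait Retry Timeout and
    resubmit at most Max Retries When Pending times. Returns (status, retries)."""
    retries = 0
    status = send()
    while status == "PENDING" and retries < cfg.max_retries_when_pending:
        sleep(cfg.retry_timeout)
        retries += 1
        status = send()
    return status, retries


def make_fake_ca(pending_rounds: int) -> Callable[[], str]:
    """Constructed stand-in for the SCEP endpoint: PENDING for the first
    pending_rounds submissions, then SUCCESS."""
    calls = {"n": 0}

    def send() -> str:
        calls["n"] += 1
        return "PENDING" if calls["n"] <= pending_rounds else "SUCCESS"
    return send


# Constructed sample definition; host name is a placeholder.
EXAMPLE = ScepCaConfig(
    name="Example NDES", protocol="SCEP", version="NDES 2008/2012",
    scep_url="https://ndes.example.com/certsrv/mscep/mscep.dll",
    challenge_type="Dynamic", challenge_username="svc-ndes",
    challenge_password="placeholder-password",
    challenge_url="https://ndes.example.com/certsrv/mscep_admin/",
)

if __name__ == "__main__":
    print("problems:", validate(EXAMPLE))
    waits: List[float] = []
    print(enroll_with_pending_retries(EXAMPLE, make_fake_ca(2), waits.append), waits)
    print(new_dynamic_challenge(EXAMPLE.challenge_length))
```

Running the sample shows an enrollment that the CA holds pending twice succeeding on the third submission after two waits of the configured Retry Timeout, while one held pending longer than Max Retries When Pending is given up as still PENDING; tuning those two fields is what decides how long a device waits on a CA that needs manager approval.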

Configure the Certificate Template

  1. Click the Request Templates tab.
  2. Click Add.

  3. Enter the following details about the template in the remaining fields.

    • Enter the template Name and Description.

    • Select the certificate authority that was just created from the Certificate Authority drop-down box.

    • Enter the distinguished name in the Subject Name field. The text entered in this field becomes the Subject of the certificate, which can be used by the network administrator to determine which devices need to receive the certificate.

      A typical entry in this field is “CN={EnrollmentUser}” or “CN={DeviceUid}” where the {} fields are AirWatch lookup values.

    • Select the private key length from the Private Key Length drop-down menu.

      This is typically 2048 and should match the setting on the certificate template that is being used by NDES/SCEP/MSCEP.

    • Select the applicable checkbox for the Private Key Type.

      This can be Signing, Encryption, or both, and this value should match the certificate template being used by NDES/SCEP/MSCEP.

    • You may optionally select any of the following:

      • Select the Automatic Certificate Renewal checkbox if AirWatch is to renew the certificate automatically before it expires, and enter in the Auto Renewal Period (days) field the number of days prior to expiration at which AirWatch automatically reissues the certificate to the device.

      • Select the Enable Certificate Revocation checkbox to have certificates automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.


        Note: If you are making use of the Enable Certificate Revocation feature, navigate to Devices & Users > General > Advanced and set the number of hours in the Certificate Revocation Grace Period field. This is the amount of time in hours after the discovery that a required certificate is missing from a device that the system shall wait before actually revoking the certificate. Given the vagaries of wireless technology and network bandwidth performance, this field is designed to prevent false negatives or times when a certificate is falsely identified as not existing on a device.

      • Select the Publish Private Key checkbox if the certificate needs to be published to Active Directory or any other customer web service, then select the proper destination by selecting the appropriate Private Key Destination, either Directory Services or a Custom Web Service.

      • Click Add to the right of Eku Attributes to insert an object identifier (OID) that represents any additional extended key usages that may be required. You may add multiple Eku Attributes to fit your needs.

      • Select Force Key Generation On Device to generate a public and private key pair on the device itself. This improves both CA performance and security.

  4. Click Save.
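Three parts of the template definition above are worth checking with code rather than by eye: the Subject Name, which is built from lookup values such as {EnrollmentUser} and ends up as the certificate's subject; the private key length and key type, which must agree with the NDES/SCEP/MSCEP template; and the Auto Renewal Period and Certificate Revocation Grace Period, which are both time offsets. The following Python is an added example, not AirWatch or VMware code: it renders a Subject Name from lookup values with RFC 4514 escaping (so a lookup value containing DN separators cannot introduce extra RDNs), reports mismatches between the AirWatch template and a constructed description of the NDES-side template, and computes the renewal and revocation times. The lookup names are the page's; the dictionary shapes, sample values and the use of UTC are assumptions.

```python
# Added example (not AirWatch or VMware code). Dictionary shapes for the two
# templates are constructed for illustration, not a product schema.
from datetime import datetime, timedelta, timezone
from typing import Dict, List
import re

LOOKUP = re.compile(r"\{(\w+)\}")     # AirWatch lookup value, e.g. {EnrollmentUser}
DN_SPECIALS = ',+"\\<>;'              # characters RFC 4514 requires to be escaped


def escape_dn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 so it stays a single RDN value."""
    out = "".join("\\" + ch if ch in DN_SPECIALS else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def render_subject(template: str, lookups: Dict[str, str]) -> str:
    """Substitute lookup values into a Subject Name such as "CN={EnrollmentUser}"."""
    missing = [k for k in LOOKUP.findall(template) if k not in lookups]
    if missing:
        raise KeyError(f"no value for lookup(s): {', '.join(missing)}")
    return LOOKUP.sub(lambda m: escape_dn_value(lookups[m.group(1)]), template)


def template_mismatches(aw: dict, ndes: dict) -> List[str]:
    """Compare the AirWatch request template with the template NDES/MSCEP issues from."""
    problems = []
    if aw["private_key_length"] != ndes["key_size"]:
        problems.append(f"Private Key Length {aw['private_key_length']} "
                        f"!= NDES template key size {ndes['key_size']}")
    if set(aw["private_key_type"]) != set(ndes["purpose"]):
        problems.append(f"Private Key Type {sorted(aw['private_key_type'])} "
                        f"!= NDES template purpose {sorted(ndes['purpose'])}")
    for oid in aw.get("eku", []):
        if oid not in ndes.get("application_policies", []):
            problems.append(f"EKU {oid} not allowed by NDES template")
    return problems


def renewal_date(not_after: datetime, auto_renewal_days: int) -> datetime:
    """When AirWatch reissues: Auto Renewal Period (days) before expiry."""
    return not_after - timedelta(days=auto_renewal_days)


def revocation_time(missing_detected_at: datetime, grace_hours: int) -> datetime:
    """When revocation fires: Certificate Revocation Grace Period after the
    certificate was first found missing from the device."""
    return missing_detected_at + timedelta(hours=grace_hours)


def should_revoke(missing_detected_at: datetime, grace_hours: int,
                  now: datetime, still_missing: bool) -> bool:
    """Revoke only if the grace period has elapsed and the certificate is still
    missing; a certificate seen again inside the window is a false alarm."""
    return still_missing and now >= revocation_time(missing_detected_at, grace_hours)


# Constructed sample data.
SAMPLE_LOOKUPS = {"EnrollmentUser": "jdoe", "DeviceUid": "ABC123"}
AW_TEMPLATE = {"private_key_length": 2048,
               "private_key_type": {"Signing", "Encryption"},
               "eku": ["1.3.6.1.5.5.7.3.2"]}          # id-kp-clientAuth
NDES_TEMPLATE = {"key_size": 2048,
                 "purpose": {"Signing", "Encryption"},
                 "application_policies": ["1.3.6.1.5.5.7.3.2"]}

if __name__ == "__main__":
    print(render_subject("CN={EnrollmentUser},OU=Devices", {"EnrollmentUser": "a,b"}))
    print(template_mismatches(dict(AW_TEMPLATE, private_key_length=1024), NDES_TEMPLATE))
    expiry = datetime(2025, 1, 31, tzinfo=timezone.utc)
    print(renewal_date(expiry, 30))
```

The escaping matters because the Subject Name field is filled from directory data: an enrollment user name containing a comma would otherwise be rendered as an additional RDN, and the mismatch check catches the common failure where a 1024-bit or signing-only AirWatch template is paired with a 2048-bit signature-and-encryption NDES template, which the CA rejects at enrollment time.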