Add a Service Account on the CA

  1. Launch the Certification Authority Console from the Administrative Tools in Windows.
  2. In the left pane, select (+) to expand the CA directory.
  3. Right-click the name of the CA and select Properties. The CA Properties dialog box displays.

  4. Click the Security tab.

  5. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog box displays.

  6. Click within the Enter the object names to select field and type the name of the service account (e.g., Ima Service).

  7. Click OK. The CA Properties dialog box displays.

  8. Select the service account you added in the previous step (e.g., Ima Service) from the Group or user names list.

  9. Select the Read, the Issue and Manage Certificates, and the Request Certificates checkboxes to assign permissions to the service account.

  10. Click OK.

Configure the CA to use Subject Alternative Name in Certificates

  1. Open a command prompt from the Windows Desktop and enter the following in the order they appear. These commands configure the CA to allow the use of the Subject Alternative Name (SAN) in a certificate.

    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    net stop certsvc
    net start certsvc
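The three commands above change a CA-level registry value, so a practitioner will want to confirm it took effect after the service restart. The following PowerShell is an added example, not part of the AirWatch or Microsoft documentation: it reads the value back with `certutil -getreg` (which decodes the DWORD into named flags), applies the documented change only if the flag is absent, and restarts the service with `Restart-Service`. It assumes it runs on the CA as a CA administrator; the optional `-CAConfig` parameter (hypothetical name for the `certutil -config "Host\CA Name"` argument) lets it target a remote CA. Because `EditFlags` applies to every template the CA issues rather than to one template, this check is worth re-running whenever the CA is rebuilt or its policy module settings are changed.

```powershell
# Added example: verify the EDITF_ATTRIBUTESUBJECTALTNAME2 policy flag on a CA.
# Assumes certutil.exe is on the PATH and the session is a CA administrator.

function Test-CaSanEditFlag {
    param([string]$CAConfig)   # optional "Host\CA Name"; omitted = local CA (assumed parameter name)

    $cuArgs = @()
    if ($CAConfig) { $cuArgs += '-config', $CAConfig }
    $cuArgs += '-getreg', 'policy\EditFlags'

    # certutil prints the decoded flags one per line, for example:
    #   EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    $out = & certutil.exe @cuArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed: $($out -join "`n")" }

    return [bool]($out | Where-Object { $_ -match 'EDITF_ATTRIBUTESUBJECTALTNAME2' })
}

# Apply the documented change only when it is not already present, then restart certsvc
# (the same effect as the documented "net stop certsvc" / "net start certsvc" pair).
if (-not (Test-CaSanEditFlag)) {
    & certutil.exe -setreg 'policy\EditFlags' '+EDITF_ATTRIBUTESUBJECTALTNAME2' | Out-Null
    Restart-Service -Name CertSvc
}

# Final state check; reports True once the flag is in place.
Test-CaSanEditFlag
```

The check is string-based on purpose: `certutil` already decodes the bitmask into flag names, so matching on the name avoids hard-coding the numeric value and keeps the script readable in an audit log.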

Add a Certificate Template on the CA

The CA (certsrv) window displays.

  1. In the left pane, select (+) to expand the CA directory.
  2. Right-click the Certificate Template folder and select Manage. The Certificate Templates Console window displays.

  3. Select the desired template (e.g., User) under Template Display Name, right-click it, and select Duplicate Template. The Duplicate Template dialog box displays.

    AirWatch will use the duplicated certificate template. The template you choose depends on the function being configured in AirWatch. For Wi-Fi, VPN, or Exchange ActiveSync (EAS) client authentication, select the User template.

  4. Select the Windows Server version that corresponds to the oldest enterprise version in use within the domain, so that the certificates issued from the template remain backward compatible.

  5. Click OK. The Properties of New Template dialog box displays.

Configure Certificate Template Properties

  1. Click the General tab.
  2. Type the name of the template displayed to users in the Template display name field. The Template name field auto-fills with the template display name without spaces.

    You may use this default value or enter a new template name if desired. The template name may not contain spaces. Make note of the template name, because you will need to enter it in AirWatch.

    You will enter this Template name (with no spaces) in the Issuing Template field of the Configuring the Certificate Template screen in the AirWatch Console.

  3. Select the desired length of time for the certificate to be active from the Validity period entry field/drop-down menu.

    Choose a validity period shorter than the one you chose for the CA in Step 1: Install the Microsoft CA Role. This ensures that issued certificates expire before the CA's own certificate does.

  4. Click Apply.

  5. Click the Request Handling tab.

  6. Select the appropriate client authentication method from the Purpose: drop-down menu. This selection depends on how the issued certificate will be used; for general-purpose client authentication, select Signature and Encryption.

  7. Select the Allow private key to be exported checkbox.

    For a certificate to be installed on an iOS device, this checkbox MUST be selected.

  8. Click Apply.

  9. Select the Subject Name tab.

  10. Select Supply in the request. If Supply in the request is not selected, the certificate will be issued to the service account instead of the intended end user.

Enable the Template for Certificate Authentication

  1. Click the Extensions tab.
  2. Select Application Policies from the Extensions included in this template: field. This allows you to add client authentication.

  3. Click Edit. The Edit Application Policies Extension dialog box displays.

  4. Click Add. The Add Application Policy dialog box displays.

  5. Select Client Authentication from the Application policies: field.

  6. Click OK. The Properties of New Template dialog box displays.

Provide the AD Service Account Permissions to Request a Certificate

  1. Click the Security tab.

  2. Click Add. The Select Users, Computers, Service Accounts or Groups dialog box displays. This allows you to add the service account configured in Active Directory to request a certificate.

  3. Enter the name of the service account (e.g., Ima Service) in the Enter the object names to select field.

  4. Click OK. The Properties of New Template dialog box displays.

  5. Select the service account you added in the previous step (e.g., Ima Service) from the Group or user names: field.

  6. Select the Enroll checkbox under Permissions for the selected service account (e.g., Permissions for CertTemplate ServiceAccount).

  7. Click OK.

Enable the Certificate Template on the CA

  1. Navigate to the Certification Authority Console.
  2. Click (+) to expand the CA directory.
  3. Click Certificate Templates folder.
  4. Right-click and select New > Certificate Template to Issue. The Enable Certificate Templates dialog box displays.

  5. Select the name of the certificate template (e.g., Mobile User) that you previously created in Creating a Name for the Certificate Template.

  6. Click OK.
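The template steps from Configure Certificate Template Properties through Provide the AD Service Account Permissions to Request a Certificate, plus the publishing step just above, all end up as attributes on one object in Active Directory and one entry in the CA's published-template list. The following PowerShell is an added example, not part of the AirWatch or Microsoft documentation: it reads the template object from the Configuration partition and reports whether each documented setting is present (Supply in the request, exportable private key, Client Authentication application policy, validity period, which principals hold Enroll) and whether the CA publishes it. It assumes the ActiveDirectory RSAT module is installed, the session can read the Configuration partition, and certutil.exe is on the PATH. The function names `Get-TemplateAudit` and `Test-TemplatePublished` are this example's own; the flag bits, OID, and extended-right GUID are Microsoft-documented constants; `MobileUser` is the no-spaces form of the page's "Mobile User" example.

```powershell
# Added example: audit a certificate template against the settings configured above.
# Assumes: ActiveDirectory module (RSAT), read access to the Configuration partition,
# certutil.exe on the PATH. Function names are this example's own.
Import-Module ActiveDirectory

# Microsoft-documented constants.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1      # msPKI-Certificate-Name-Flag: "Supply in the request"
$CTPRIVATEKEY_FLAG_EXPORTABLE_KEY  = 0x10     # msPKI-Private-Key-Flag: "Allow private key to be exported"
$OID_CLIENT_AUTHENTICATION         = '1.3.6.1.5.5.7.3.2'
$GUID_CERTIFICATE_ENROLLMENT       = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" right

function Test-TemplatePublished {
    # True when "certutil -CATemplates" lists the template (Enable the Certificate Template on the CA).
    param([Parameter(Mandatory)][string]$TemplateName, [string]$CAConfig)
    $cuArgs = @()
    if ($CAConfig) { $cuArgs += '-config', $CAConfig }
    $cuArgs += '-CATemplates'
    $out = & certutil.exe @cuArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed: $($out -join "`n")" }
    # Each published template prints as "TemplateName: Display Name -- ...".
    return [bool]($out | Where-Object { $_ -match "^$([regex]::Escape($TemplateName)):" })
}

function Get-TemplateAudit {
    param([Parameter(Mandatory)][string]$TemplateName, [string]$CAConfig)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $props = 'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag',
             'pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy', 'pKIExpirationPeriod'
    $t = Get-ADObject -Identity $dn -Properties $props

    # pKIExpirationPeriod is a negative 64-bit count of 100 ns ticks.
    $validity = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($t.pKIExpirationPeriod, 0))

    # Principals granted the Certificate-Enrollment extended right (or all rights) on the template.
    $acl = Get-Acl -Path "AD:\$dn"
    $enrollers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -or
             $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) -and
            ($_.ObjectType -eq $GUID_CERTIFICATE_ENROLLMENT -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template                 = $TemplateName
        SubjectSuppliedInRequest = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        PrivateKeyExportable     = [bool]($t.'msPKI-Private-Key-Flag' -band $CTPRIVATEKEY_FLAG_EXPORTABLE_KEY)
        ClientAuthentication     = ($t.pKIExtendedKeyUsage -contains $OID_CLIENT_AUTHENTICATION) -or
                                   ($t.'msPKI-Certificate-Application-Policy' -contains $OID_CLIENT_AUTHENTICATION)
        ValidityDays             = [int]$validity.TotalDays
        EnrollPrincipals         = $enrollers
        PublishedOnCA            = Test-TemplatePublished -TemplateName $TemplateName -CAConfig $CAConfig
    }
}

# Usage: audit the example template by its no-spaces Template name.
Get-TemplateAudit -TemplateName 'MobileUser' | Format-List
```

Reading the template from Active Directory rather than from the console shows the settings as every CA in the forest sees them, and the `EnrollPrincipals` list is the quickest way to confirm that only the intended service account (e.g., Ima Service) received Enroll in the Security tab.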