You can confirm that the certificate is operational by pushing a profile to the device and testing whether or not the device is able to connect and sync to the configured Exchange ActiveSync endpoint. If the device does not connect and shows a message indicating the certificate cannot be authenticated or the account cannot connect to Exchange ActiveSync, then there is a problem in the configuration.

Ensure a certificate is being issued by the certificate authority to the device by checking the following information:

  1. Launch the certification authority application on the certificate authority server and browse to the issued certificates section.
  2. Locate the last certificate issued and verify it shows a subject matching the subject created when the certificate was generated in the AirWatch Console.

    If there is no certificate, then there is an issue with the certificate authority, the client access server (e.g., ADCS), or the AirWatch connection to the client access server.

  3. Ensure the permissions of the client access server (e.g., ADCS) Admin Account are applied correctly to the certificate authority and the certificate template.

  4. Ensure the account information is entered correctly in the AirWatch configuration.


If the certificate is being issued, ensure that it is in the profile and on the device:

  1. Navigate to Devices > Profiles > List View.
  2. Click to the right of the applicable Exchange ActiveSync profile to launch the Actions menu and select View XML.


  3. On the device, access the list of installed profiles.

  4. View details for the applicable profile and ensure the certificate is present.

  5. Confirm that the certificate contains the Subject Alternative Name (SAN) section and that this section includes an Email and a Principal name with the appropriate data. If this section is not in the certificate, then either the template is incorrect or the certificate authority has not been configured to accept SAN. Refer to the section on configuring the certificate authority.

  6. Confirm the certificate contains Client Authentication in the Enhanced Key Usage section. If it is not present, then the template is not configured correctly.
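
The checks in steps 5 and 6 can also be run against a copy of the issued certificate exported from the certificate authority. The following is an added example, not part of the AirWatch documentation: the function name `Test-EasClientCertificate` and the file path are hypothetical, and the SAN text matching assumes a Windows host with an English display language.

```powershell
# Added example. Assumes Windows with an English display language, because the
# text produced by Format() for the SAN extension is localized.
function Test-EasClientCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Subject Alternative Name extension (OID 2.5.29.17), rendered as text.
    $sanExt  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }

    # Enhanced Key Usage extension; collect the OIDs it lists.
    $ekuExt  = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    $hasEmail      = $sanText -match 'RFC822 Name='       # SAN "Email" entry
    $hasUpn        = $sanText -match 'Principal Name='    # SAN "Principal name" entry
    $hasClientAuth = $ekuOids -contains '1.3.6.1.5.5.7.3.2'  # Client Authentication

    # Map each failed check to the cause named in the steps above.
    $findings = @()
    if (-not $sanExt) {
        $findings += 'No SAN section: template incorrect or CA not configured to accept SAN.'
    } elseif (-not ($hasEmail -and $hasUpn)) {
        $findings += 'SAN present but Email and/or Principal name is missing.'
    }
    if (-not $hasClientAuth) {
        $findings += 'Client Authentication missing from EKU: template not configured correctly.'
    }

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        SanEmail         = $hasEmail
        SanPrincipalName = $hasUpn
        ClientAuthEku    = $hasClientAuth
        Findings         = $findings
    }
}

# Hypothetical path to a certificate exported from the CA's issued certificates list.
$path = 'C:\Temp\issued-eas-cert.cer'
if (Test-Path $path) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
    Test-EasClientCertificate -Certificate $cert | Format-List
}
```

An empty `Findings` list means the certificate passes both checks; compare `Subject` with the subject created in the AirWatch Console as well.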

If the certificate is on the device and contains the correct information, then the problem is most likely with the security settings on the Exchange ActiveSync server. Confirm the address of the Exchange ActiveSync server is entered correctly in the AirWatch profile and that all security settings have been adjusted to allow certificate authentication on the Exchange ActiveSync server.

A reliable test is to manually configure a single device to connect to the Exchange ActiveSync server using certificate authentication. This should work outside of AirWatch; until it works properly, AirWatch will not be able to configure a device to connect to Exchange ActiveSync with a certificate.