You add the certificate template that associates the certificate authority used to generate the user's certificate.


Configure the Certificate Authority in AirWatch.


  1. In the AirWatch admin console, navigate to System > Enterprise Integration > Certificate Authorities.
  2. Select the Request Template tab and click Add.
  3. Configure the following in the certificate template page.




    Enter the name for the new request template in AirWatch.

    Certificate Authority

    In the drop-down menu, select the certificate authority that was created.

    Issuing Template

    Enter the Microsoft CA certificate template name exactly as you created in AD CS. For example, iOSKerberos.

    Subject Name

    After CN=, enter {EnrollmentUser}, where the {} text box is the AirWatch lookup value. The text entered here is the Subject of the certificate, which can be used to determine who received the certificate.

    Private Key Length

    This private key length matches the setting on the certificate template that is being used by AD CS. It is usually 2048.

    Private Key Type

    Select the check box for Signing and Encryption.

    San Type

    For the Subject Alternate Name, select User Principal Name. The value must be {EnrollmentUser}. If device compliance check is configured with Kerberos authentication, you must set a second SAN type to include the UDID. Select the San type DNS. The value must be UDID={DeviceUid}.

    Automatic Certificate Renewal

    Select the check box to have certificates using this template automatically renewed before their expiration date.

    Auto Renewal Period (days)

    Specify the auto renewal in days.

    Enable Certificate Revocation

    Select the check box to have certificates automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.

    Publish Private Key

    Select this check box to publish the private key.

    Private Key Destination

    Either Directory Service or Custom Web Service

  4. Slick Save.

What to do next

In the Identity Provider admin console, configure the built-in identity provider with the Mobile SSO for iOS authentication method.