A trusted SSL certificate is required for Workspace ONE Access connector servers that have the Kerberos Auth service installed. For the Kerberos Auth service, the connection is inbound and end users establish SSL connections to the connector.

Requirements for the trusted SSL certificate for the Kerberos Auth service include:

  • The certificate must be in either PEM or PFX format.
  • If the certificate is a PEM file, you must also upload the private key.
  • The certificate key length must be from 1024-3072 bits.
  • Make sure that the certificate file contains the entire certificate chain in the correct order.
  • The certificate must be signed by a public or internal CA.
  • If you deploy multiple instances of the Kerberos Auth service to set up high availability for Kerberos authentication, a load balancer is required in front of the instances. In this case, the load balancer as well as all the connector instances must have trusted SSL certificates signed by a public or internal CA. For the load balancer certificate, use the Workspace IdP Hostname, which is set in the Workspace IdP configuration page, as the Subject DN Common Name. For each connector instance certificate, use the connector host name as the Subject DN Common Name. Alternatively, you can create a single certificate, using the Workspace Idp host name as the Subject DN Common Name, and all the connector host names as well as the Workspace Idp host name as Subject Alternative Names (SANs).
Note: If you did not upload a trusted SSL certificate during installation, a self-signed certificate was auto-generated. If you want to use this Workspace ONE Access generated self-signed certificate, you will need to add the root certificate generated by Workspace ONE Access to clients' truststores. You can get the root certificate, root_ca.per, from INSTALLDIR\Workspace ONE Access\Kerberos Auth Service\conf.

While you can use the self-signed certificate for testing purposes, for production usage we recommend you use trusted SSL certificates signed by a public or internal CA.

Prerequisites

Obtain a trusted SSL certificate signed by a public or internal Certificate Authority (CA).

Procedure

  1. Log in to the Workspace ONE Access connector server that has the Kerberos Auth service installed.
  2. Go to the folder containing the connector installer and double-click the Workspace ONE Access Connector Installer.exe file.
  3. On the Welcome page, click Next.
  4. On the Program Maintenance page, select the Add/Remove Services option, then click Next.
  5. Click Next until the Install the SSL Certificate for Kerberos Auth Service page appears.
  6. Select the Would you like to use your own SSL certificate? check box.
  7. Click Browse and select the certificate file.
    The certificate file must be in PEM or PFX format. If you upload a PEM file, also upload the private key. If you upload a PFX file, also specify the certificate password.