Installing an SSL Certificate for the Workspace ONE Access Service (On-Premises Only)

When the Workspace ONE Access service is installed, a default SSL server certificate is generated. You can use this self-signed certificate for testing purposes. However, best practice is to use SSL certificates signed by a public Certificate Authority (CA) for your production environment.

Note: If a load balancer in front of Workspace ONE Access terminates SSL, the SSL certificate is applied to the load balancer.

Prerequisites

Generate a Certificate Signing Request (CSR) and obtain a valid, signed SSL certificate from a CA. The certificate can be either a PEM or PFX file. PEM certificates ae encoded with the private key using the PKCS #1 standard.
If a PEM file is imported, make sure that the file includes the entire certificate chain in the correct order. Make sure to include these tags -----BEGIN CERTIFICATE----- and -----END CERTIFICATE---- for each certificate. The order is the primary certificate first and then your intermediate certificate, then the ROOT certificate.
For the Common Name part of the Subject DN, use the fully qualified domain name that users use to access the Workspace ONE Access service. If the Workspace ONE Access appliance is behind a load balancer, this name is the load balancer server name.
If SSL is not terminated on the load balancer, the SSL certificate used by the service must include Subject Alternative Names (SANs) for each of the fully qualified domain names in the Workspace ONE Access cluster. Including the SAN enables the nodes within the cluster to make requests to each other. Also include a SAN for the FQDN host name that users use to access the Workspace ONE Access service, in addition to using it for the Common Name, because some browsers require it.
If your deployment includes a secondary data center, ensure that the Workspace ONE Access certificate includes the FQDN of the load balancer from the primary data center as well as the FQDN of the load balancer from the secondary data center. Otherwise, the certificate must be a wildcard certificate.

Procedure

Log in to the Workspace ONE Access console.
Select Dashboard > System Diagnostics Dashboard.
Click VA Configuration of the service node you want to configure and log in with the admin user password.
Select Install SSL Certificates > Server Certificate.
In the SSL Certificate tab, select Custom Certificate.
To import the certificate file, click Choose File and navigate to the certificate file to import.
If a PEM file is imported, make sure that the file includes the entire certificate chain in the correct order. Make sure to include these tags -----BEGIN CERTIFICATE----- and -----END CERTIFICATE---- for each certificate. The order is the primary certificate first and then your intermediate certificate.
If a PEM file is imported, import the private key. Click Choose File and navigate to the Private Key file . Everything between ----BEGIN RSA PRIVATE KEY and ---END RSA PRIVATE KEY must be included.
If a PFX file is imported, enter the PFX password.
Click Save.

Example: PEM Certificate Example

Certificate Chain Example
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate:your domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: <CA>.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

Private Key Example
-----BEGIN RSA PRIVATE KEY-----
(Your PrivateKey: your_domain_name.key)
-----END RSA PRIVATE KEY-----