To use an external certificate for SAML signing, you must generate a Certificate Signing Request (CSR) from the Workspace ONE Access console. The CSR is sent to a certificate authority to generate the SSL certificate.

Note: A certificate generated without the CSR from the Workspace ONE Access console is not supported.


  1. In the Catalog tab, select Web Apps Settings > SAML Metadata.
  2. Click Generate CSR
  3. Enter the requested information. Options with an asterisk (*) are required.
    Option Description
    Common Name* Enter the fully qualified domain name. For example,
    Organization* Enter the legally registered name of the organization. For example, Mycompany, Inc.
    Department Enter the department in your company that is added in the certificate. For example, IT Services.
    City* Enter the city where your organization is legally located.
    State/Province* Enter the state or region where your organization is located. Do not abbreviate.
    Country* Enter a few letters of your country name to select the correct country from the list.
    Key Generation Algorithm* Select the secure hash algorithm used to sign the CSR.
    Key Size* Select the number of bits used in the key. RSA 2048 is recommended. RSA key size smaller than 2048 is considered insecure.
  4. Click Generate.
    Give the CSR to the certificate authority to create the certificate.

What to do next

When you receive the certificate, upload the certificate to the Workspace ONE Access service. The CA replaces the self-signed certificate.