To use an external certificate for SAML signing, you must generate a Certificate Signing Request (CSR) from the Workspace ONE Access console. The CSR is sent to a certificate authority to generate the SAML signing certificate.

Note: To use an external signing certificate in the Workspace ONE Access service, you must generate the CSR that you send to the certificate authority from the Workspace ONE Access console.

Generate the Certificate Signing Request


  1. In the Workspace ONE Access console Resources > Web Apps page, select Settings > SAML Metadata.
  2. Open the Generate CSR tab.
  3. Enter the requested information.
    | Option | Description |
    |---|---|
    | Common Name | Enter the fully qualified domain name. For example, |
    | Organization | Enter the legally registered name of the organization. For example, Mycompany, Inc. |
    | Department | Enter the department in your company that is added in the certificate. For example, IT Services. |
    | City | Enter the city where your organization is legally located. |
    | State/Province | Enter the state or region where your organization is located. Do not abbreviate. |
    | Country | Enter a few letters of your country name to select the correct country from the list. |
    | Key Generation Algorithm | Select the secure hash algorithm used to sign the CSR. |
    | Key Size | Select the number of bits used in the key. RSA 2048 is recommended. RSA key size smaller than 2048 is considered insecure. |
  4. Click Generate.

Copy the CSR and give it to the certificate authority who will create the certificate.

Upload a Certificate Authority Signing Certificate

When you receive the certificate from the certificate authority, upload it to the Workspace ONE Access service. The CA-signed certificate replaces the self-signed certificate.
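
Before uploading, it is worth confirming that the certificate the CA returned was issued for the CSR generated in the console and that the key meets the 2048-bit recommendation. The script below is an added example, not VMware tooling or code from this page; it assumes the `openssl` CLI, PEM-encoded files and an RSA key, and the function names and sample subject are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload checks on a SAML signing CSR and the CA-issued certificate.
# Assumes PEM files and an RSA key (the key type the page recommends).

# Print the RSA key size in bits; fail if the CSR's self-signature does not verify.
csr_key_bits() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if the certificate carries the same public key as the CSR.
same_public_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# $1 = CSR copied from the console, $2 = certificate received from the CA.
check_signing_cert() {
    bits=$(csr_key_bits "$1") || { echo "FAIL: CSR self-signature invalid"; return 1; }
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: RSA key is ${bits:-?} bits (< 2048)"; return 1; }
    same_public_key "$1" "$2" || { echo "FAIL: certificate key differs from CSR key"; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 1; }
    echo "OK: $bits-bit key, certificate matches CSR"
}

# Constructed sample input: a throwaway key, CSR and self-signed certificate
# standing in for the console's CSR and the CA's reply.
make_sample() {  # $1 = output prefix, $2 = key bits
    openssl genrsa -out "$1.key" "$2" 2>/dev/null &&
    openssl req -new -key "$1.key" -subj "/CN=saml.example.test/O=Example" -out "$1.csr" &&
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -out "$1.crt" 2>/dev/null
}

# Usage: sh check.sh console.csr ca-issued.crt
if [ "$#" -eq 2 ]; then check_signing_cert "$1" "$2"; fi
```

A mismatch between the CSR key and the certificate key usually means the CA signed a different request, for example one generated outside the console.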

  1. In the Workspace ONE Access console Resources > Web Apps page, select Settings > SAML Metadata.
  2. Open the Generate CSR tab.
  3. Click Upload Certificate and navigate to the certificate.
  4. Click Open.

    The SAML signing certificate and the SAML metadata files in Workspace ONE Access console are updated with the new certificate.

  5. Go to the Integrations > Connectors page and click Restart for each connector.

    The metadata is updated in the connector.

Next, reconfigure all SAML service provider and identity provider configurations with the updated SAML metadata file. If this is not done, SAML transactions fail and single sign-on does not work. See Download the SAML Signing Certificate from Workspace ONE Access to Configure with Relying Applications.