Configure VMware Tunnel to rotate public SSL certificates to maintain the end-user service experience. VMware Tunnel only supports rotating public SSL certificates.

Note: For immediate certificate rotation, your front-end and back-end servers must be able to communicate with AWCM. Otherwise, the rotation might take up to four hours.


  1. Navigate to Groups & Settings > Configurations > Tunnel.
  2. Select Edit to change the configuration settings.
  3. In the Server Authentication section, you can configure a Third Party SSL Certificate that secures client-server communication from enabled applications on a device to the VMware Tunnel. By default, this setup uses an AirWatch certificate for secure server-client communication.
    1. Select the Third Party option if you prefer to use a third-party SSL certificate for encryption between Workspace ONE Web or SDK-enabled apps and the VMware Tunnel server.
    2. Select Add Certificate to upload a .PFX or .P12 certificate file and enter the password. This file must contain both the public and the private key of your key pair. CER and CRT files are not supported.
  4. Select Save to add the certificate to the database.
  5. In the UEM console, publish a new version of your VPN profiles configured for VMware Tunnel to devices.

What to do next

After all the end-user devices have the new profile version, select Activate Certificate to use the new certificate. If you have uploaded an incorrect certificate and wish to remove the certificate from the database, select Remove.
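
Step 3 requires a .PFX or .P12 file that holds both the public and the private key, and an incorrect upload has to be removed afterwards. The following added example (not VMware tooling and not part of the original page) checks a bundle with OpenSSL before upload; `check_pfx`, `make_samples`, the `PFX_PASS` variable, the exit codes and the sample file names are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example, not VMware tooling: check a .PFX/.P12 bundle before upload.
# check_pfx, make_samples and PFX_PASS are hypothetical names. The password is
# read from the PFX_PASS environment variable, never from the command line.
# Exit codes: 0 usable | 2 not PKCS#12 (e.g. CER/CRT), wrong or missing password
#   3 no leaf certificate | 4 no private key | 5 key/cert mismatch | 6 expired
check_pfx() {
  local f=$1 key cert pub
  # The extracted key stays in a shell variable and is never written to disk.
  key=$(openssl pkcs12 -in "$f" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null) || return 2
  case $key in *"PRIVATE KEY"*) ;; *) return 4 ;; esac
  # -clcerts selects the leaf certificate, the one bound to the key (localKeyID).
  cert=$(openssl pkcs12 -in "$f" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null) || return 2
  case $cert in *"BEGIN CERTIFICATE"*) ;; *) return 3 ;; esac
  # The public key derived from the private key must equal the certificate's.
  pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null) || return 5
  [ -n "$pub" ] || return 5
  [ "$pub" = "$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)" ] || return 5
  # Reject a certificate that has already expired.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || return 6
  return 0
}

# Writes constructed samples into directory $1 using a throwaway self-signed
# key: good.pfx (key + cert), certonly.p12 (no key) and cert.crt (PEM only).
make_samples() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=tunnel.example.test" \
    -keyout "$d/key.pem" -out "$d/cert.crt" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.crt" \
    -out "$d/good.pfx" -passout env:PFX_PASS &&
  openssl pkcs12 -export -nokeys -in "$d/cert.crt" \
    -out "$d/certonly.p12" -passout env:PFX_PASS
}

# Usage: PFX_PASS='...' ./check_pfx.sh bundle.pfx
if [ "$#" -gt 0 ]; then
  check_pfx "$1"; rc=$?
  echo "check_pfx: exit code $rc"
  exit "$rc"
fi
```

A bundle whose leaf certificate carries no localKeyID attribute is reported as code 3 by this check and needs manual inspection.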