VMware Tunnel supports rotating your public SSL certificates with zero downtime for end users. Rotating your public SSL certificate and the profile grace period ensures that your end users do not experience a service interruption.

To rotate your public SSL certificates, you must upload a new certificate to the Workspace ONE UEM console. Adding a new certificate enables you to prepare new VPN profiles configured for VMware Tunnel before rotating the certificate on the server.

To prepare the end-user devices for rotation, you must add a new version of the VPN profiles configured for VMware Tunnel. The new profile version contains the new public SSL certificate. Before rotating the server certificate, you must push the new profile version to devices.

When the certificate is close to expiring or is compromised, the UEM console notifies the user, and you can activate the new public SSL certificate to trigger the rotation and maintain the service. After you activate the certificate, the VMware Tunnel server requires clients to have the new certificate to authenticate.

Rotate the Public SSL Certificate

Configure VMware Tunnel to rotate public SSL certificates to maintain the end-user service experience. VMware Tunnel only supports rotating public SSL certificates. For immediate certificate rotation, your front-end and back-end servers must be able to communicate with AWCM. Otherwise the rotation might take up to four hours.
Note: The certificate is pushed to the Unified Access Gateway front end only after you save the API settings on the front-end UEM console.
  1. Navigate to Groups & Settings > Configurations > Tunnel.
  2. Select Edit to change the configuration settings.
  3. In the Server Authentication section, you can configure a third-party SSL certificate that secures client-server communication from an enabled application on a device to the VMware Tunnel. By default, this setup uses an AirWatch certificate for secure server-client communication.
    1. Select the Third Party option if you prefer to use a third-party SSL certificate for encryption between Workspace ONE Web or SDK-enabled apps and the VMware Tunnel server.
    2. Select Add Certificate to upload a .PFX or .P12 certificate file and enter its password. The file must contain both your public and private key pair; .CER and .CRT files are not supported.
  4. Select Save to add the certificate to the database.
  5. In the UEM console, publish a new version of your VPN profiles configured for VMware Tunnel to devices.
  6. After all the end-user devices have the new profile version, select Activate Certificate to use the new certificate. As a best practice, VMware recommends deleting any unused or expired certificates from the VMware Tunnel configuration: click Delete on the relevant certificate record.

Rotate the AirWatch Tunnel Server Authentication Certificate

At times, the AirWatch server certificate will expire. When this happens, you need to rotate it.
  1. In the console, under Tunnel Configuration, click Edit.
  2. Navigate to the Server Authentication section.
  3. Click Regenerate. A dialog box opens.
  4. After reviewing the message, click OK.

Regenerating the Tunnel certificate will remove the existing trust Tunnel uses for authentication. You will need to deploy updated profiles after this action.