In order for Workspace ONE UEM to retrieve a certificate from a certificate authority, you must correctly configure the Workspace ONE UEM console to use the certificate. There are two steps to this process.

  • Configure the certificate authority.
  • Configure the certificate template.


  1. Open the Workspace ONE UEM console.
  2. Log in as a user with Workspace ONE UEM Administrator privileges or higher.
  3. Navigate to Devices > Certificates > Certificate Authorities.

  4. Click Add.

  5. Select Generic SCEP from the Authority Type drop-down menu before completing any other configuration settings for the certificate authority.

  6. Enter the following details about the CA in the remaining fields:

    • Enter the actual certificate authority Name in the Certificate Authority field. This is the name of the CA to which the NDES/SCEP/MSCEP endpoint is connected. This can be found by launching the Certification Authority application on the CA server.

    • Enter a brief Description for the new CA.

    • Enter the URL of the CA server in the SCEP URL field.

    • Select the Challenge Type radio button that reflects whether or not a challenge phrase is required for authentication. For additional authentication, choose Static or No Challenge.

      • If you select Static, enter an authentication phrase consisting of a key or password used to authenticate the device with the certificate enrollment URL.
  7. Click Test Connection. If you select Save prior to Test Connection, a “Test is unsuccessful” error displays.

  8. Click Save.

  9. Select the Request Templates tab.

  10. Click Add to add a new certificate template.

  11. Complete the certificate template information:

    • Enter a name for the new Request Template.

    • Enter a brief Description for the new certificate template.

    • Select the certificate authority that was just created from the Certificate Authority drop-down menu.

    • Enter the Subject Name or Distinguished Name (DN) for the template. The text entered in this field is the “Subject” of the certificate, which can be used by the network administrator to determine who or what device received the certificate.

      A typical entry in this field is “CN=WorkspaceONEUEM.{EnrollmentUser}” or “CN={DeviceUid}” where the {} fields are Workspace ONE UEM lookup values.

    • Select the private key length from the Private Key Length drop-down box.

      This is typically 2048 and should match the setting on the certificate template that is being used by NDES/SCEP/MSCEP.

    • Select the Private Key Type using the applicable checkbox.

      This should match the setting on the certificate template that is being used by NDES/SCEP/MSCEP.

    • Click Add to the right of SAN Type to include one or more Subject Alternate Names with the template. This is used for additional unique certificate identification. In most cases, this needs to match the certificate template on the server. Use the drop-down menu to select the SAN Type and enter the subject alternate name in the corresponding data entry field. Each field supports lookup values.

    • Select the Automatic Certificate Renewal checkbox to have certificates using this template automatically renewed prior to their expiration date. If enabled, specify the Auto Renewal Period in days.

    • Select the Enable Certificate Revocation checkbox to have certificates automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.

    • Select the Publish Private Key checkbox to publish the private key to the specified web service endpoint (Directory Services or custom web service).

  12. Click Save.
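
An added example, not part of the original documentation and not VMware code: before clicking Test Connection in step 7, an administrator can check what the endpoint entered in the SCEP URL field advertises through the standard SCEP GetCACaps operation (RFC 8894). The host name, the `/certsrv/mscep/mscep.dll` path and the sample response are constructed placeholders, and the function names are hypothetical.

```python
"""Pre-flight review of a SCEP URL's GetCACaps response (added example)."""
from urllib.parse import urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

# Capability keywords defined for the GetCACaps response in RFC 8894.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation",
              "Renewal", "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

def operation_url(scep_url, operation):
    """Return scep_url with ?operation=<operation>, replacing any existing query."""
    parts = urlsplit(scep_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) URL: {scep_url!r}")
    query = urlencode({"operation": operation})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))

def parse_cacaps(body):
    """Split a GetCACaps body (one keyword per line) into known and unknown sets."""
    lines = {ln.strip() for ln in body.splitlines() if ln.strip()}
    lookup = {c.lower(): c for c in KNOWN_CAPS}
    known = {lookup[ln.lower()] for ln in lines if ln.lower() in lookup}
    unknown = {ln for ln in lines if ln.lower() not in lookup}
    return known, unknown

def review(body):
    """Return findings to look at before saving the certificate authority."""
    known, unknown = parse_cacaps(body)
    findings = []
    # SCEPStandard implies AES, POSTPKIOperation and SHA-256.
    if not known & {"SHA-256", "SHA-512", "SCEPStandard"}:
        findings.append("no SHA-2 digest advertised")
    if not known & {"AES", "SCEPStandard"}:
        findings.append("no AES encryption advertised")
    if not known & {"POSTPKIOperation", "SCEPStandard"}:
        findings.append("HTTP POST enrollment not advertised")
    if unknown:  # often an HTML error page, i.e. the wrong URL
        findings.append("unrecognized lines: " + ", ".join(sorted(unknown)))
    return findings

def fetch_cacaps(scep_url, timeout=10):
    """Query the live endpoint; needs network access to the SCEP server."""
    with urlopen(operation_url(scep_url, "GetCACaps"), timeout=timeout) as resp:
        return resp.read().decode("ascii", errors="replace")

if __name__ == "__main__":
    # Constructed sample response and placeholder host, so this runs offline.
    sample = "POSTPKIOperation\r\nRenewal\r\nSHA-1\r\nDES3\r\n"
    print(operation_url("http://ndes.example.test/certsrv/mscep/mscep.dll", "GetCACaps"))
    for finding in review(sample):
        print("review:", finding)
```

To check a real server, pass the value from the SCEP URL field to `fetch_cacaps()` and feed the result to `review()`.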