In order for Workspace ONE UEM to retrieve a certificate from a CA, you must correctly configure the Workspace ONE UEM console to use the certificate by performing the following:

  • Configure the CA.
  • Configure the certificate template.

Configure the CA

  1. Log in to the Workspace ONE UEM console as a user with Workspace ONE UEM admin privileges, at minimum.
  2. Navigate to System > Enterprise Integration > Certificate Authorities.
  3. Click Add.

  4. Enter details about the CA:

    • Select ‘Microsoft ADCS’ from the Authority Type drop-down menu. Configure this setting first, because dependent settings appear.

    • Enter the Name and Description of the new certificate authority.

    • Select the Protocol: ADCS or SCEP.

    • Select the Version: NDES 2008/2012 or SCEP 2003.

    • Enter the URL of the CA server in the SCEP URL field.

    • Select the Challenge Type that reflects whether a challenge phrase is required for authentication.

      If you want basic authentication, select Static and enter an authentication phrase consisting of a singular key or password that is used to authenticate the device with the certificate enrollment URL.

      To enable a new challenge to be generated for every SCEP enrollment request, select Dynamic.

    • Enter the Challenge Username/Challenge Password. This user-name and password combination is used to authenticate the device making the request.

      For additional security, upload a certificate under Challenge Client Certificate for Workspace ONE UEM to present when fetching the dynamic challenge from the SCEP endpoint.

    • Complete the SCEP Challenge URL field.

    • Advanced Options

      • Enter the SCEP Challenge Length, which represents the number of characters in the challenge password.

      • Enter the Retry Timeout, which is the time the system waits between retries.

      • Enter the Max Retries When Pending, which is the maximum number of retries the system allows while the authority is pending.

      • With Enable Proxy checked, Workspace ONE UEM acts as a proxy between the device and the SCEP endpoint defined in the CA configuration.

    • Click Test Connection. If you select Save before Test Connection, a “Test is unsuccessful” error displays.

  5. Click Save.

Configure the Certificate Template

  1. Click the Request Templates tab.
  2. Click Add.

  3. Enter the following details about the template in the remaining fields:

    • Enter the template Name and Description.

    • Select the certificate authority that was just created from the Certificate Authority drop-down box.

    • Enter the distinguished name in the Subject Name field. The text entered in this field becomes the Subject of the certificate, which lets the network administrator determine which devices receive the certificate.

      A typical entry in this field is “CN={EnrollmentUser}” or “CN={DeviceUid}” where the {} fields are Workspace ONE UEM lookup values.

      If you select Automatic Certificate Renewal for the certificate, add CN = {CertificateGUID} as part of the Certificate subject in the template.

    • Select the private key length from the Private Key Length drop-down menu.

      This value is typically 2048 and should match the setting on the certificate template that is being used by NDES/SCEP/MSCEP.

    • Select the applicable Private Key Type.

      This value can be Signing, Encryption, or both, and the value should match the certificate template being used by NDES/SCEP/MSCEP.

    • You may optionally select any of the following:

      • If Workspace ONE UEM automatically renews the certificate when it expires, select Automatic Certificate Renewal. Enter the number of days before expiration that Workspace ONE UEM automatically reissues a certificate to the device in the Auto Renewal Period (days) field .

      • Select Enable Certificate Revocation to have certificates automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.


        Note: If you use the Enable Certificate Revocation feature, navigate to Devices & Users > General > Advanced and set the number of hours in the Certificate Revocation Grace Period field. This period is the amount of time in hours after the discovery that a required certificate is missing from a device that the system waits before actually revoking the certificate. Given the vagaries of wireless technology and network bandwidth performance, this field prevents false negatives or times when a certificate is falsely identified as not existing on a device.

      • Select Publish Private Key if the certificate is published to Active Directory or any other customer web service. Then select the proper destination by selecting the appropriate Private Key Destination, either Directory Services or a Custom Web Service.

      • Click Add to the right of Eku Attributes to insert an object identifier (OID) that represents any additional extended key usages that may be required. You may add multiple Eku Attributes to fit your needs.

      • Select Force Key Generation On Device to generate a public and private key pair on the device itself. This setting improves CA performance and security.

  4. Click Save.