Now that you have generated a Symantec MPKI RA certificate, Workspace ONE UEM can be configured to communicate with Symantec.

Configure CA

  1. Navigate to Devices > Certificates > Certificate Authorities.
  2. Click Add.

  3. Select Symantec from the Authority Type drop-down menu.

  4. Enter a unique name and description that identifies the Symantec certificate authority in the Name and Description fields.

  5. Enter in the Server URL field if it is not populated by default. This allows Workspace ONE UEM to have sufficient access to request and issue certificates.:

    The URL is the same for all customers.

  6. Select either the PKI or SCEPradio button to specify the Certificate Authority Protocol. If you select SCEP, enter the URL for the SCEP End Point in the data entry field that appears. This allows your SCEP server to have sufficient access to request and issue certificates.

  7. In the RA Certificate field, select the Upload button and select the RA certificate (PFX file) that you completed in the step above, Instructions for Generating a New RA Certificate using OpenSSL, in order to communicate with Symantec.

  8. Enter the password Symantec provided previously in the Certificate Password field.

    The password you need in this step was created when you completed and exported the CSR process.

  9. Click Save.

  10. Click Test Connection when complete to verify the test is successful. An error message appears indicating the problem if the connection fails.

Configure Certificate Template

Now that you have completed Configuring CA, Workspace ONE UEM is able to communicate with Symantec. The next step is to define which certificate will be deployed to devices by setting up a certificate template in Workspace ONE UEM. Use the following steps whether you are setting up a template for PKI or SCEP.

  1. Navigate to Devices > Certificates > Certificate Authorities.
  2. Select the Request Templates tab.
  3. Click Add.

  4. Select the Symantec Certificate Authority you created in Configuring CA from the Certificate Authority drop-down menu.

  5. Enter the name for the Symantec Request Template.

  6. Enter a Description to help you identify the Symantec certificate template.

  7. Select the Symantec profile OID from the Profile Name drop-down menu.

  8. Select the Automatic Certificate Renewal checkbox if Workspace ONE UEM is going to automatically request the certificate to be renewed by Symantec when it expires. If you select this option, enter the number of days prior to expiration before Workspace ONE UEM automatically requests Symantec to reissue the certificate in the Auto Renewal Period (days) field. This requires the certificate profile on Symantec to have Duplicate Certificates enabled.

  9. Select the Enable Certificate Revocation checkbox if Workspace ONE UEM should automatically remove the certificate if the device is unenrolled, if the applicable profile is removed, or if the device is deleted from Workspace ONE UEM. When you delete a profile or a device the SCEP certificate is removed from the device but it is not automatically revoked from the CA.

  10. For Key Type, configuration occurs in the Symantec PKI Manager. This indicates whether the public-private key pair is generated by Workspace ONE UEM or by Symantec. Workspace ONE UEM loads this setting from Symantec based on the selected OID and uses this value to determine the type of certificate request to send. Absolutely no configuration in Workspace ONE UEM is needed by the customer.

  11. Enter Lookup Values in each of the Mandatory Fields that complement those fields in the Symantec profile. These fields can change depending on which Symantec profile you choose since the information within the Symantec profile may be different.

  12. Click Save.