First, use the Symantec PKI portal to generate a Registration Authority (RA) certificate. After Symantec creates the certificate, it is stored on the server, which can be any server you choose.

Generate a New RA Certificate using OpenSSL

  1. Generate a new RSA key pair.

    Command: openssl req -new -newkey rsa:2048 -nodes -out AirWatch.csr -keyout AirWatch.key -subj


  2. Log in to the Symantec PKI portal.
  3. Click on Tasks (gear icon). Click on Get a RA Certificate.


  4. Paste the CSR into the field, submit, and download a new certificate.


  5. Convert the .p7b format certificate into .pem.

    Command: openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

  6. Create a pkcs12 with the private key and pem.

    openssl pkcs12 -export -out certificate.pfx -inkey AirWatch.key -in certificate.pem