Customizing the SAN is required when you need to identify the certificate in a unique way. Such customization means the certificate template needs to be customized too.


Before customizing the SAN extension, you must have completed integrating your third-party certificate authority into Workspace ONE UEM, which may mean you have already saved a certificate template.

For step-by-step instructions on integrating your CA with Workspace ONE UEM, consult the online help system at and view the topic titled Supported Certificate Authorities.

Once you have completed the integration of the third-party certificate authority, take the following steps to add a new parameter in the SAN and the template.

  1. Log in to the Workspace ONE UEM console as an Administrator.
  2. Navigate to Devices > Certificates > Certificate Authorities.
  3. Select the Request Templates tab.
  4. If you have not yet saved a certificate template, select Add.

    If you have already saved a certificate template as part of the third-party CA integration with Workspace ONE UEM, then find your saved certificate template from the list and select the pencil icon to the right of its listing. The SAN Type setting is the one to which you are adding a new parameter.

  5. Complete the settings in the Certificate Template - Add / Edit screen.

    Name: Provide a simple one- or two-word name for the template.

    Description: Enter a brief description of the certificate template including any customization you may have applied.

    Certificate Authority: Select the CA to which the template applies.

    Issuing Template: Enter the CA certificate template name exactly as you created in ADCS. For example, iOSKerberos.

    Subject Name: Enter the Subject Name or Distinguished Name (DN) for the template.

      The text entered in this text box is the Subject of the certificate, which a network administrator can use to determine who or what device received the certificate.

      A typical entry in this text box is “CN=Workspace ONE UEM.{EnrollmentUser}” or “CN={DeviceUid}” where the {} entries are Workspace ONE UEM lookup values.

    Private Key Length: Select the private key length from the drop-down menu. This value is typically 2048 and must match the setting on the certificate template used by DCOM.

    Private Key Type: Select the Private Key Type using the applicable check box. This value must match the setting on the certificate template used by DCOM.

    SAN Type: Select +Add to the right of SAN Type to include one or more Subject Alternate Names with the template.

      This value is used for extra unique certificate identification. Usually, this value needs to match the certificate template on the server.

      Use the drop-down menu to select the SAN Type and enter the subject alternate name in the corresponding data entry text box. Each text box supports lookup values.

      To make the template work with VMware Identity Manager and Single Sign-On, you must make at least one addition. Select User Principal Name in the left drop-down list. Its lookup value must be {EnrollmentUser}.

      If device compliance check is configured with Kerberos authentication, you must also set the SAN type DNS Name. The value must be UDID={DeviceUid}.

      In summary, the custom SAN Type parameters are the following.

      • User Principal Name, {EnrollmentUser}
      • DNS Name, UDID={DeviceUid} (Kerberos device compliance)

    Automatic Certificate Renewal: Renew certificates using this template automatically before their expiration date.

      In order for the auto renewal feature to function correctly, the device profile to which you upload this saved template must have the Assignment Type setting, located in the General tab, set to 'Auto'.

    Auto Renewal Period (Days): This is the number of days prior to expiration that the certificate is eligible for renewal.

    Enable Certificate Revocation: Direct the certificates to be automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.

    Publish Private Key: Publish the private key to the specified Web service endpoint (directory services or custom Web service).
  6. Select Save.
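To confirm that a certificate issued from the saved template really carries the two custom SAN entries, the following added example (not VMware or Workspace ONE UEM code) decodes a subjectAltName extension value and reports which of the requirements above are missing. It assumes the extension value has already been extracted from the certificate as DER and that the User Principal Name is encoded as an otherName with the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3; the function names, the user and the device UDID are constructed for illustration.

```python
# Added example, not VMware code: check the SAN entries of an issued certificate.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3

def tlv(tag, body):  # DER TLV, short-form length (sample bodies are < 128 bytes)
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, body, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_san(der):
    """Return the UPN and dNSName entries of a DER GeneralNames value."""
    tag, names, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    found, pos = {"upn": [], "dns": []}, 0
    while pos < len(names):
        tag, val, pos = read_tlv(names, pos)
        if tag == 0x82:  # dNSName [2]
            found["dns"].append(val.decode("ascii"))
        elif tag == 0xA0:  # otherName [0]: type-id OID, then [0] EXPLICIT value
            t_oid, oid, p = read_tlv(val, 0)
            t_val, inner, _ = read_tlv(val, p)
            if (t_oid, oid, t_val) == (0x06, UPN_OID, 0xA0):
                t_str, text, _ = read_tlv(inner, 0)
                if t_str == 0x0C:  # UTF8String holding the UPN
                    found["upn"].append(text.decode("utf-8"))
    return found

def check_san(der, enrollment_user, device_uid, kerberos_compliance=False):
    """List the template requirements from this page that the SAN misses."""
    san, problems = parse_san(der), []
    if enrollment_user not in san["upn"]:
        problems.append("missing User Principal Name {EnrollmentUser}")
    if kerberos_compliance and "UDID=" + device_uid not in san["dns"]:
        problems.append("missing DNS Name UDID={DeviceUid}")
    return problems

# Constructed sample: one SAN with both entries, one with only the UPN.
upn_name = tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"jdoe@example.com")))
SAN_FULL = tlv(0x30, upn_name + tlv(0x82, b"UDID=0123456789ABCDEF"))
SAN_UPN_ONLY = tlv(0x30, upn_name)
```

Pass the values that {EnrollmentUser} and {DeviceUid} resolve to for the enrolled device; an empty list from check_san means the SAN matches the template settings.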