Workspace ONE UEM is flexible in its PKI integration: it can request certificates from either internal or external certificate authorities (CAs). Integrate with Enterprise JavaBeans Certificate Authority (EJBCA) to issue certificates for your Workspace ONE UEM MDM solution.
For Workspace ONE UEM to communicate with EJBCA for certificate distribution, you must have an EJBCA instance configured and ready to issue certificates. You then configure Workspace ONE UEM to authenticate to EJBCA using certificate-based authentication (a client certificate). Once communication is established, you define how certificates are deployed to devices. The following scenarios show how EJBCA and Workspace ONE UEM can be configured together.
- Scenario 1: Workspace ONE UEM SaaS with EJBCA installed on-premises.
- Device enrolls with Workspace ONE UEM.
- Workspace ONE UEM requests certificate from EJBCA endpoint (optionally through the AirWatch Cloud Connector).
- EJBCA endpoint delivers the certificate to Workspace ONE UEM (optionally through the AirWatch Cloud Connector).
- Workspace ONE UEM delivers the certificate to the device as part of an EAS, VPN, or Wi-Fi profile.
If your EJBCA endpoint is public-facing, it must be protected by a TLS certificate issued by a publicly trusted CA. If you are using the AirWatch Cloud Connector, it must be configured to trust the root certificate that anchors the TLS certificate installed on your EJBCA appliance.
- Scenario 2: Workspace ONE UEM and EJBCA both installed on-premises.
- Device enrolls with Workspace ONE UEM.
- Workspace ONE UEM requests certificate from EJBCA endpoint (optionally through the AirWatch Cloud Connector).
- EJBCA endpoint delivers the certificate to Workspace ONE UEM (optionally through the AirWatch Cloud Connector).
- Workspace ONE UEM delivers the certificate to the device as part of an EAS, VPN, or Wi-Fi profile.
If your EJBCA endpoint is public-facing, it must be protected by a TLS certificate issued by a publicly trusted CA. If you are using the AirWatch Cloud Connector, it must be configured to trust the root certificate that anchors the TLS certificate installed on your EJBCA appliance. See Configuring AirWatch Cloud Connector to trust EJBCA for more information.
Prerequisites
- An EJBCA instance that is configured for certificate deployment.
- Workspace ONE UEM console version 9.5 or later.
- If your EJBCA appliance is public-facing, it must be protected with a TLS certificate issued by a publicly trusted CA. If you are using the VMware AirWatch Cloud Connector for enterprise integration, it must be configured to trust the root certificate that anchors the TLS certificate installed on your EJBCA appliance.
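The trust prerequisite above (and the SSL/TLS error tip in the troubleshooting section) can be checked directly on the Windows host that talks to EJBCA. The following PowerShell is an added example, not code from the Workspace ONE UEM or EJBCA documentation: run on the AirWatch Cloud Connector (or the UEM console server), it captures the TLS certificate the EJBCA endpoint presents, builds the chain against the machine's own certificate stores the way Windows does for outbound HTTPS, and imports the EJBCA root into the machine Root store only if the chain does not already build. The host name, port and root certificate path are assumptions.

```powershell
# Added example, not from the Workspace ONE UEM or EJBCA documentation.
# Run on the AirWatch Cloud Connector (or the UEM console server) to see whether this host
# trusts the EJBCA endpoint's TLS chain, and to import the EJBCA root into the machine
# Root store if it does not. Host name, port and file path are assumptions; replace them.
param(
    [string]$EjbcaHost    = 'ejbca.example.internal',  # assumption: your EJBCA endpoint
    [int]   $Port         = 8443,                       # assumption: EJBCA HTTPS port
    [string]$RootCertPath = 'C:\temp\ejbca-root.cer'    # assumption: root exported from the appliance
)

function Get-RemoteCertificate {
    # Open a TLS session and capture the leaf certificate the endpoint presents.
    # The validation callback deliberately returns $true: we only want the certificate here,
    # trust is evaluated separately in Test-CertificateTrust.
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-CertificateTrust {
    # Build the chain with this machine's certificate stores, as Windows does for outbound
    # HTTPS. Revocation checking is skipped so an unreachable CRL does not mask a trust problem.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("  chain status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    return $ok
}

$cert = Get-RemoteCertificate -HostName $EjbcaHost -Port $Port
Write-Host "EJBCA endpoint presents '$($cert.Subject)' issued by '$($cert.Issuer)', expires $($cert.NotAfter)"

if (Test-CertificateTrust -Cert $cert) {
    Write-Host 'Chain builds to a root this host trusts; no import needed.'
} else {
    Write-Host "Chain is not trusted; importing $RootCertPath into Cert:\LocalMachine\Root"
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    if (Test-CertificateTrust -Cert $cert) {
        Write-Host 'Chain is now trusted.'
    } else {
        Write-Warning 'Still untrusted: confirm the file is the root that issued the EJBCA TLS certificate and that the endpoint serves its intermediate certificates.'
    }
}
```

Two caveats. X509Chain only checks the chain, not the host name, so after the chain builds, repeat the connection with a default SslStream (no always-true callback) to confirm the certificate's name matches the endpoint you configured in the UEM console. And for a public-facing EJBCA endpoint without the Cloud Connector, importing a private root is not the fix: the endpoint must present a chain from a publicly trusted CA.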
Procedure
What to do next
Review some tips and troubleshooting steps for the integration.
- Verify ability to perform certificate authentication without Workspace ONE UEM.
Remove Workspace ONE UEM from the configuration and manually configure a device to connect to your network server using certificate authentication. This should work outside of Workspace ONE UEM; until it works properly, Workspace ONE UEM cannot configure a device to connect with a certificate.
- Verify ability to perform certificate authentication with Workspace ONE UEM.
You can confirm that the certificate is usable by pushing a profile to the device and testing whether the device is able to connect and sync to the configured EAS, VPN, or Wi-Fi access point. If the device does not connect and shows a message that the certificate cannot be authenticated or the account cannot connect, there is a problem in the configuration. The following troubleshooting checks are helpful.
- If SSL/TLS errors are received while creating a template.
- This error can occur when you attempt either of two tasks:
- Create a Workspace ONE UEM certificate template by selecting the Retrieve Profiles button, or
- Retrieve a certificate from the Workspace ONE UEM console from the EJBCA certificate authority.
- The technique that usually resolves this problem is adding the required server certificate chain to the console server's trusted root key store.
- If the Workspace ONE UEM certificate profile fails to install on the device.
- Inform Workspace ONE UEM Professional Services of the error and request that they:
- Turn on Verbose Mode to capture additional data.
- Retrieve web console log.
- Workspace ONE UEM analyzes the log and works with the customer to resolve the problem.
- If the certificate is not populated in the View XML option of the profile.
- Confirm that the lookup values configured on the EJBCA certificate profile match the lookup values in the Workspace ONE UEM console request template.
- Confirm that the lookup values in the Workspace ONE UEM request template are actually populated in the user information being pulled from AD.
- Confirm you are pointing to the right profile in EJBCA.
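The second check above (lookup values that are blank because the directory attribute behind them is empty) can be automated for a given enrollment user. The following PowerShell is an added example, not code from the Workspace ONE UEM or EJBCA documentation: it pulls the `{Name}` lookup values out of a request template's subject name and SAN strings, queries Active Directory for the attributes that back them, and reports each lookup value that would expand to nothing. The mapping from lookup value to AD attribute is an assumption that matches common UEM directory attribute mappings; adjust it to the mapping configured in your UEM directory settings. The template strings and the user `jdoe` are illustrative.

```powershell
# Added example, not from the Workspace ONE UEM or EJBCA documentation.
# For one enrollment user, report which lookup values in a UEM certificate request template
# would be blank because the matching Active Directory attribute is empty.
Import-Module ActiveDirectory

# Assumption: these pairings mirror common UEM directory attribute mappings; verify against
# the mapping configured under your UEM directory settings.
$LookupToAdAttribute = @{
    'EmailAddress'      = 'mail'
    'UserPrincipalName' = 'userPrincipalName'
    'EnrollmentUser'    = 'sAMAccountName'
    'FirstName'         = 'givenName'
    'LastName'          = 'sn'
}

function Get-TemplateLookupValues {
    # UEM lookup values are written as {Name}; return the distinct names used in the template.
    param([string]$Template)
    [regex]::Matches($Template, '\{([A-Za-z]+)\}') |
        ForEach-Object { $_.Groups[1].Value } |
        Sort-Object -Unique
}

function Test-TemplateLookupValues {
    # Returns one message per lookup value that is unmapped or backed by an empty AD attribute.
    param([string]$Template, [string]$SamAccountName)
    $names = Get-TemplateLookupValues -Template $Template
    $attrs = $names | ForEach-Object { $LookupToAdAttribute[$_] } | Where-Object { $_ } | Sort-Object -Unique
    if (-not $attrs) { $attrs = @('sAMAccountName') }
    $user = Get-ADUser -Identity $SamAccountName -Properties $attrs

    $problems = @()
    foreach ($name in $names) {
        $attr = $LookupToAdAttribute[$name]
        if (-not $attr) {
            $problems += "{$name}: no AD attribute mapping known here; check the UEM directory attribute mapping"
            continue
        }
        if ([string]::IsNullOrWhiteSpace($user.$attr)) {
            $problems += "{$name}: AD attribute '$attr' is empty for $SamAccountName"
        }
    }
    return $problems
}

# Illustrative subject name and SAN strings from a UEM request template, and a test user.
$subjectTemplate = 'CN={EnrollmentUser}, E={EmailAddress}'
$sanTemplate     = 'UPN={UserPrincipalName}'
$problems = Test-TemplateLookupValues -Template ($subjectTemplate + ' ' + $sanTemplate) -SamAccountName 'jdoe'

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Every lookup value in the template resolves to a populated AD attribute for this user.'
}
```

Run it with the same user that enrolled the failing device. A warning here explains an empty certificate in View XML without touching EJBCA; if every lookup value is populated, move on to confirming that the EJBCA certificate profile and end-entity profile expect the same subject fields and that the UEM template points at the intended EJBCA profile.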