Entrust ID Issuance
Workspace ONE UEM can request certificates from various certificate authorities, one of which is Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority. To use Entrust as a certificate authority, you need a supported version of the Workspace ONE UEM console, access to an Entrust ID Enterprise instance, and an Entrust ID Enterprise instance that has been set up for mobile enrollment.
You can use Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority as a third-party certificate authority for Workspace ONE UEM in a SaaS environment. Communication flows between Workspace ONE UEM, Entrust, and mobile devices.
- Open port 19443 from the Workspace ONE UEM console to your Entrust server.
Note: SaaS deployments can contact VMware Support Services to check that 19443 is open.
- If you use the AirWatch Cloud Connector, go to the advanced settings, and deactivate the Entrust PKI.
- Use a supported Entrust API version, V8 or V9. The version is selected by the AdminService segment of the Server URL you enter in the console.
- When AdminServiceV8 is included in the server URL, Workspace ONE UEM does not retrieve older certificates.
- When AdminServiceV9 is included in the server URL, Workspace ONE UEM retrieves all historical certificates.
- Use Workspace ONE UEM console version 9.5 or later.
- VMware AirWatch Cloud Connector is required if the Entrust ID Enterprise instance is installed behind a firewall.
- An Entrust ID Enterprise instance needs to be available.
- Configure Entrust ID Enterprise for mobile enrollment.
Set up Entrust ID Enterprise for mobile enrollment with Workspace ONE UEM. This task creates an Entrust Managed certificate authority (CA) and issues a digital ID to the Entrust instance.
Perform this task with help from your Entrust ID Enterprise representative. If you are using Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority, your representative gives you several values for configuring Entrust as a CA in the Workspace ONE UEM console.
- URL to enter as the Server URL of the CA.
- Credentials for the Server URL.
- A digital ID configuration to enter while completing the certificate template.
- Configure an Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority CA in Entrust ID Enterprise. Adding a Managed CA allows Entrust ID Enterprise to communicate with your Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority CA.
- Configure a Digital ID Configuration in Entrust ID Enterprise. A Digital ID Configuration is a template that Entrust ID Enterprise uses to issue digital IDs.
- Configure the Entrust ID Enterprise digital ID policies.
- Mirror the password rules set in Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority and Entrust ID Enterprise. If the password rules do not match, errors can occur when issuing digital IDs.
- Add an Entrust ID Enterprise administrator that your Workspace ONE UEM MDM uses to issue digital IDs.
Configure Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority as a certificate authority (CA) in the Workspace ONE UEM console. The configuration establishes communication between the two systems using values from your Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority managed certificate authority.
- Navigate to Devices > Certificates > Certificate Authorities and in the System Settings page that displays, select the Certificate Authorities tab.
- Select the Add button. The Certificate Authority – Add / Edit page displays.
- Enter in the Name field a unique name that identifies the Entrust certificate authority.
- Select the Authority Type drop-down and select Entrust.
- For Protocol, select either the PKI or SCEP radio button.
- Enter in the Server URL field the URL of the Administration Services MDM Web Service or the Entrust ID Enterprise Administration Service. If you are using Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority, your Entrust ID Enterprise representative gave you this URL when you configured Entrust for mobile enrollment. The URL must include the API version segment, AdminServiceV8 or AdminServiceV9, which determines whether older certificates are retrieved. An example of the URL is
- In the Username and Password settings, enter the user name and password of the Administration Services or Entrust ID Enterprise administrator you created while configuring Entrust. If you are using Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority, this user name and password should have been provided to you by an Entrust representative.
- When complete, select the Test Connection button and verify that the test succeeds. If the connection fails, an error displays. The error can result from the Entrust server's certificate not being installed (trusted) on the Workspace ONE UEM server, or from an incorrect URL. In the example error, the Server URL was not correct.
- Select Save.
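The two causes of a failed Test Connection named above (port 19443 blocked or a wrong URL, versus the Entrust server's certificate chain not being trusted on the Workspace ONE UEM server) can be told apart before you press the button. The script below is an added example for this page, not code from Workspace ONE UEM or Entrust. It first checks the Server URL statically (HTTPS, port 19443, presence of the AdminServiceV8 or AdminServiceV9 segment from the prerequisites) and then probes TCP reachability and TLS chain trust from the host it runs on. The host name entrust.example.com and the path /AdminServiceV9 are placeholders; the real values come from your Entrust representative.

```python
"""Pre-flight check of an Entrust Server URL before Test Connection in Workspace ONE UEM.

Added example, not Workspace ONE UEM or Entrust code. Run it on the host that will
actually talk to Entrust (the console server, or the AirWatch Cloud Connector host),
because that host's trust store and network path are the ones that matter.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

ENTRUST_PORT = 19443  # port the console must reach on the Entrust server


@dataclass
class UrlReport:
    api_version: Optional[str]      # "V8", "V9" or None when the segment is missing
    port: Optional[int]
    retrieves_history: bool         # only AdminServiceV9 returns older certificates
    problems: List[str] = field(default_factory=list)


def inspect_server_url(url: str) -> UrlReport:
    """Static checks that need no network: scheme, host, port and API version segment."""
    parsed = urlparse(url)
    report = UrlReport(api_version=None, port=None, retrieves_history=False)
    if parsed.scheme != "https":
        report.problems.append(f"scheme is {parsed.scheme or 'missing'}, expected https")
    if not parsed.hostname:
        report.problems.append("no host name in URL")
    try:
        report.port = parsed.port
    except ValueError:
        report.problems.append("port is not numeric")
    if report.port is None:
        report.problems.append(f"no explicit port; the console talks to Entrust on {ENTRUST_PORT}")
    elif report.port != ENTRUST_PORT:
        report.problems.append(f"port {report.port} is not {ENTRUST_PORT}")
    for version in ("V9", "V8"):
        if f"AdminService{version}" in parsed.path:
            report.api_version = version
            break
    if report.api_version is None:
        report.problems.append("path has no AdminServiceV8 or AdminServiceV9 segment")
    report.retrieves_history = report.api_version == "V9"
    return report


def probe_tls(host: str, port: int, timeout: float = 5.0) -> str:
    """Network check that separates the two Test Connection failures in the text.

    Returns one of:
      "unreachable"    - TCP connect failed: port not open, wrong host, or a firewall
      "untrusted-cert" - TLS handshake rejected the chain or host name: the Entrust
                         server's issuing certificate is not in this host's trust store
      "tls-error"      - some other TLS problem (protocol mismatch, reset or timeout
                         during the handshake)
      "ok"             - TCP and TLS both succeed; if Test Connection still fails,
                         check the path/version segment and the credentials
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    # create_default_context() verifies the chain and host name against the
    # platform trust store (on Windows, the system ROOT and CA stores).
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.getpeercert()  # the handshake has completed by this point
        return "ok"
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"
    except ssl.SSLError:
        return "tls-error"
    except OSError:
        return "tls-error"
    finally:
        raw.close()  # no-op if wrap_socket already took over the file descriptor


if __name__ == "__main__":
    import sys
    # Placeholder URL; the real host and path come from your Entrust representative.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://entrust.example.com:19443/AdminServiceV9"
    report = inspect_server_url(url)
    print(f"API version: {report.api_version}, retrieves historical certificates: {report.retrieves_history}")
    for problem in report.problems:
        print("URL problem:", problem)
    host = urlparse(url).hostname
    if host and report.port:
        print("network:", probe_tls(host, report.port))
```

An "untrusted-cert" result means the fix is on the trust side (install the CA certificate that issued the Entrust server's TLS certificate on the console or Cloud Connector host), not in the URL; "unreachable" points at the port 19443 rule or the host name; "ok" with a failing Test Connection leaves the path, the API version segment and the credentials as the remaining suspects.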
Define which certificate Workspace ONE UEM console deploys to devices by setting up a certificate template for Entrust ID Enterprise.
- On the Certificate Authorities system settings page (Groups & Settings > Configurations > Certificate Authorities), select the Request Templates tab.
- Select the Add button to add a new Certificate Template. The Certificate Template Add/Edit window displays.
- Select the Certificate Authority drop-down and choose the Entrust CA you configured earlier.
- Enter in the Name and Description fields the name you want to give the Entrust certificate template.
- For Managed CA, select the name of the Entrust CA.
- Select the Profile Name drop-down and choose the name of the Digital ID Configuration that you created while configuring Entrust. If you are using Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority, this Digital ID Configuration should have been provided to you by an Entrust representative.
- Configure Subject Alternative Name (SAN) attributes as required. They provide additional unique identification of the device and must match the Digital ID configuration.
- To have Workspace ONE UEM automatically request that Entrust reissue the certificate before it expires, select the Automatic Certificate Renewal check box and make sure the assignment type is set to Auto. In the Auto Renewal Period (days) field, set the number of days before expiration at which Workspace ONE UEM requests the reissue.
- If certificates must be revoked, either manually or when they are removed from the device, select Enable Certificate Revocation. Without it, a certificate that has been removed from a device remains valid at the CA until it expires.
- Complete the Mandatory Fields that form the common name of the distinguished name within the certificate. These fields vary with the Entrust profile you choose, because the information within each profile can differ. The fields on the left correspond to the data source fields you declared on the Entrust side; the values on the right are Workspace ONE UEM variables. Enter a Lookup Value in each field that corresponds to a field in the Entrust profile, and make sure the lookup values you use match those used in the Digital ID configuration. If you are using Entrust PKI as a Service (PKIaaS) or Entrust Certificate Authority, this information should have been provided to you by an Entrust representative.
- Click Save.
What to do next
To fix a (40) error that occurs in your integration of Entrust ID Enterprise and Workspace ONE UEM, delete old profiles and update the values of two parameters. If you see the error (40) Error AirWatch.CloudConnector.CertificateService.CertificateService.TestConnection, take the following steps:
- Clean up stale profiles.
- Increase the value of MaxReceivedMessageSize to
- Increase the value of MaxBufferSize to
Both parameters are WCF binding limits; a request or response larger than either limit is rejected before it reaches the certificate service.