Installing Credential Escrow Gateway simplifies the distribution of SMIME certificates to iOS and Android devices by not uploading the SMIME certificate to Workspace ONE Unified Endpoint Management. Learn more about installing Workspace ONE UEM Credential Escrow Gateway.

The VA is delivered as an OVA file, which is used to create a dedicated virtual machine (VM) with Credential Escrow Gateway pre-installed. The creation process of the VM also asks for certain configuration parameters, such as the root user's password, network interface card (NIC) configuration, and more.

Create Credential Escrow Gateway VA

  1. Download the VA using the provided link. This is a file with .ova extension.

  2. Create a new VM using a VM tool such as VMware vSphere or Fusion.

    1. In Fusion, use menu new > import > choose file

    2. In vSphere, use menu Deploy OVF Template > Local file > Choose file

  3. The VM initialization process asks you to validate and customize some parameters, such as the root user's password, how many NIC cards to create, the IP configuration of the NIC cards, whether to enable root user's SSH access, etc.

  4. During the testing phase, it is recommended to turn on SSH access for the root user because SSH access is easier to use than native console or web console.

Book and Log Into VM

  1. Power on the VM after installation (Credential Escrow Gateway VA is a server with a text-based console).

  2. The first boot pauses a few seconds during the agent initialization process to unpack and start all packages used by Credential Escrow Gateway.

  3. Log in using root credentials

Validate Credential Escrow Gateway (CEG)

Initial health checks use the -k flag to accept CEG's built-in TLS server certificate. Learn more about customizing the TLS server certificate in the Configuring Credential Escrow Gateway section later in this guide.

  1. Local CEG health check

    1. Log into the VA using a console.

      Issue the following command from the console:

      curl -k https://localhost/v1/hc

      The output should look something like:


      This is the hash id of the container running CEG API.

  2. Remote CEG health check

    1. Get the IP address of CEG VA from the console

      1. use the ifconfig command

    2. Run a health check from a different machine using the following command:

      curl -k https://{CEG VA's ip address}/v1/hc

    3. You should see the same result as in the local health check.