Through Credential Escrow Gateway, your S/MIME certificate does not have to be stored with Workspace ONE UEM. Learn more about how to upload certificates for Credential Escrow Gateway.

Uploading Certificates to Escrow Gateway

When uploading certificates from the Certificate Authority to the Escrow Gateway, the structure of the uploaded certificates must match that of the profile. For example, when the profile specifies that both the signing certificate and the encryption certificate are to be fulfilled by Credential Escrow Gateway, the uploaded payload for that profile must contain both certificates. Otherwise, an error occurs on the Credential Escrow Gateway side for the job, and the profile for the device stays in the pending information state.

If you are using Postman to upload certificates, you may receive the error: "Could not get any response." Re-sending the request allows the certificates to be successfully uploaded. This error does not display if you send the request with cURL from a command line.

The following is the cURL script for uploading certificates to Credential Escrow Gateway:

curl -i -X POST '' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--cert ${PWD}/approved-client-certificate.p12 \
--cert-type p12 \
--data @${PWD}/certificates-payload.json

  • Authentication - the certificate upload API uses mutual TLS for authentication. The request must provide a client certificate that is in the pre-approved list of client certificates on the server side.

    In the example above, the client certificate is read from the directory in which the cURL command is issued.

  • Payload schema - the payload of this request is from a local JSON file named certificates-payload.json, which has the following schema:

          {
              "device_uuid": "e8ee2f19-e9b6-4dab-b308-c898b8f7a109",
              "user_uuid": "27223e25-d63c-4cb5-8239-a7512fa379bf",
              "smime_certificates": {
                  "encryption": [{
                      "pkcs12": "the base64 encoded encryption certificate - 1",
                      "password": "password"
                  }, {
                      "pkcs12": "the base64 encoded encryption certificate - 2",
                      "password": "password"
                  }],
                  "signing": [{
                      "pkcs12": "the base64 encoded certificate - 1",
                      "password": "password"
                  }]
              }
          }

During manual testing, make sure to change the user UUID and device UUID in the JSON payload above. The Devices API returns the Enrollment User UUID and Device UUID needed for the certificate upload. Alternatively, the certificate upload can be automated when your certificate provider listens for the Device Enrollment Event Notification.
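The following script, added here as an example and not part of VMware's documentation or product code, builds a certificates-payload.json in the schema shown above from raw PKCS#12 bytes and checks it against the profile's requirements before upload, so that a payload missing the signing or encryption certificate the profile assigns to the Escrow Gateway is caught locally rather than leaving the profile in the pending state. The sample certificate bytes are constructed placeholders; the UUIDs are the sample values from the schema above.

```python
"""Build and pre-check a Credential Escrow Gateway certificate payload.

Added example (not VMware's code). Assumes the JSON schema documented on the
page; the .p12 bytes below are constructed stand-ins for real files.
"""
import base64
import json


def encode_p12(p12_bytes: bytes, password: str) -> dict:
    """One entry of the 'encryption' / 'signing' arrays: base64 of the PKCS#12 blob."""
    return {"pkcs12": base64.b64encode(p12_bytes).decode("ascii"), "password": password}


def build_payload(device_uuid, user_uuid, encryption=(), signing=()):
    """encryption / signing: iterables of (p12_bytes, password) tuples."""
    return {
        "device_uuid": device_uuid,
        "user_uuid": user_uuid,
        "smime_certificates": {
            "encryption": [encode_p12(b, p) for b, p in encryption],
            "signing": [encode_p12(b, p) for b, p in signing],
        },
    }


def missing_for_profile(payload, profile_needs):
    """Return the certificate kinds the profile assigns to the Escrow Gateway
    that the payload does not supply (non-empty => the Gateway job would fail)."""
    certs = payload.get("smime_certificates", {})
    return sorted(kind for kind in profile_needs if not certs.get(kind))


def decodable(payload):
    """Verify every pkcs12 field is valid base64 (catches a corrupted entry)."""
    certs = payload["smime_certificates"]
    for kind in ("encryption", "signing"):
        for entry in certs.get(kind, []):
            try:
                base64.b64decode(entry["pkcs12"], validate=True)
            except (ValueError, KeyError):
                return False
    return True


if __name__ == "__main__":
    # Constructed sample bytes; in practice use open(path, "rb").read() per .p12 file.
    enc = [(b"\x30\x82fake-enc-1", "password"), (b"\x30\x82fake-enc-2", "password")]
    sign = [(b"\x30\x82fake-sign-1", "password")]
    payload = build_payload("e8ee2f19-e9b6-4dab-b308-c898b8f7a109",
                            "27223e25-d63c-4cb5-8239-a7512fa379bf", enc, sign)
    assert not missing_for_profile(payload, {"encryption", "signing"}) and decodable(payload)
    with open("certificates-payload.json", "w") as fh:
        json.dump(payload, fh, indent=2)
```

Run the check with the same set of certificate kinds the profile delegates to the Escrow Gateway; only a payload that passes both checks should be handed to the cURL upload.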

curl -i -X GET '{deviceid}'\
--header 'aw-tenant-code: E6wl82Zo6OgmmWTMnwa50CeD6hmemhzoB77P4naZylY='\
--header 'Content-Type: application/json'\
--header 'Authorization: {Basic Authentication}'

Example Response (excerpt)

"EnrollmentUserUuid": "93029b25-13a8-4aad-a0e8-b9216f20a2ba",   -> This is the Enrollment User's UUID.
"ManagedBy": 0,
"Id": {
    "Value": 33
},
"Uuid": "626d199a-6773-489b-80a4-f9ced2a0ce89"   -> This is the Device's UUID.