Certificates are used to authenticate communication among the Workspace ONE UEM console, VMware Tunnel, and end-user devices. At times, certificates expire and need to be rotated.

For your initial workflow, confirm that the following things are set.

  1. VMware Tunnel connects to the Workspace ONE UEM API and authenticates with an API Key and a Certificate.

    • Traffic requests are SSL encrypted using HTTPS.

    • Setup authorization is restricted to admin accounts with a role enabled for the Tunnel setup role (see preliminary steps).

  2. Workspace ONE UEM generates a unique identity certificate pair for both the Workspace ONE UEM and VMware Tunnel environments.

    • The Workspace ONE UEM certificate is unique to the group selected in the Workspace ONE UEM console.

    • Both certificates are generated from a trusted Workspace ONE UEM root.

  3. Workspace ONE UEM generates a unique self-signed certificate to be used as the server certificate. Optionally, you can also use your own Public SSL certificate instead of the self-signed certificate on the front-end VMware Tunnel server (if Tunnel is deployed using the cascade mode) or on the backend server (if Tunnel is deployed using the basic mode).

  4. Workspace ONE UEMsends the unique certificates and trust configuration back to the Tunnel server over HTTPS.

    The VMware Tunnelconfiguration trusts only messages signed from the Workspace ONE UEM environment. This trust is unique per group.

    Any additional VMware Tunnel servers set up in the same Workspace ONE UEM group as part of a highly available (HA) load-balanced configuration are issued the same unique Tunnel certificate.

    For more information about high availability, refer to the VMware Workspace ONE UEM Recommended Architecture Guide.

Next, setup the certificate integration cycle.

  1. Workspace ONE UEM generates Device Root Certificates that are unique to every instance during the installation process. The VMware Tunnel Device Root Certificate is used to generate client certificates for each device.

  2. The certificate is generated at the time of profile delivery.

  3. VMware Tunnel gets the chain during installation. The VMware Tunnel installer is dynamically packaged and picks these certificates at the time of download.

  4. VMware Tunnel makes an outbound call to the AWCM/API server (VMware AirWatch Cloud Messaging) to receive updated details on the device and certificates. The following details are exchanged during this process: DeviceUid, CertThumbprint, applicationBundleId, EnrollmentStatus, complianceStatus.

  5. VMware Tunnel maintains a list of devices and certificates and only authenticates the communication if it sees a certificate it recognizes.

    X.509 (version 3) digitally signed client certificates are used for authentication.

SSL Certification Rotation and Expiration Management

VMware Tunnel supports rotating your public SSL certificates with zero downtime for end users. It is best to rotate your public SSL certificate and the profile during the grace period to ensure that your end users do not experience a service interruption.

To rotate your public SSL certificates, you must upload a new certificate to the Workspace ONE UEM console first. This enables you to prepare new VPN profiles configured for Tunnel before rotating the certificate on the server.

To prepare the end-user devices for rotation, you must add a new version of the VPN profiles configured for VMware Tunnel. The new profile version contains the new public SSL certificate. Before rotating the server certificate, you must push the new profile version to devices.

When the certificate is close to expiring or is compromised, the UEM console notifies the user and you can activate the new public SSL certificate to trigger the rotation and maintain the service. After you activate the certificate, Tunnel server requires clients to have the new certificate to authenticate.

Rotate the Public SSL Certificate

Configure VMware Tunnel to rotate public SSL certificates to maintain the end-user service experience. Tunnel only supports rotating public SSL certificates. For immediate certificate rotation, your front-end and back-end servers must be able to communicate with AWCM (VMware AirWatch Cloud Messaging). Otherwise, the rotation might take up to four hours.


The certificate should be saved in the API settings on the front-end UAG Admin page.

Shows where to locate the Server Authentication within the UEM Console.
  1. From the UEM console, go to Groups & Settings > Configurations > Tunnel.

  2. Select Edit to change the configuration settings.

  3. In the Server Authentication section, you can configure the Third-Party SSL Certificate. This will secure the client-server communication from the enabled application on a device to the Tunnel. By default, this setup uses an AirWatch certificate for secure server-client communication.

    1. Select Third Party option if you prefer to use a third-party SSL certificate for encryption between Workspace ONE Web or SDK-enabled apps and the Tunnel server.

    2. Select Add Certificate to upload a .PFX or .P12 certificate file and enter the password. This file must contain both your public and private key pair. CER and CRT files are not supported.

  4. Select Save to add the certificate to the database.

  5. In the UEM console, publish a new version of your VPN profiles configured for Tunnel to devices.

    After all the end-user devices have a new profile version, select Activate Certificate to use the new certificate. As a best practice, VMware recommends deleting any unused or expired certificates from the VMware Tunnel configuration. You can click Delete for a particular certificate record to delete any unused or expired certificates.

AirWatch Server Authentication Certificate Expiration and Rotation

At times, the AirWatch Server Certificate will expire and require you to rotate it. Regenerating the Tunnel certificate will remove the existing trust Tunnel uses for authentication. You will need to deploy updated profiles after this action.

To rotate the certificate, go into your Workspace ONE UEM console.
  1. Go to Tunnel Configuration.
  2. Click Edit.
  3. Now under the Server Authentication section you should see Regenerate.
  4. Click Regenerate. This will open a dialog box. After reviewing the message, click OK.