Configuring an Enterprise Certificate Authority

This module will walk through the configuration of a newly installed Enterprise Certificate Authority for use with Workspace ONE UEM as well as how to integrate the Certificate Authority on your domain with Workspace ONE UEM SaaS services using the VMware Enterprise Systems Connector.

1. Configure the Certificate Authority

The first step in this process is to prepare your Certificate Authority, create a template for use with Workspace ONE UEM and assign security permissions to allow a service account to make requests to the CA. If you already have a PKI in your enterprise, Workspace ONE UEM can seamlessly connect with your current infrastructure.

For this lab, the Certificate Authority has already been configured for you.  To better learn and understand the configurations made to integrate the Certificate Authority with Workspace ONE UEM, you can choose between watching a demo video on how to configure the Certificate Authority, or you can practice the steps hands-on using a local Certificate Authority.  

  • If you wish to watch a demo video, click here.
  • If you wish to step through a hands-on example using a local Certificate Authority, click here.

2. Watch a Certificate Authority Configuration Demo

NOTE - You may need to scroll to the right to view the full-screen button on the video above.
NOTE - The video contains no sound. Refer to the subtitles for the details of the configuration process.

The embedded video will showcase the configurations to the Certificate Authority used for this lab to integrate with Workspace ONE UEM.  After finishing the video, click here to continue.

3. Configure an Example Certificate Authority

In this section, you will utilize a local Certificate Authority provided to better learn how to configure the Certificate Authority to interact with Workspace ONE UEM.

NOTE - The Certificate Authority that this lab uses to issue certificates has already been configured. You are only editing a local Certificate Authority, so nothing you change here affects the ability to issue certificates for this lab.

3.1. Opening the Microsoft Certificate Authority Application


On the Main Console server, double-click the Certification Authority shortcut on the desktop.

3.2. Getting the Certificate Authority Server Name


The first item you will need when integrating Workspace ONE UEM with ADCS is the name of the CA. The name of the instance is the topmost attribute on the configuration screen; in this case it is CONTROLCENTER-CA, as the server has already been pre-configured as a Certificate Authority.

Navigate to the Properties of the CA:
  1. Right-click on CONTROLCENTER-CA.
  2. Click on Properties.

3.4. Configure Security

  1. Click the Security tab.
  2. Click Add.

3.5. Add the Imaservice account

  1. Type imaservice in the Enter the object names to select embedded window.
  2. Click the Check Names button to validate.
  3. If no errors appear, click the OK button to add the IMASERVICE user account.

3.6. Set the IMASERVICE Account Permissions


After completing the previous step to add the IMASERVICE user to the CONTROLCENTER-CA Properties permissions, you need to modify the permissions to allow the user to issue, manage, and request certificates.

  1. Click on the ima service ([email protected]) user in the Group or user names embedded window.
  2. In the Permissions embedded window for the selected user, ensure the Allow checkbox for Request Certificates is checked.
  3. Check the Allow checkbox for Issue and Manage Certificates.
  4. Click the OK button.

3.7. Manage Certificate Templates


Now you will create a new certificate template for use with Workspace ONE UEM. In order to do so, you need to open the Manage Certificate Templates menu.

  1. In the left pane, click on CONTROLCENTER-CA to select it.
  2. Right-click on the Certificate Templates folder to bring up the context menu.
  3. Select Manage. This will open a new MMC Snap-in window titled Certificate Templates Console.

3.8. Duplicate the Certificate Template


The Certificate Templates Console window displays.

  1. In Template Display Name column, scroll down and select the User template.
  2. Right-click on the User template.
  3. From the context menu, select Duplicate Template.

NOTE - This duplicated certificate template will be used by Workspace ONE UEM. The template you choose to duplicate depends on the function being configured in Workspace ONE UEM. For example, for Wi-Fi, VPN, or Exchange ActiveSync (EAS) client authentication you would duplicate the CEP Encryption template instead.

3.9. Define New Certificate Template Settings


The Duplicate Template dialog box displays.

  1. Click on the General tab.
  2. In the Template display name field, type the name of the template that will display to users. For this lab, type Mobile User.
  3. The Template name field auto-fills with the same name as above, only without spaces. For this lab, leave it as MobileUser.
  4. Un-check the Publish certificate in Active Directory checkbox.
  5. Click OK.

3.10. Open the Mobile User Template Properties

  1. Right-click on the new Mobile User template that was just created.
  2. Select Properties from the context menu. The Mobile User Properties window will appear.

3.11. Edit the Security of Mobile User Template

  1. Select the Security tab in the Mobile User Properties window.
  2. Click the Add... button below the embedded Group or user names window. The "Select Users, Computers, Service Accounts, or Groups" dialog box displays.

3.12. Add the account Imaservice

  1. Type the previously created user service account IMASERVICE in the Enter the object names to select embedded window.
  2. Click the Check Names button to verify the account was typed correctly. If typed correctly, you will see it change to ima service ([email protected]).
  3. Click the OK button on the Select Users, Computers, Service Accounts, or Groups dialog box.

3.13. Apply Read and Enroll permissions

  1. Back on the Mobile User Properties window, select the ima service ([email protected]) user account.
  2. In the Permissions for ima service embedded window, ensure the Allow checkbox for Read permissions is selected.
  3. In the Permissions for ima service embedded window, click the Allow checkbox for Enroll permissions to enable it.
  4. Click the Apply button. DO NOT click OK yet.

3.14. Configure Subject Name Properties

  1. Select the Subject Name tab in the Mobile User Properties window.
  2. Select the Supply in the request radio button.
  3. Click the OK button on the Certificate Templates prompt.
  4. Click the OK button on the Mobile User Properties window.

3.15. Close the Certificate Template Console

Close the Certificate Templates Console by clicking the X in the window's title bar.

3.16. Add new certificate template to issue

Switch back to the CERTSRV - Certificate Authority window shown in this step.

In the left window pane, single-click to select the Certificate Templates folder.

  1. Click on the expand arrow (twisty) to expand the options for the CA.
  2. Right-click the Certificate Templates folder.
  3. Select New in the context menu that appears.
  4. Click on Certificate Template to Issue, which appears to the right of New.

3.17. Enabling the Mobile User Certificate Template

  1. In the Enable Certificate Templates dialog box, select the name of the certificate template you previously created - in this case, Mobile User.
  2. Click the OK button.

3.18. Accept the Updating Template Prompt (IF NEEDED)

If you see a prompt for Updating Templates, click Yes to continue.
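To confirm the outcome of steps 3.9 through 3.17 without clicking back through the consoles, the following PowerShell audit (an added example, not part of the lab) reads the template and CA objects from the Active Directory Configuration partition. It assumes the ActiveDirectory module is installed, that the account running it can read the Configuration partition, and uses the lab's names MobileUser and CONTROLCENTER-CA.

```powershell
# Added example, not part of the lab: audit the Mobile User template after the steps above.
# Assumes the ActiveDirectory module is available and the caller can read the Configuration NC.
Import-Module ActiveDirectory

$templateName = 'MobileUser'          # Template name from step 3.9 (no spaces)
$caName       = 'CONTROLCENTER-CA'    # CA name from step 3.2
$configNC     = (Get-ADRootDSE).configurationNamingContext
$pkiBase      = "CN=Public Key Services,CN=Services,$configNC"

# 1. Read the template object, its name flags and its security descriptor.
$tmpl = Get-ADObject -Identity "CN=$templateName,CN=Certificate Templates,$pkiBase" `
            -Properties msPKI-Certificate-Name-Flag, nTSecurityDescriptor

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) is the bit that "Supply in the request" (step 3.14) sets.
$supplyInRequest = ($tmpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0

# 2. List every principal holding the Enroll extended right (well-known Certificate-Enrollment GUID).
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$enrollers  = $tmpl.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ObjectType -eq $enrollGuid -and
                   (($_.ActiveDirectoryRights -band $extRight) -ne 0) } |
    Select-Object -ExpandProperty IdentityReference

# 3. Confirm the CA actually publishes the template (step 3.17).
$ca = Get-ADObject -Identity "CN=$caName,CN=Enrollment Services,$pkiBase" -Properties certificateTemplates
$published = $ca.certificateTemplates -contains $templateName

[pscustomobject]@{
    Template        = $templateName
    SupplyInRequest = $supplyInRequest
    EnrollGrantedTo = ($enrollers -join ', ')
    PublishedOnCA   = $published
}

# Because the subject name is supplied in the request, every principal in EnrollGrantedTo can
# request a certificate for any subject. Only the service account (IMASERVICE) should appear here.
$broad = $enrollers | Where-Object { $_ -match 'Authenticated Users|Domain Users|Domain Computers|Everyone' }
if ($broad) { Write-Warning "Enroll on $templateName is granted to broad groups: $($broad -join ', ')" }
```

The CA-level permissions from steps 3.4 to 3.6 (Request Certificates, Issue and Manage Certificates) live in the CA's own security settings rather than in Active Directory, so they are not covered by this script and should still be checked on the CA Properties Security tab.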
