Integrating Certificate Authority and Workspace ONE UEM
In these steps you will integrate the Microsoft CA with Workspace ONE UEM and configure the certificate template that VMware Browser will request.
This integration is required for three reasons:
- Workspace ONE UEM requests the user certificate from the CA and delivers it to the user's device, fully automated.
- Workspace ONE UEM revokes the certificate when the device is unenrolled.
- When VMware Browser accesses the internal website, it must present the user certificate to the Unified Access Gateway, which validates it and converts the request to Kerberos authentication.
1. Add Certificate Authority to Workspace ONE UEM
- Click Certificate Authorities under Enterprise Integration.
- Click Add under the Certificate Authorities tab.
2. Configure Certificate Authority
- Enter CONTROLCENTER CA for Name
- Select Microsoft ADCS for Authority Type
- Select ADCS for Protocol
- Enter controlcenter.corp.local for Server Hostname
- Enter corp-CONTROLCENTER-CA for Authority Name
- Enter corp\imaservice for User name
- Enter VMware1! for Password
- Enter VMware1! for Confirm Password
- Click Test Connection. A "Test is successful" message appears at the top.
The credentials above are the lab's. In production, use a dedicated service account that holds only the Request/Enroll permission on the template it needs, since whoever controls this account can obtain certificates for any user the template allows.
- Click Save and Add Template
3. Add Certificate Template
In this step you add the certificate template that tells Workspace ONE UEM which template on the certificate authority to use when generating the user's certificate.
The properties you enter here must match the template defined on the CA (template name, key length, key usage, subject name supplied in the request); otherwise the CA will reject the request or issue a certificate the user cannot authenticate with later.
- For the Name of Template enter any unique name of your preference.
- Select CONTROLCENTER CA for Certificate Authority
- Enter certificatetemplate:MobileUser for Issuing Template
- Enter CN={EnrollmentUser} for Subject Name
- Select 2048 for Private Key Length
- Select both Signing and Encryption for Private Key Type
- Add a SAN Type of Email Address with the value {EmailAddress}
- Add a second SAN Type of User Principal Name with the value {UserPrincipalName}
- Select Enable Certificate Revocation
- Click Save
4. Confirm the Certificate Authority was created
- Click the Certificate Authorities tab.
- Click Refresh if needed.
- Confirm the CONTROLCENTER CA Certificate Authority was added.
5. Validating the Certificate Template
There are several ways to view the certificate templates available on a Microsoft CA. On an Enterprise CA you can open the Certification Authority console and expand the Certificate Templates folder, which lists the templates that CA issues. In this lab we use mmc.exe with the Certificate Templates snap-in (certtmpl.msc), which lists every template defined in Active Directory.
To make this easier, a shortcut on the task bar of your desktop launches an MMC instance with the Certificate Templates snap-in already added.
Click the MMC shortcut on the task bar.
5.1. Select MobileUser Template
- Click Certificate Templates
- Right-click the Mobile User template
- Click Properties
The following steps show you where to find, on the CA template, the attributes you defined in the template in the Workspace ONE UEM console.
5.1.1. Validating Template Name
- Click the General tab.
- Validate that the Template name is MobileUser.
5.1.2. Validating Private Key Type
- Click the Request Handling tab.
- Confirm the Purpose is set to Signature and encryption.
5.1.3. Validating Private Key Length
- Click the Cryptography tab.
- Ensure the Minimum key size is 2048.
5.1.4. Validating Subject Name request
- Click the Subject Name tab.
- Ensure Supply in the request is selected.
With Supply in the request, the CA accepts whatever subject the requester sends, so the CN={EnrollmentUser} value set by Workspace ONE UEM is trusted as-is. Limit Enroll permission on this template to the UEM service account; any other principal with Enroll rights could request a certificate for an arbitrary user.
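The MMC checks in step 5 can also be scripted. The following PowerShell script is an added example and is not part of the lab guide or of Workspace ONE UEM; it reads the MobileUser template object from the Active Directory Configuration partition and compares it with the values entered in step 3 (template name, Supply in the request, 2048-bit minimum key, Signature and encryption purpose), then goes beyond the page by also checking that the Client Authentication EKU is present (required for certificate authentication at the Unified Access Gateway) and that the lab's service account corp\imaservice has a direct Enroll ACE on the template. The flag values and the Enroll extended-right GUID are the documented ADCS constants; the host running it is assumed to be domain-joined with read access to the Configuration partition and to have certutil.exe available.

```powershell
# Added example (not from the lab guide): validate the MobileUser template
# against the values configured in Workspace ONE UEM.
param(
    [string]$TemplateName   = 'MobileUser',
    [string]$ServiceAccount = 'corp\imaservice',
    [string]$CAConfig       = 'controlcenter.corp.local\corp-CONTROLCENTER-CA'
)

# ADCS template constants (MS-CRTD): name flag, key usage bits, EKU OID, Enroll right
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in the request"
$KU_DIGITAL_SIGNATURE              = 0x80         # first byte of pKIKeyUsage
$KU_KEY_ENCIPHERMENT               = 0x20
$KU_SIGN_AND_ENCRYPT               = $KU_DIGITAL_SIGNATURE -bor $KU_KEY_ENCIPHERMENT
$EKU_CLIENT_AUTH                   = '1.3.6.1.5.5.7.3.2'
$ENROLL_RIGHT_GUID                 = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Templates live under CN=Certificate Templates in the Configuration partition
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$tmpl = [ADSI]$path
try   { $null = $tmpl.Properties['cn'].Value }
catch { throw "Template '$TemplateName' not found at $path" }

$nameFlags = [int]$tmpl.Properties['msPKI-Certificate-Name-Flag'].Value
$minKey    = [int]$tmpl.Properties['msPKI-Minimal-Key-Size'].Value
$keyUsage  = [byte[]]$tmpl.Properties['pKIKeyUsage'].Value
$ekus      = @($tmpl.Properties['pKIExtendedKeyUsage'])

$checks = [ordered]@{
    'Template name is MobileUser (General tab)'               = ($tmpl.Properties['cn'].Value -eq $TemplateName)
    'Subject is supplied in the request (Subject Name tab)'   = (($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0)
    'Minimum key size is 2048 (Cryptography tab)'             = ($minKey -eq 2048)
    'Purpose is Signature and encryption (Request Handling)'  = (($keyUsage[0] -band $KU_SIGN_AND_ENCRYPT) -eq $KU_SIGN_AND_ENCRYPT)
    'Client Authentication EKU present (Extensions tab)'      = ($ekus -contains $EKU_CLIENT_AUTH)
}

# Direct Allow ACE granting the Enroll extended right (or all extended rights) to the service account.
# Group membership is not expanded here; a grant through a group will show as FAIL.
$rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$canEnroll = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $ServiceAccount -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $ENROLL_RIGHT_GUID -or $_.ObjectType -eq [guid]::Empty)
}
$checks["$ServiceAccount has a direct Enroll ACE (Security tab)"] = [bool]$canEnroll

# The template must also be published on the issuing CA; certutil prints one "<Name>: <Display Name> -- ..." line per template.
$onCa = (& certutil.exe -config $CAConfig -CATemplates 2>$null) -match "^$([regex]::Escape($TemplateName)):"
$checks["Template is published on $CAConfig (certutil -CATemplates)"] = [bool]$onCa

foreach ($c in $checks.GetEnumerator()) {
    '{0} {1}' -f $(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key
}
if ($checks.Values -contains $false) { exit 1 }
```

Run it from an elevated PowerShell prompt on a domain-joined machine (the lab's controlcenter host works). A FAIL on any of the first four lines means the Workspace ONE UEM template and the CA template disagree and enrollment or later authentication will fail; a FAIL on the Enroll or published-on-CA lines means the UEM service account cannot obtain certificates from this template even if the attributes match.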