Integrating Certificate Authority and Workspace ONE UEM

In this steps you will integrate Microsoft CA with Workspace ONE UEM, and configure the Certificate Template to be requested by VMware Browser.

This integration is required for a couple reasons:

  1. Workspace ONE UEM will be requesting and delivering the User Certificate on the user device, fully automated.
  2. Workspace ONE UEM will revoke the certificate when the device is unenrolled.
  3. VMware Browser when accessing the Internal Website needs to present to the Unified Access Gateway the User Certificate to initiate the validation process and transformation of the request to Kerberos.

1. Add Certificate Authority to Workspace ONE UEM

  1. Click Certificate Authorities under Enterprise Integration.
  2. Click Add under the Certificate Authorities tab.

2. Configure Certificate Authority

Configure CA
  2. Select Microsoft ADCS
  3. Select ADCS
  4. Enter controlcenter.corp.local for Server Hostname
  5. Enter corp-CONTROLCENTER-CA for Authority Name
  6. Enter corp\imaservice for User name
  7. Enter VMware1! for Password
  8. Enter VMware1! for Confirm Password
  9. Click Test Connection. A "Test is successful" message will appear on the top.
  10. Click Save and Add Template

3. Add Certificate Template

In this step you will add the certificate template that associates the certificate authority used to generate the user's certificate.

The properties of this certificate template must match the template defined on the CA, otherwise user won't be able to authenticate later using the Certificate.

Configure Template
  1. For the Name of Template enter any unique name of your preference.
  2. Select CONTROLCENTER CA for Certificate Authority
  3. Enter certificatetemplate:MobileUser for Issuing Template
  4. Enter CN={EnrollmentUser} for Subject Name
  5. Select 2048 for Private Key Length
  6. Select both the Signing and Encryption options for Private Key Type
  7. Add SAN Type as Email Address and {Email Address}
  8. Add a second SAN Type as User Principal Name and {UserPrincipalName}
  9. Select Enable Certificate Revocation
  10. Click Save

4. Confirm the Certificate Authority was created

  1. Click the Certificate Authorities tab.
  2. Click Refresh if needed.
  3. Confirm the CONTROLCENTER CA Certificate Authority was added.

4.1. Confirm the Certificate Request Template was created

  1. Click the Request Templates tab.
  2. Click Refresh if needed.
  3. Confirm the MobileUserCertificate Request Template was added.

5. Validating the Certificate Template

There are several ways to validate the Certificate Template available on Microsoft CA, when using Enterprise Microsoft CA you just need open the Certificate Authority and you will see a folder named Certificate Template, when using Standalone CA, our case in this lab, you can use mmc.exe to see the list of templates.

To facilitate, we added a shortcut on the Task Bar of your Desktop that launch a MMC instance with the Certificate Templates already added as Snap-in


Launch MMC

Click the MMC shortcut from the task bar.

5.1. Select MobileUser Template

Open Template
  1. Click Certificate Templates
  2. Right-Click on Mobile User Template
  3. Click Properties

On the following steps will show you where to locate on the template some of the attributes that you defined on the Template in Workspace ONE UEM Console.

5.1.1. Validating Template Name

Template Name
  1. Click the General tab.
  2. Validate that the Template name is MobileUser.

5.1.2. Validating Private Key Type

  1. Click the Request Handling tab.
  2. Confirm the Purpose is set to Signature and encryption.

5.1.3. Validating Private Key Length

  1. Click the Cryptography tab.
  2. Ensure the Minimum key size is 2048.

5.1.4. Validating Subject Name request

  1. Click the Subject Name tab.
  2. Ensure Supply in the request is selected.