Setting up a 3rd Party CA with Workspace ONE in your Lab Environment

If you are looking at doing Certificate-Based Authentication in Workspace ONE, we always recommend you set up a 3rd Party Certificate Authority. Although Workspace ONE UEM does provide an internal CA, it may not provide the flexibility you need to meet all your requirements.

In this blog, we are going to walk through configuring Active Directory Certificate Services (ADCS) with your Workspace ONE UEM & Workspace ONE Access environments. I will be using the Distributed Component Object Model (DCOM) remote protocol for integration. These instructions are specific to a lab environment. Production environments will have tighter controls, especially around service accounts and template settings.

This blog assumes that you already have Active Directory Certificate Services installed and configured.

Disclaimer: These instructions will guide you through the process of setting up your CA in a lab environment. Please consult professional services for anything on production.

A Workspace ONE UEM Cloud Connector is required for this configuration.

Creating a Service Account

  1. Open Active Directory Users and Computers and create a new user account that will be used by Workspace ONE UEM to issue/renew certificates.
  2. In Administrative Tools, launch Certification Authority.
  3. Right-click on your CA and click Properties.
  4. Click on the Security tab -> Add.
  5. Select the service account you just created.
  6. Select the permissions “Issue and Manage Certificates” and “Request Certificates”.
  7. Click OK.

Creating a Certificate Template

  1. In Certification Authority, right-click on Certificate Templates and click Manage.
  2. Locate the “User” template, right-click it and select Duplicate Template.
  3. Provide a name for the certificate template (don’t use any spaces in the template name) and uncheck “Publish Certificate in Active Directory”.
    Note: If this box is left checked, issued certificates will be published to the service account used to enroll them.
  4. Click OK.
  5. Right-click on the new template and click Properties.
  6. Go to the Security tab and assign the service account the ‘Read’ and ‘Enroll’ permissions.
  7. Click the Subject Name tab and select “Supply in the Request”.
  8. Select OK to the warning and click OK again.
  9. Go back to the Certification Authority application.
  10. Right-click Certificate Templates and click New -> Certificate Template to Issue.
  11. Select your new certificate template and click OK.
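As an added check (not part of the original post), this PowerShell reads the duplicated template back out of the AD Configuration partition and confirms the three settings the steps above depend on: “Supply in the Request” on, “Publish Certificate in Active Directory” off, and Enroll granted to the service account. It assumes the ActiveDirectory module, the lab template name WS1Cert used later in this post, and a service account named LAB\svc-ws1ca (an assumed placeholder).

```powershell
# Added example, not part of the original post: read the duplicated template back
# from the AD Configuration partition and confirm it matches the steps above.
# Assumes the ActiveDirectory module, the lab template name "WS1Cert" (from this
# post) and a service account named LAB\svc-ws1ca (assumed placeholder).
Import-Module ActiveDirectory

$TemplateName = 'WS1Cert'
$ServiceAcct  = 'LAB\svc-ws1ca'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -SearchBase $searchBase -Filter "name -eq '$TemplateName'" `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'
if (-not $tmpl) { throw "Template '$TemplateName' not found under $searchBase" }

# "Supply in the request" sets bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
$suppliesSubject = ($tmpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
# "Publish certificate in Active Directory" sets bit 0x8 (CT_FLAG_PUBLISH_TO_DS)
$publishToDs = ($tmpl.'msPKI-Enrollment-Flag' -band 0x8) -ne 0

"Supply in the request     : $suppliesSubject (expected True)"
"Publish certificate in AD : $publishToDs (expected False)"

# Enroll is the extended right with this well-known GUID; an ACE that grants all
# extended rights (empty ObjectType) or GenericAll includes it as well.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$acl = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"
$enrollers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.ObjectType -eq $enrollRight -or
        ($_.ObjectType -eq [guid]::Empty -and
         ($_.ActiveDirectoryRights -band
          [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0))
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

"Principals allowed to Enroll on $TemplateName :"
$enrollers | ForEach-Object { "  $_" }
if ($enrollers -notcontains $ServiceAcct) {
    Write-Warning "$ServiceAcct is missing Enroll on $TemplateName (step 6 above)"
}
```

Because the template lets the requester supply the subject, the Enroll list printed here should contain only the service account; any broader group listed there means step 6 granted more than intended.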

Export your Root CA Public Certificate

  1. Open the Certification Authority app (from Windows Administrative Tools).
  2. Right-click on your CA and click Properties.
  3. Click View Properties.
  4. Click View Certificate.
  5. Click Details and Copy to File.
  6. Follow the Certificate Export Wizard using the Base-64 encoded format to export your root CA certificate.
  7. Save this file locally, as we’ll need to upload it to Workspace ONE Access later.

Creating a New Certificate Authority in Workspace ONE UEM

Note: You will need an installed Workspace ONE UEM Cloud Connector. Verify your connector can be reached by Workspace ONE UEM:

  1. In the Workspace ONE UEM Administration Console, go to Devices -> Certificates -> Certificate Authorities.
  2. Click Add.
  3. Provide a Name and Description.
  4. Provide the hostname used to reach your certificate server.
  5. Enter your CA Authority Name (Note: this is the name that appears in your Certification Authority).
  6. Enter the username and password of the service account.
  7. Click Test Connection.
  8. Click Save.

Creating a New Certificate Template in Workspace ONE UEM

  1. Click on the Request Templates tab in Certificate Authorities (Workspace ONE UEM Administration Console, go to Devices -> Certificates -> Certificate Authorities).
  2. Click Add.
  3. Provide a Name for the Template.
  4. Select the Certificate Authority which you just created.
  5. Enter your Issuing Template in the following format: certificatetemplate:[ADCS-TEMPLATE]. In my lab, my issuing template would be “certificatetemplate:WS1Cert”.
  6. Select the Subject Name. In my environment, I’m going to use the UPN as the subject name. Remember, the subject name is what the browser will present to the user. In Workspace ONE Access, we don’t have to use the subject to match to the correct user.
  7. Select the correct private key length (per your CA settings).
  8. Select both Signing and Encryption.
  9. Under SAN, add the following:
    1. Email Address -> {EmailAddress}
    2. User Principal Name -> {UserPrincipalName}
    3. DNS Name -> UDID={DeviceUid}
  10. Select Automatic Certificate Renewal.
  11. Select Name Certificate Revocation.
  12. Click Save.

Creating your Device Profile

  1. Click on Resources -> Profiles & Baselines -> Profiles.
  2. Click Add -> Add Profile.
  3. Select the Platform for this profile.
  4. Depending on the platform, select User or Device Profile (make sure there is a “Credentials” tab for the platform).
  5. Provide a Name and assign a Smart Group.
  6. Click the Credentials tab.
  7. Select Defined Certificate Authority.
  8. Select your CA.
  9. Select your Template.
  10. Click Save and Publish.

Configuring Workspace ONE Access

  1. In the Workspace ONE Access administration console, go to Identity & Access Management -> Authentication Methods.
    If you previously ran the Workspace ONE UEM Wizards, the “Certificate (cloud deployment)” Authentication Method might already be enabled. If it is already enabled, we are going to need to delete the uploaded CAs and replace them with your Root CA Certificate from ADCS.
  2. Click the Pencil icon beside Certificate (cloud deployment).
  3. Click Enable.
  4. Click Select File and upload your root CA Certificate.
  5. In the User Identifier Search box, select the correct search order:

      Certificate Attribute                  Attribute in Workspace ONE Access
      Subject                                Username
      SAN Attribute: Principal Name          User Principal Name
      SAN Attribute: Email (RFC822 Name)     Email

    Note: I tested using CN in the subject; however, per the documentation, UID should work as well.
  6. Optional – If you want to limit which certificates are allowed, you can use the Certificate Policies Accepted field. Please note that this value refers to Certificate Issuance Policies and NOT application policies (such as Client Authentication).
    1. In your ADCS environment, on your certificate template, click on the Extensions tab and then click Edit for “Issuance Policies”.
    2. Select or create a new Issuance Policy.
    3. Click OK and edit the policy.
    4. Copy the full Object Identifier (yes, it might be a really long value) and paste this value into Workspace ONE Access.
  7. Scroll down and click Save.
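Once a profile has delivered a certificate to a Windows device, the script below (an added example, not from the original post) pulls that certificate from the user’s personal store and prints the two things the Access configuration above matches on: the SAN entries that the UEM request template populates (Email, UPN and the UDID DNS name) and the issuance policy OID that belongs in Certificate Policies Accepted. It assumes the issuing CA name contains the word “Lab” (an assumed value) and that the cert is in Cert:\CurrentUser\My.

```powershell
# Added example, not part of the original post: on an enrolled Windows device,
# inspect the certificate the profile delivered and check the pieces Access
# matches on: the SAN entries set in the UEM request template and the issuance
# policy OID for "Certificate Policies Accepted". Assumes the cert sits in the
# user's personal store and the issuing CA name contains "Lab" (assumed value).
$IssuerMatch = 'Lab'

$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate issued by '*$IssuerMatch*' with a private key found" }

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# Subject Alternative Name is OID 2.5.29.17; Format($true) prints one entry per
# line, e.g. "RFC822 Name=...", "Other Name: Principal Name=...", "DNS Name=UDID=...".
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no SAN extension; check the UEM request template' }
$san = $sanExt.Format($true)
"SAN:`n$san"

# These three correspond to the SAN rows configured in the UEM request template.
foreach ($needed in 'RFC822 Name=', 'Principal Name=', 'DNS Name=UDID=') {
    if ($san -notmatch [regex]::Escape($needed)) {
        Write-Warning "SAN is missing a '$needed' entry"
    }
}

# Certificate Policies (OID 2.5.29.32) carries the issuance policy OID added on
# the template's Extensions tab; that dotted value is what goes into Access.
# It is only present if you took the optional issuance-policy step.
$polExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
if ($polExt) {
    $polText = $polExt.Format($true)
    "Certificate Policies:`n$polText"
    [regex]::Matches($polText, '\d+(\.\d+){3,}') |
        ForEach-Object { "  issuance policy OID: $($_.Value)" }
} else {
    'No Certificate Policies extension present (expected if you skipped the optional step)'
}
```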


9 thoughts on “Setting up a 3rd Party CA with Workspace ONE in your Lab Environment”

  1. Have you tested the renewal process? Also, this is missing that the service account used for the certificate requests needs to have “Impersonate a client Authentication” access on the WS Gateway server.

  2. Thank you for this detailed step-by-step guide. I’m curious to know which permissions the “Domain Users” group has on the certificate template.

  3. Hi :) I’m struggling with an issue on our WorkspaceOne: we have created a certificate template for Mac users that should authenticate on a Cisco ISE. We have found that MacBooks are recognised as a user and not as a machine (on the certificate template, in the Subject Name field, we have specified CN=XX-{DeviceSerialNumber}.domain). It appears correctly on the certificate, but as I said before, Cisco ISE recognises the MacBook as a user. Maybe the information in the Subject Name field should always be included between braces?

    Example:

    CN={XX}:{EmailDomain}:{EnrollmentUser}:{EmailDomain}

    Do you have any ideas? Thanks for the support.

    1. It sounds like you are using the wrong template in UEM. Most documentation in WS1 is for user templates. You will need the correct template that Cisco is looking for.

  4. Thanks for the reply. The certificate seems correctly compiled and filled with the same information that we found on the certificate used by Windows PCs. I will try to find out what Cisco is expecting on a certificate.

  5. Hi Steve, thanks for a lot of very useful tutorials.
    You mentioned at the beginning of this article that we can use the internal CA of Workspace ONE UEM.
    I’m struggling to find documentation on how to actually use it, set it up, etc.
    Can you help me regarding that?
    Thanks

    1. There really is no configuration of the CA within UEM. When you integrate UEM with Workspace ONE using the wizards (I have a getting started blog), it will create all the certificate templates in UEM and configure Access with everything you need.
