Setting up a 3rd Party CA with Workspace ONE in your Lab Environment

If you are looking at doing certificate-based authentication in Workspace ONE, we always recommend you set up a 3rd party Certificate Authority. Although Workspace ONE UEM does provide an internal CA, it may not give you the flexibility you need to meet all your requirements.

In this blog, we are going to walk through configuring Active Directory Certificate Services (ADCS) with your Workspace ONE UEM & Workspace ONE Access environments. I will be using the Distributed Component Object Model (DCOM) remote protocol for integration. These instructions are specific to a lab environment. Production environments will have tighter controls, especially around service accounts and template settings.

This blog assumes that you already have Active Directory Certificate Services installed and configured.

Disclaimer: These instructions will guide you through the process of setting up your CA in a lab environment. Please consult professional services for anything on production.

A Workspace ONE UEM Cloud Connector is required for this configuration.

Creating a Service Account

  1. Open Active Directory Users and Computers and create a new user account that Workspace ONE UEM will use to issue and renew certificates.
  2. In Administrative Tools, launch Certification Authority.
  3. Right-click your CA and click Properties.
  4. Click the Security tab -> Add.
  5. Select the service account you just created.
  6. Select the permissions “Issue and Manage Certificates” and “Request Certificates”.
  7. Click OK.

Creating a Certificate Template

  1. In Certification Authority, right-click Certificate Templates and click Manage.
  2. Locate the “User” template, right-click it and select Duplicate Template.
  3. Provide a name for the template (don’t use any spaces in the template name) and uncheck “Publish certificate in Active Directory”.
     Note: If this box is left checked, the issued certificates are published in Active Directory under the service account used to enroll them.
  4. Click OK.
  5. Right-click the new template and click Properties.
  6. Go to the Security tab and assign the service account the ‘Read’ and ‘Enroll’ permissions.
  7. Click the Subject Name tab and select “Supply in the request”.
  8. Click OK on the warning and click OK again.
  9. Go back to the Certification Authority application.
  10. Right-click Certificate Templates and click New -> Certificate Template to Issue.
  11. Select your new certificate template and click OK.
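Once the template is published, this PowerShell audit (added here; it is not part of the original post) reads the template object back from Active Directory and reports the three settings chosen above plus every principal holding Enroll, so you can confirm the service account is the only enroller before pointing UEM at it. It assumes the RSAT ActiveDirectory module, the template name WS1Cert used later in this post, and a placeholder service account LAB\svc-ws1.

```powershell
# Added audit script (not from the original post): read back the duplicated template's
# settings and Enroll rights. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$TemplateName   = 'WS1Cert'      # assumption: the template name used later in the post
$ServiceAccount = 'LAB\svc-ws1'  # assumption: placeholder for the UEM service account

# Templates live in the Configuration partition, not in the CA's own store
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -Identity $dn -Properties flags, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'

# Bit values from the pKICertificateTemplate schema
$CT_FLAG_PUBLISH_TO_DS             = 0x8  # General tab: "Publish certificate in Active Directory"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # Subject Name tab: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2  # Issuance tab: "CA certificate manager approval"

$publishToDs   = ($tpl.flags -band $CT_FLAG_PUBLISH_TO_DS) -ne 0
$supplyInReq   = ($tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$needsApproval = ($tpl.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0

"Publish to AD           : $publishToDs  (expected: False, per the steps above)"
"Subject supplied in req : $supplyInReq  (expected: True, UEM fills in the subject)"
"Manager approval        : $needsApproval"

# Enroll is the extended right with this well-known GUID; a GenericAll or an
# unscoped ExtendedRight grant covers it as well.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$enrollers = (Get-Acl -Path "AD:\$dn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            (($_.ActiveDirectoryRights -band $all) -ne 0) -or
            ((($_.ActiveDirectoryRights -band $ext) -ne 0) -and
             ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty))
        )
    } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

"Principals with Enroll  : $($enrollers -join ', ')"

# With the subject supplied in the request and no approval step, every Enroll
# holder can obtain a certificate for any identity, so only the service account
# (plus the admin groups you expect on every template) should appear above.
$unexpected = $enrollers | Where-Object { $_ -ne $ServiceAccount }
if ($supplyInReq -and -not $needsApproval -and $unexpected) {
    Write-Warning "Enroll is granted beyond ${ServiceAccount}: $($unexpected -join ', ')"
}
```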

Export your Root CA Public Certificate

  1. Open the Certification Authority app (from Windows Administrative Tools).
  2. Right-click your CA and click Properties.
  3. Click View Properties.
  4. Click View Certificate.
  5. Click Details and then Copy to File.
  6. Follow the Certificate Export Wizard, choosing the Base-64 encoded format, to export your root CA certificate.
  7. Save this file locally; we’ll upload it to Workspace ONE Access later.

Creating a New Certificate Authority in Workspace ONE UEM

Note: You will need an installed Workspace ONE UEM Cloud Connector. Verify that Workspace ONE UEM can reach your connector before continuing.

  1. In the Workspace ONE UEM Administration Console, go to Devices -> Certificates -> Certificate Authorities.
  2. Click Add.
  3. Provide a Name and Description.
  4. Provide the hostname used to reach your certificate server.
  5. Enter your CA Authority Name (Note: this is the name that appears in your Certification Authority console).
  6. Enter the username and password of the service account.
  7. Click Test Connection.
  8. Click Save.

Creating a New Certificate Template in Workspace ONE UEM

  1. Click the Request Templates tab in Certificate Authorities (in the Workspace ONE UEM Administration Console, go to Devices -> Certificates -> Certificate Authorities).
  2. Click Add.
  3. Provide a Name for the template.
  4. Select the Certificate Authority you just created.
  5. Enter your Issuing Template in the following format: certificatetemplate:[ADCS-TEMPLATE]. In my lab, my issuing template would be “certificatetemplate:WS1Cert”.
  6. Select the Subject Name. In my environment, I’m going to use the UPN as the subject name. Remember, the subject name is what the browser will present to the user. In Workspace ONE Access, we don’t have to use the subject to match to the correct user.
  7. Select the correct private key length (per your CA settings).
  8. Select both Signing and Encryption.
  9. Under SAN, add the following:
     1. Email Address -> {EmailAddress}
     2. User Principal Name -> {UserPrincipalName}
     3. DNS Name -> UDID={DeviceUid}
  10. Select Automatic Certificate Renewal.
  11. Select Name Certificate Revocation.
  12. Click Save.

Creating your Device Profile

  1. Click Resources -> Profiles & Baselines -> Profiles.
  2. Click Add -> Add Profile.
  3. Select the platform for this profile.
  4. Depending on the platform, select User or Device Profile (make sure the platform has a “Credentials” tab).
  5. Provide a Name and assign a Smart Group.
  6. Click the Credentials tab.
  7. Select Defined Certificate Authority.
  8. Select your CA.
  9. Select your template.
  10. Click Save and Publish.

Configuring Workspace ONE Access

  1. In the Workspace ONE Access administration console, go to Identity & Access Management -> Authentication Methods.
     If you previously ran the Workspace ONE UEM wizards, the “Certificate (cloud deployment)” authentication method might already be enabled. If it is, delete the uploaded CAs and replace them with your root CA certificate from ADCS.
  2. Click the pencil icon beside Certificate (cloud deployment).
  3. Click Enable.
  4. Click Select File and upload your root CA certificate.
  5. In the User Identifier Search box, select the correct search order:

     Certificate Attribute                 Attribute in Workspace ONE Access
     Subject                               Username
     SAN Attribute: Principal Name         User Principal Name
     SAN Attribute: Email (RFC822 Name)    Email

     Note: I tested using CN in the subject; however, per the documentation, UID should work as well.
  6. Scroll down and click Save.

