SSL Signing Certificates: Expiration & Renewal


A digital signing certificate is used to indicate that information sent from a server to a client has been verified by a trusted source.  The Certificate Authority that issues the certificate verifies the business in question and the ownership of the domain to confirm that the site in question is legitimate.  Using this same approach, AirWatch administrators can choose to apply a signing certificate to profiles that are issued to devices in order to confirm that they are coming from a legitimate source. 

If a valid SSL certificate is used to sign profiles, then end users will see that the MDM profile has been verified by a trusted source when asked to install, as shown in the image on the left below.  If an expired or otherwise invalid SSL certificate is used, then the profile will show as Not Verified instead.  In this case, the client cannot be sure that the profile was sent by the server directly.  If no certificate is used at all, then the profile will simply show as unsigned. 

IosVerified.png   IosNotVerified.png


Signing Profiles in AirWatch

In order to sign iOS profile in AirWatch, a valid SSL certificate must be uploaded to the console.  If required, this certificate can be overridden on a per-location group basis.  Navigate to Devices > Settings > Apple > Profiles, and check the box that says “Sign Profiles (Requires Server SSL Cert).”  Here, you will be asked to upload the certificate, and the AirWatch console will report the certificate thumbprint, validity dates, and information about who the certificate was issued by and to.  

This is typically configured at your highest Organization Group level so that it applies to all potential profiles. Once a certificate is configured, all iOS profiles, including the MDM profile itself, will be signed and verified when they are pushed to devices.  During the installations and updates of profiles, the Verified indicator will demonstrate that the profile installation request was initiated from a trusted source. 




Typically, SSL certificates are valid for one to five years.  During this time, all profiles will show as verified during installations, and all profiles that are currently installed using the signing certificate will continue to show as Verified on the device.  If the certificate expires, then all new profile installations (including enrollment) will show that the profiles are not verified.  In addition, profiles that are currently installed on the device will now show as not verified.  In order to verify any new profile installations as from a trusted source, a new or renewed SSL certificate must be uploaded the AirWatch console.

AirWatch will help notify you of an upcoming expiration by displaying a message in the Admin Console. 


Impact of Expiration

Expiration has no functional impact on the behavior of installed profiles. Profiles originally signed with a now expired certificate will continue to function as they always have. 

On iOS devices the installed profile is tied to the signing certificate that was originally installed with. Thus, profiles currently installed on the device will show as Not Verified if viewed from the device settings.  Even so, once the profile is installed on the device, it no longer plays a part in any network transactions unless the profile itself is updated and published to the device.  

Note: Even if the SSL signing certificate is renewed, profiles currently on enrolled devices will always display the certificate used when the profile was first installed.  Thus, existing profiles will show as Not Verified even after the signing cert is renewed.

In addition, a profile that has been installed using one signing certificate cannot be updated by a profile that uses a different signing certificate in older versions of the AirWatch console.  In essence, if a profile is already installed on a device, no changes can be made to the profile on that device once a new SSL certificate has been configured in the console.  The iOS device will notice the signature mismatch and refuse the installation of the updated profile.  Instead, the older profile must first be removed from the device, and then the updated profile can be installed using the new signing certificate.

Introduced in the 6.3 version of AirWatch is a mechanism that will use the profile information stored in the database to guarantee all profiles are pushed with the correct signing certificate. With this mechanism, a history of all uploaded certificates is stored on the server, and the console will determine the correct certificate to use to sign each profile for each device on a case-by-case basis.  With this feature, it is no longer necessary to remove and then push profiles in order to implement changes after a signing certificate update.



To renew your certificate please follow the process outlined by your certificate vendor. For instance, if you have purchased an SSL certificate from GoDaddy please follow their procedures for obtaining a new one. 

Once you have the new certificate you can upload it to AirWatch from the page above (System Settings > Device > iOS > Profiles). 

  1. Click the Replace button
  2. Then proceed to upload your new certificate.  

Other Languages: 日本語

Have more questions? Submit a request


Article is closed for comments.