FAQ: Certificate Management

What is a digital certificate?

Enterprise mobility requires access to e-mail, Wi-Fi, VPN, applications, etc., making devices vulnerable to theft. Because storing directory credentials puts the user’s identity at risk, certificates are a great option to providing device client authentication and encryption. A certificate uses a digital signature to bind a public key with an identity, demonstrating authenticity and keeping information protected.


What are the advantages of using certificates? 

  • Cross Platform Scalability
  • Multi Functionality (Encryption, Message Signing, Authentication)
  • High Security


What are the two ways that AirWatch integrates with the Certificate Infrastructure? 

  1. Direct Certificate Authority (CA)
  2. Simple Certificate Enrollment Protocol (SCEP)


What are the disadvantages of a SCEP only implementation? 

You are limited to only one certificate template.


Can AirWatch talk directly to my Enterprise CA? 

Yes, AirWatch can be configured to communicate to ADCS directly. The benefit of this method is that AirWatch can request multiple certificate templates from the CA ( such as one for WiFi, EAS, and VPN) instead of only one.


Can AirWatch automatically renew and revoke certificates? 

Yes, when a certificate has expired it will be automatically renewed.


In the Console, there is a field for Auto Renewal Period (days). How does this value relate to the value that is set in the CA settings? Does one override the other? Does the lesser of the two trigger first?

The setting in both cases is meant to determine the period within which a client attempts to auto-renews its certificate. The picture below will encourage Windows client computers to auto-renew their certificates within that specified period. However, AirWatch does not use this value when managing the device certificate's life cycle.

The certificate renewal period setting in the AirWatch console template section is what the AirWatch application will use as the threshold for renewal attempts when managing the life cycle of device certificates issued with that particular template.


What is required for certificate renewal/revocation?

EIS is required to do either of these (unless AirWatch is on-premise with direct CA integration).


Can EIS still be used On-Premise? 

As long as you have direct CA integration in your on premise environment you do not need EIS. This means that the AirWatch Device Services Server needs to be on the same domain as the CA.


Is EIS proxy aware for Microsoft ISA or Microsoft TMG?

Yes, EIS supports HTTP Authentication of traffic from a network reverse proxy of WAF ( such as Microsoft ISA of Forefront TMG).


Does EIS support a wildcard certificate? 

Yes, it does.


Does certificate auto- renewal work for both iOS and Android?  

Yes, it does.


Does certificate auto- renewal work with Microsoft nDES  at all?

Yes, if the AirWatch Device Services (DS) Servers are in the DMZ. Otherwise, if the DS Servers have direct integration with CA, use DCOM.


Does functionality require connectivity to an issuing CA? Can we use our existing issuing CA for this or do we need a dedicated server for AirWatch? 

You can use your existing CA.


In order for the certificate auto-renewal to work for our existing devices enrolled into AirWatch, do we need to re-enroll these devices or will the functionality be applied to these devices as-is? 

You should not have to re-enroll devices. However, devices may lose connectivity for these services during the certificate renewal.

Have more questions? Submit a request


Article is closed for comments.