How to replace the SSL certificate on an AWCM server
The SSL certificate used by the AWCM application can be replaced in two ways. You can manually update the java key store using keytool commands, or you can reinstall the AWCM application component with the new certificate.
Note: The password with which the new certificate is exported, needs to match the password with which the old certificate was exported. Moreover, this password is also the keystore password.
- Log into the AWCM server in question.
- Open a command prompt, and navigate to the AWCM config directory (C:\AirWatch\AirWatch<version>\AWCM\config by default) and run the following:
keytool -list -v -keystore awcm.keystore
- Type in the password when prompted (make a note of the password, the new awcm.keystore file needs to use the same password).
- Export the new SSL certificate from the appropriate 3rd party CA (or local CA for certain On-Premises deployments), and make sure the full signing chain is exported. Additionally, make sure that the password used to export is the same as the one used for the current awcm.keystore, otherwise the import will succeed but when AWCM starts an error message below will appear and the status page will refuse to load (as the pre-configured password will be incorrect and the AWCM app will not be able to open the keystore).
- Copy the certificate into the AWCM config directory (C:\AirWatch\AirWatch<version>\AWCM\config by default).
- Run the following command to replace SSL cert on AWCM servers:
keytool -importkeystore -srckeystore <new-pfx-cert-name>.pfx -srcstoretype
pkcs12 -destkeystore awcm.keystore.new -deststoretype JKS
- Once this has completed successfully, you will now see a new file named keystore.new in the config directory.
- Stop the AWCM service.
- Rename the keystore to awcm.keystore.old.
- Rename the keystore.new to awcm.keystore.
- Start the AWCM service.
- Using a valid AWCM url, try to hit the page (https://<External_AWCM_URL>/awcm/statistics) and if the status page loads then check the certificate details. It should now display the values for the newly uploaded cert.
- If the status page fails to load, check the log files.
- If rollback is required, rename the keystore to awcm.keystore.new Then, rename awcm.keystore.old to awcm.keystore and restart AWCM. This will restore the previous settings.
AWCM reinstallation method
- Obtain the full chain (.pfx or .p12) of your renewed SSL certificate.
- If your AWCM is shared with other AirWatch components, then on the server where they are all installed, navigate to Programs and Features (Add/Remove Programs), locate AirWatch, and select Change. Then select Add/Remove AirWatch features and proceed to step 4.
- If you installed AWCM on a standalone server, then:
- Obtain the full AirWatch installer that corresponds to the current Workspace ONE UEM version your environment is running and copy it to the server AWCM is on. If you kept your last-used installer, you can use it. Otherwise, contact Workspace ONE Support to receive the installer for your specific AirWatch version.
- Run the installer on the server where AWCM is installed. Important: Depending on which components are installed on your server with AWCM, you could experience disruptions in service or functionality during the re-installation process. Refer to the VMware AirWatch Upgrade Guide for more details on stopping and restarting services.
- During installation, on the AirWatch Features screen, right-click AirWatch Cloud Messaging and select This feature will not be available. Proceed with the remainder of the installation to completion.
- If your AWCM is shared with other AirWatch components, then once again navigate to Programs and Features and select Change for the AirWatch application. Then select Add/Remove AirWatch features and skip the next step.
- If your AWCM is installed as a standalone server, then run the installer again.
- On the AirWatch Features screen, right-click AirWatch Cloud Messaging and select This feature will be installed on the local hard drive. Proceed with the installation until you reach the AWCM server settings screen with the Use custom SSL certificate? check box.
- Browse to the location of the full chain (.pfx or .p12) of your renewed SSL certificate.
- Enter the certificate password and select Next. Proceed with the remainder of the installation to completion.
Other Languages: 日本語