Workspace ONE UEM Code Signing


The server code for Workspace ONE UEM is digitally signed with a code signing certificate to ensure the code is the same when it is delivered as it was when it was signed.  The Windows operating system verifies the code singing certificate via several methods including a certificate revocation list (CRL) check.

Our code signing certificate was updated in February of 2018 and it is now provided by DigiCert (the previous code signing cert was provided by Symantec).  Workspace ONE UEM Console 9.3+ and patch releases since February of 2018 are leveraging the cert from DigiCert.


Customer Impact

This applies to all.NET based Windows server components which include Workspace ONE UEM servers (console, device services, device management, API, self-service portal) as well as the ancillary components (ACC, SEG v1 (.NET), Content Gateway (.NET), ENS v1 and v2, Pull Service (.NET), Factory Provisioning Service). If you are not experiencing issues related to Windows services or the IIS web applications starting, there are no actions needed.

Customers will need to make sure the root and intermediate DigiCert certificates are in the computer account of the server’s trusted root and intermediate certificates authorities. 

Access to the CRL URL will also need to be made available. 

DigiCert Assured ID Root CA (Root certificate):

DigiCert SHA2 Assured ID Code Signing CA (Intermediate certificate):


What happens if the above certificates are not present in the certificate authorities or if access is not granted to the CRL URLs?

  • Windows services will fail to start after a timeout period (Windows default is 30 seconds)
  • Web applications will fail to load


Support Contact Information

To receive support, either submit a ticket via the My Workspace ONE  portal or call your local support line.


Best Regards,

The VMware Workspace ONE Team

Other Languages: 日本語

Have more questions? Submit a request


Article is closed for comments.