Updating Certificates for Workspace ONE UEM Services


The following is a general guide to renewing the SSL, signing, and APNs certificates used by the Workspace ONE UEM services: Console, Device Services, Application Programming Interface (API), Email Notification Service version 2 (ENS2), Secure Email Gateway version 2 (SEG2), AirWatch Cloud Messaging (AWCM) and VMware Advanced Remote Management (ARM). Information regarding updating certificates for VMware Identity Manager (vIDM) services can be found here.


Public SSL Certificates

To renew the certificate for your Console server you must obtain a public SSL certificate from a third-party certificate authority. When renewing this certificate, we recommend that the certificate be in .pfx format, because in this format the private key is bundled with the certificate.

If TLS is terminated on the Load Balancer, the renewed certificate needs to be installed on the Load Balancer rather than on the Console server, the Device Services (DS) server, the API server, the ENS2 server and the AWCM server.
Note: The certificate needs to be updated in each data center. If the certificate is not stored on the Load Balancer, follow the per-server steps below.

Once you have acquired this certificate, import it into the Personal store of the Local Computer certificate store on each server, using the Microsoft Management Console (MMC) or IIS Manager as described below.


Steps to Update the Public SSL Certificate for the Console server, the Device Services (DS) server, the Application Programming Interface (API) server, and the Email Notification Service version 2 (ENS2) server:

  1. Launch IIS Manager
  2. In the Connections pane, select the server node
  3. Double-click Server Certificates
  4. Select Import in the Actions pane on the right-hand side
  5. Import the .pfx certificate and allow the import to complete
  6. Expand Sites and select the Default Web Site (the site hosting the UEM service)
  7. Click Bindings and select the https binding on port 443, then click Edit
  8. Select the newly uploaded certificate from the SSL certificate drop-down
  9. Click OK
  10. Perform an IIS reset
  11. Browse to the Console/DS/API/ENS2 URL, view the certificate details in the browser, and verify that the served certificate is the renewed one (check the expiry date and thumbprint)
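The same eleven steps as a script, added here as an example and not taken from the article or from the Workspace ONE product. It uses the built-in PKI and WebAdministration modules; the .pfx path, site name and hostname are placeholders, and Test-ServedCertificate is a helper written for this example. Run it in an elevated PowerShell session on a Console, Device Services, API or ENS2 server that terminates TLS itself (not behind a Load Balancer that holds the certificate).

```powershell
# Added example, not from the KB article: the IIS steps above as a script.
# Placeholders (assumptions): $PfxPath, $SiteName, $Hostname. Run elevated on the
# Console / Device Services / API / ENS2 server that terminates TLS itself.
Import-Module PKI
Import-Module WebAdministration

$PfxPath  = 'C:\certs\ds.example.com-renewed.pfx'   # assumed path to the renewed certificate
$SiteName = 'Default Web Site'                       # the site the UEM service is bound to
$Hostname = 'ds.example.com'                         # assumed public FQDN of this service
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Steps 1-5: import into the Local Computer Personal store (Cert:\LocalMachine\My).
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; export it again as .pfx with the key.' }
# .Thumbprint has no spaces, unlike the value copied from the MMC Details tab.
"Imported $($cert.Subject), expires $($cert.NotAfter), thumbprint $($cert.Thumbprint)"

# Steps 6-9: repoint the existing https binding on 443 at the new certificate.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if (-not $binding) { throw "No https binding on port 443 for '$SiteName'." }
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# Step 10: restart IIS so the worker processes pick up the new binding.
iisreset /restart | Out-Null

# Step 11: verify from the network side rather than trusting the binding dialog.
# Reports what the server actually presents and whether the served chain validates.
function Test-ServedCertificate {
    param([string]$ComputerName, [int]$Port = 443, [string]$ExpectedThumbprint)
    $captured = @{ ChainStatus = @(); Depth = 0 }
    $onValidate = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $captured.ChainStatus = @($chain.ChainStatus | ForEach-Object Status)
        $captured.Depth = $chain.ChainElements.Count
        $true   # accept the handshake so the result can be inspected; errors are reported below
    }.GetNewClosure()
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $onValidate)
        $ssl.AuthenticateAsClient($ComputerName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host          = "$ComputerName`:$Port"
            Subject       = $served.Subject
            NotAfter      = $served.NotAfter
            DaysRemaining = [int]($served.NotAfter - (Get-Date)).TotalDays
            Thumbprint    = $served.Thumbprint
            MatchesNew    = ($served.Thumbprint -eq $ExpectedThumbprint)
            ChainDepth    = $captured.Depth
            ChainErrors   = ($captured.ChainStatus -join ',')   # empty string means the chain validated
        }
    } finally { $tcp.Close() }
}

Test-ServedCertificate -ComputerName $Hostname -ExpectedThumbprint $cert.Thumbprint | Format-List
```

MatchesNew confirms the binding change took effect; ChainErrors is where a missing intermediate shows up (for example PartialChain or UntrustedRoot), which the browser check in step 11 can hide if the client machine already has the intermediate cached. The same check can be pointed at each data center, since the certificate has to be replaced in every one.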


Steps to Update Public SSL Certificate for Secure Email Gateway version 2 (SEG2)

The certificate for SEG2 can be uploaded to the Console or to the local server during installation.
Note: Generally customers are encouraged to upload the certificate through the Workspace ONE UEM Console. During initial setup, customers will have a choice between the two options noted below. It is recommended that, once an option is selected, it is used for all future certificate updates.
Option 1: Updating the certificate in the Workspace ONE UEM Console 

Update the SSL certificate in the Mobile Email Management (MEM) configuration. Once this is completed, the SEG2 servers pick up the new certificate on the next restart of their services. Services can be cycled manually to apply the change immediately.

  1. Navigate to the VMware Workspace ONE UEM Console
  2. Go to Groups & Settings > All Settings > Email > Configuration
  3. Select the configuration for the Secure Email Gateways which are to be updated by clicking the edit button (Pencil Icon)
  4. Verify your platform settings and click Next
  5. In the Deployment section, under Internal Settings upload the new certificate
  6. After the certificate has been uploaded, follow the rest of the Email Configuration Wizard and save the configuration

Option 2: Updating the certificate locally on the SEG2 server by running the SEG installer
Note: This method will require that the certificate is uploaded to each SEG server used in the UEM environment. Customers who have selected this method will not be able to use the first option for future certificate updates.

  1. Run the SEG v2 installer as an administrator
  2. Click Next
  3. Select the 'Modify' radio button and click Next
  4. The AirWatch API information should already be populated; verify that this information is correct and then click Next
  5. Enter the Outbound proxy information, if applicable
  6. On the next window, upload the 'new' certificate and the respective password, then click Next
  7. Click Install. The installer runs through the installation process; once it completes, click Finish to exit the installer.


Steps to Update Public SSL Certificate for AWCM

If your Workspace ONE environment is deployed On-Premises with AWCM using an SSL certificate, AWCM must be updated with the renewed certificate before the current SSL certificate expires in order to maintain functionality. Follow the steps below to perform the update. Keep in mind that, depending on which Workspace ONE product suite components are installed on the server, you could experience disruptions in service or functionality during the renewal process. The full chain of the renewed SSL certificate in .pfx or .p12 format is required to perform this renewal.

  1. On the server, navigate to Programs and Features (Add/Remove Programs)
  2. Select AirWatch and click Change
  3. Select the Add/Remove AirWatch features option and click Next
  4. Right-click AirWatch Cloud Messaging (AWCM) and click "This feature will not be available." from the context menu and proceed with the installer
    Note: If AWCM is the only UEM component installed on the server, this will uninstall all AWCM services.
  5. Return to Programs and Features (Add/Remove Programs)
  6. Select AirWatch and click Change
    Note: If AirWatch is not an available option in the window run the AWCM installer corresponding to the Workspace ONE version in your environment. If you no longer have access to your AWCM installer, reach out to the VMware Workspace ONE Team.
  7. Right-click AirWatch Cloud Messaging (AWCM) and click "This feature will be installed on local hard drive." from the context menu.
  8. Proceed through the installer to the AWCM server settings screen which includes the "Use customer SSL certificate?" check box
  9. Locate and select the full chain of your renewed SSL certificate.
  10. Enter your certificate password and proceed with the rest of the installation
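Because the AWCM procedure above removes the feature before the installer asks for the renewed certificate, it is worth confirming beforehand that the .pfx/.p12 really carries the full chain and the private key. The following check is an added example (not from the article or the product); the file path is a placeholder, Test-PfxFullChain is a helper written for this example, and it relies only on .NET classes available on any Windows server. The same check applies to the .pfx handed to the SEG2 installer in Option 2.

```powershell
# Added example, not from the KB article: inspect a renewed .pfx/.p12 before
# removing the AWCM feature, so the installer is not fed a file that lacks the
# full chain or the private key. The path below is an assumption; the password is prompted for.
function Test-PfxFullChain {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $coll  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    # DefaultKeySet: the key is loaded into a temporary container and not persisted on this machine.
    $coll.Import($Path, $plain, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

    $leaf = @($coll | Where-Object HasPrivateKey) | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key found in $Path; re-export with the key." }
    $bundled = @($coll | Where-Object { $_.Thumbprint -ne $leaf.Thumbprint })

    # Build the chain, offering the file's own extra certificates as candidates. Windows will also
    # consult the local store and AIA URLs, so afterwards check that every element of the built
    # chain actually came from the file - that is what "full chain in the .pfx" means for the installer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not the question here
    foreach ($c in $bundled) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $built = $chain.Build($leaf)

    $missing = foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        if ($c.Thumbprint -ne $leaf.Thumbprint -and $bundled.Thumbprint -notcontains $c.Thumbprint) { $c.Subject }
    }
    [pscustomobject]@{
        Leaf            = $leaf.Subject
        NotAfter        = $leaf.NotAfter
        ChainBuilds     = $built
        ChainStatus     = ($chain.ChainStatus | ForEach-Object Status) -join ','
        ChainDepth      = $chain.ChainElements.Count
        BundledInFile   = $bundled.Count
        MissingFromFile = @($missing)          # issuers the chain needed but the file does not contain
        FullChainInFile = (@($missing).Count -eq 0)
    }
}

$path = 'C:\certs\awcm.example.com-renewed.pfx'   # assumed location of the renewed certificate
Test-PfxFullChain -Path $path -Password (Read-Host -AsSecureString -Prompt 'PFX password') | Format-List
```

If FullChainInFile is False, MissingFromFile lists the intermediate or root subjects to add before re-exporting the .pfx; a chain that builds only because the server happened to have the intermediate cached will not help a device that talks to AWCM.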


Steps to Update Public SSL Certificate for Advanced Remote Management (ARM):

In order to renew a public SSL certificate for Advanced Remote Management you are required to create a Certificates snap-in in the Microsoft Management Console (MMC), install the renewed certificate through the MMC, bind the site certificate to a website (Mgmt Web Site), and update the renewed site certificate's thumbprint using the Admin Web Portal.

Creating a Certificates Snap-In in the MMC

  1. From the RM-server, click Start
  2. In the Search programs and files field, type mmc
  3. From the Programs list, click mmc.exe
  4. From the Microsoft Management Console (MMC), click File > Add/Remove Snap-in
  5. From the list of snap-ins, select Certificates
  6. Click Add
  7. Select Computer account
  8. Click Next
  9. Select Local computer (the computer this console is running on)
  10. Click Finish
  11. In the Add/Remove Snap-in window, click OK

Installing a renewed Certificate in the MMC

  1. In the Console Root pane, click on the Certificates (Local Computer)
  2. Expand the Personal Folder
  3. Right click Certificates
  4. Click All Tasks, select Import and click Next
  5. Click Browse and select the renewed certificate from the stored location
  6. Enter the site certificate password, select Place all certificates in the following store (Personal), click Next, and then click Finish

Binding the site certificate to a website

  1. Open Internet Information Services (IIS) Manager (Start > Run... > InetMgr.exe)
  2. In the Connections pane, click on the server name, and expand the node
  3. In the Connections pane, click on the Site node and expand the selection
  4. Select Mgmt Web Site (the site to be rebound with the renewed certificate)
  5. From the Actions pane, select Bindings
    This action will open the Site Bindings window
  6. In the Site Bindings window, select the binding with "https" and click Edit
  7. In the Edit Site Binding window, in the SSL certificate section, select the renewed certificate and click OK to confirm the selection

Updating the renewed site Thumbprint using the Admin Web Portal

  1. Copy the certificate Thumbprint from the certificate's Details tab and paste it into a text editor
  2. Delete the spaces between the hex pairs so the Thumbprint is one continuous string, then copy it
  3. Log into the Admin web portal using your directory credentials
    Example: https://yourdomain.com/AdminWebPortal/Login.aspx
  4. Select Default Service Configuration
  5. In the search menu, search for certId
  6. In the Options pane, click Edit
  7. Update the renewed SSL certificate thumbprint and click Save
  8. Click Service Configuration
  9. Search for ConnectionProctorService
  10. For both Active and Inactive ConnectionProctorServices edit and update the :ctl.svc.cnp.tch/certid parameters value with the renewed SSL certificate thumbprint and click Save
  11. Click the Update button at the bottom of the page
  12. Restart all services (Core and IIS services)


Signing Certificates

To renew your signing certificate, follow the process outlined by your certificate vendor. Once you have acquired the new certificate, perform the following in the Workspace ONE UEM Console:

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Profiles
  2. Select Replace
  3. Upload the new certificate.

Note: Newly enrolled devices will display a Verified status on the MDM profile. Devices enrolled before this certificate is updated will display a status of Not Verified on the MDM profile. There is no difference in functionality. For further information, please refer to the SSL Signing Certificates: Expiration & Renewal article.


APNS Certificates

The APNs certificate configuration page is located in the Workspace ONE UEM Console. The certificate is stored in the database, so the renewal only needs to be completed once for the environment. For more information, refer to the How to renew an APNs Certificate article.

To configure the APNs certificate please perform the following:

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM
  2. Complete the certificate request by following the Wizard in the Console.





