It is not complicated to deploy certificates from Active Directory Certificate Services (ADCS) to a Workspace One managed client.

First of all, you need a running Certification Authority (CA). In my test environment I use a single enterprise CA. In the real world you will have a two- or three-tier CA environment, but the procedure is the same as in my example.

To deploy certificates, it is necessary to have an active AirWatch Cloud Connector (ACC) running. The connector is used for requesting the certificates and sending them to Workspace One.

Network requirements

The following ports must be open between the CA and the ACC:

  • Port 135: Microsoft DCOM Service Control Manager
  • Ports 1025 – 5000: Default ports for DCOM processes
  • Ports 49152 – 65535: Dynamic Ports

If you changed the default ports, you need to open your custom ports instead, of course.

Create AD User for certificate request

It also makes sense to create a dedicated AD user for the requests. So I created a user with the username SRV_WSOCA. This user is just a default AD user without any special rights.

Configure CA

On the CA side, we need to add this user to the CA security settings. Navigate to your CA server and open the certsrv MMC (or open an MMC and add the Certification Authority snap-in). Open the Properties of the server and navigate to the Security tab.

On the Security tab, click Add and search for the service account you created before (in my example, SRV_WSOCA).

Choose the following permissions for the user:


“Grant Read”, “Issue and Manage Certificates” and “Request Certificates” permissions 

Configure Workspace One settings

Once ADCS and the ACC are installed, we can configure the settings in the Workspace One console.

Navigate to All Settings and then

System -> Enterprise Integration -> Certificate Authorities

Then click the “ADD” button.

You can choose any name you want. I chose myws1-EnterpriseCA.

Server Hostname is the FQDN of the CA Server.

Authority Name is the name of the CA. You can find the Authority Name in the Certification Authority MMC:

We choose the service account we created in the steps before.

After we have finished all the required settings, we can test the connection.

The ACC will try to connect to the CA with the entered data. If the test is successful, we can save the settings.

Create a Certificate Template

Jump back to the CA server (or the MMC) and open the Certificate Templates Console (right click on Certificate Template).

We will deploy a user certificate so that we can use it for single sign-on to the Workspace One app.

So scroll down to “User”, right click and choose “Duplicate Template”.

Open the “General” Tab and rename the Template. I chose “Workspace One User”.


Note that your “Template name” has no spaces. This “Template name” is the name we need to add in Workspace One.

Next, open the Subject Name tab and change the radio button to “Supply in the request”.

If other settings need to be changed, continue. Otherwise confirm the window with “OK”.

You should now see the “WorkspaceOne User” certificate template in the “Certificate Templates Console”.

You can add additional templates if needed, or you can close the window.

Back in the Certification Authority console right click on

Certificate Templates -> New -> Certificate Template to Issue

We need to “activate” the template so that the CA can enroll certificates based on this template.

Now choose the newly created certificate template “WorkspaceOne User” and click “OK”.

You should now see the certificate template listed in the CA console.
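
Because this template lets the requester supply the subject, it is worth confirming that only the service account can enroll in it. The PowerShell audit below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module and a template name of WorkspaceOneUser (adjust both names to your environment).

```powershell
# Added example: report who can enroll in the template and whether the
# requester controls the subject. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TemplateName   = 'WorkspaceOneUser'  # assumption: your "Template name" (no spaces)
$ServiceAccount = 'SRV_WSOCA'         # service account used in this article

# Extended-right GUIDs from the AD schema and the relevant flag/right bits
$EnrollGuid      = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid  = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$SuppliesSubject = 0x1                                           # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$GenericAll      = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Certificate templates live in the forest's configuration partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'
$tpl      = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$TemplateName)" -Properties $props
if (-not $tpl) { throw "Template '$TemplateName' not found under $base" }

$nameFlag = [int]$tpl.'msPKI-Certificate-Name-Flag'
'Subject supplied in request: {0}' -f (($nameFlag -band $SuppliesSubject) -ne 0)
'Extended key usages (OIDs):  {0}' -f ($tpl.pKIExtendedKeyUsage -join ', ')

# Allow ACEs that grant Enroll/AutoEnroll, all extended rights, or Full Control
$tpl.nTSecurityDescriptor.Access | Where-Object {
    $r = [int]$_.ActiveDirectoryRights
    $_.AccessControlType -eq 'Allow' -and (
        (($r -band $GenericAll) -eq $GenericAll) -or
        ((($r -band $ExtendedRight) -ne 0) -and
         ($_.ObjectType -in $EnrollGuid, $AutoEnrollGuid, [guid]::Empty)))
} | ForEach-Object {
    $ace   = $_
    $right = if ($ace.ObjectType -eq $EnrollGuid) { 'Enroll' }
             elseif ($ace.ObjectType -eq $AutoEnrollGuid) { 'AutoEnroll' }
             else { 'All extended rights / Full Control' }
    [pscustomobject]@{
        Identity = $ace.IdentityReference.Value
        Right    = $right
        # Anything other than the service account deserves a second look
        Review   = $ace.IdentityReference.Value -notlike "*\$ServiceAccount"
    }
} | Sort-Object Review -Descending | Format-Table -AutoSize
```

Entries marked Review = True that are not administrative groups can be removed on the template's Security tab, so that only the service account can request certificates from it.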

Add the certificate template to Workspace One

Now go back to the Workspace One settings page and open the following setting:
System -> Enterprise Integration -> Certificate Authorities

There open the “Request Templates” tab and click on the “ADD” button.

Fill out the Name and Description and choose the CA. The Issuing Template Name is the certificate template's “Template name” (remember: the name without spaces).

Choose if you need Signing, Encryption or both and review the optional settings.

Save the template settings when you have finished them.

You can now close the settings page and navigate to

Devices -> Profiles & Resources -> Profiles

Create a new Profile for Windows -> Windows Desktop -> User Profile

Choose a name that fits your naming scheme and assign a smart group.

Then open the Credentials tab and add new credentials.

Set the following settings:
Credential Source: Defined Certificate Authority

Certificate Authority: Choose your CA (in my case myws1-EnterpriseCA)

Certificate Template: Choose the template (Workspace One User Certificate)

If you want to test the certificate enrollment without requiring a TPM, change the Key Location.

Side Note:
“Passport” in the Key Location dropdown menu is Windows Hello. So, if you are using Windows Hello for Business for user sign-in via biometrics, you can protect the certificate key via Hello for Business.

When you have finished all settings, save and publish the profile.

If we configured everything successfully, we should now see a certificate for our user in the “Personal” store (open MMC -> Add/remove Snap-in -> Certificate -> User).

Also, you can see the issued certificates in the Certification Authority console.

You will see that the requester name is not the user himself, but the service account we used for the connection between Workspace One and the ADCS.
