VMware Workspace ONE UEM powered by AirWatch
The product previously known as AirWatch is a device management solution by VMware, now rebranded as Workspace ONE Unified Endpoint Management (UEM).
Workspace ONE UEM is flexible with PKI integrations and is able to request certificates from either internal or external certificate authorities (CAs).
Workspace ONE UEM has a native, well-documented integration with EJBCA. For more information on how to configure the integration with EJBCA, refer to the VMware Workspace ONE UEM guide Certificate Authority Integrations.
Workspace ONE UEM and EJBCA scenario overview by VMware, Inc
Workspace ONE UEM and EJBCA Integration Notes
The following notes provide additional insights for configuring the integration with EJBCA, complementing the official documentation.
- EJBCA API URL: The URL configured in Workspace ONE is the URL to the EJBCA WS API endpoint, formatted as https://my-pki-server/ejbca/ejbcaws/ejbcaws.
- RA User Certificate: The RA user certificate used in the integration should be in .pfx format and must be imported into the local machine certificate store on the AirWatch Cloud Connector.
- Access Rights: Ensure that the RA user certificate imported on the AirWatch Cloud Connector has the appropriate access rights in EJBCA Roles and Access Rules.
- TLS Authentication: EJBCA must be able to use TLS client certificate authentication on the connection. If a load balancer is in place, configure it so that the TLS client authentication is visible to EJBCA. For simplicity, you may first verify that it works by terminating TLS in EJBCA and then explore the different load balancer configurations. Alternatively, you can use a distributed RA to isolate the CA.
- CA Name Format: Avoid using spaces in EJBCA CA names, as they may lead to a "CA not found" error in Workspace ONE. The CA name is an arbitrary identifier in EJBCA and can be customized as needed.
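
The notes above can be checked from the AirWatch Cloud Connector host before the CA is configured in Workspace ONE. The following PowerShell is an added example, not taken from the VMware or EJBCA documentation; the .pfx path and CA name are placeholders, and the URL reuses the format shown above.

```powershell
# Preflight check, run in an elevated PowerShell session on the AirWatch Cloud Connector.
# All three values are placeholders (assumptions); substitute your own.
$PfxPath = 'C:\temp\ra-user.pfx'                              # RA user certificate (.pfx)
$EjbcaWs = 'https://my-pki-server/ejbca/ejbcaws/ejbcaws'      # EJBCA WS API URL format from the notes
$CaName  = 'MyIssuingCA'                                      # EJBCA CA name as entered in Workspace ONE

# CA names containing spaces may lead to "CA not found" in Workspace ONE.
if ($CaName -match '\s') {
    Write-Warning "CA name '$CaName' contains whitespace"
}

# Import the RA user certificate into the local machine store.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $password

# Pick the entry that carries the private key (the RA user certificate itself).
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key was imported' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
"Imported $($cert.Subject), thumbprint $($cert.Thumbprint)"

# Request the WSDL of the WS endpoint while presenting the client certificate.
# This exercises the same TLS path (including any load balancer) that the connector uses.
try {
    $resp = Invoke-WebRequest -Uri "${EjbcaWs}?wsdl" -Certificate $cert -UseBasicParsing
    "HTTP $($resp.StatusCode) from $EjbcaWs"
} catch {
    Write-Error "Request to $EjbcaWs failed: $($_.Exception.Message)"
}
```

A handshake or HTTP error here points to a problem on the TLS path. A successful response does not by itself confirm that EJBCA received the client certificate or that the RA role has the required access rules; check those in EJBCA.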