Configure Workspace ONE to issue certificates via API
This guide explains how to request certificates from DigiCert® Trust Lifecycle Manager for provisioning to end user devices within the Workspace ONE unified endpoint management (UEM) platform.
You will configure the REST API service for Trust Lifecycle Manager to integrate with Workspace ONE, using a mutual TLS (mTLS) certificate to authenticate requests.
The Workspace ONE integration supports issuance of both public and private DigiCert certificates from escrow-enabled certificate profiles you define in Trust Lifecycle Manager.
Workflow
To enable the Workspace ONE integration, complete these tasks in order.
| Task | Section |
|---|---|
| 1. Verify the prerequisites in Trust Lifecycle Manager. | Before you begin |
| 2. Create an API service user and client authentication certificate in Trust Lifecycle Manager. | Enable API access to Trust Lifecycle Manager |
| 3. Define the types of DigiCert certificates to issue from Trust Lifecycle Manager. | Create certificate profiles in Trust Lifecycle Manager |
| 4. Configure the DigiCert certificate authority, certificate request template(s), and enrollment profile(s) in Workspace ONE. | Configure Workspace ONE |
| 5. Make sure the integration works by verifying that Workspace ONE-managed devices can get certificates from DigiCert. | Verify certificate enrollments |
Before you begin
If you need help verifying these prerequisites in Trust Lifecycle Manager, contact your DigiCert system administrator or account representative.
You need at least one issuing CA accessible from your Trust Lifecycle Manager account. The Workspace ONE integration supports the following DigiCert CA services.
| DigiCert CA service | Trust type | Required configuration |
|---|---|---|
| CA Manager | Private | Private root and issuing CA set up in CA Manager. |
| CertCentral | Public | CertCentral connector set up in Trust Lifecycle Manager. |
Each certificate issued for a Workspace ONE-managed device consumes a User seat in Trust Lifecycle Manager.
You need available User seats in your Trust Lifecycle Manager account.
Make sure some of these seats are allocated to the business units in Trust Lifecycle Manager where you will issue certificates for Workspace ONE.
Enable API access to Trust Lifecycle Manager
To integrate with Workspace ONE, you need an API service user with a client authentication certificate. Sign in to the DigiCert® ONE platform to complete these steps.
To create a service user in DigiCert ONE:
Open the DigiCert ONE Managers (grid) menu on the top-right, and select Account.
In the Account Manager menu, select Access > Service User.
Select the Create service user button.
Enter the service user details.
For DigiCert ONE Manager access, select Trust Lifecycle.
Select Next.
Under Roles and permissions for Trust Lifecycle Manager, select User and certificate manager. You may select additional roles. DigiCert recommends following the principle of least privilege.
Select Add user to create the service user with the configured settings.
The Service user token ID window opens with the API token for the new service user.
Note: For the Workspace ONE integration, you do not need the API token. We will use an authentication certificate instead.
To dismiss the token ID popup window, select Close.
To create an authentication certificate for the new API service user in DigiCert ONE:
In the Account Manager menu, select Access > Service User.
In the table, select the name of the service user you created.
In the Client authentication certificates section, select the Create client authentication certificate button.
Enter the requested client authentication certificate settings, then select Generate certificate.
A popup window opens with the randomly generated password required to decrypt the PKCS12 file containing your authentication certificate.
Important: You will need this password to configure the integration in Workspace ONE.
Copy and save the password to a secure location.
After saving the password, select Download certificate to download the authentication certificate.
Follow the instructions in the popup window to save the PKCS12 certificate file to your computer.
Make note of the location where you save the file. You will need it when configuring the integration in Workspace ONE.
After saving the certificate, select Close to dismiss the popup window.
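Before uploading the PKCS12 file to Workspace ONE, it is worth confirming that the saved password actually opens it and that the certificate carries its private key and is inside its validity window. The following PowerShell script is an added example (not DigiCert's or Workspace ONE's code); the path you pass in $PfxPath is a placeholder for wherever you saved the download.

```powershell
# Added example (not DigiCert's or Workspace ONE's code): open the PKCS12 file
# downloaded from DigiCert ONE with the saved password and report what Workspace ONE
# will see, before uploading it. $PfxPath is a placeholder path.
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [securestring] $PfxPassword = (Read-Host -AsSecureString -Prompt 'PKCS12 password from DigiCert ONE')
)

function Test-ClientAuthPfx {
    param([string] $Path, [securestring] $Password)

    if (-not (Test-Path -LiteralPath $Path)) { throw "PKCS12 file not found: $Path" }

    try {
        # Loads certificate and key into memory only; a wrong password throws here,
        # which is the same failure you would otherwise hit at upload time.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password
    } catch {
        throw "Could not open '$Path' with the supplied password: $($_.Exception.Message)"
    }

    try {
        if (-not $cert.HasPrivateKey) {
            throw 'The file contains no private key, so it cannot be used for mTLS to DigiCert ONE.'
        }
        $now = Get-Date
        [pscustomobject]@{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            Thumbprint      = $cert.Thumbprint
            NotBefore       = $cert.NotBefore
            NotAfter        = $cert.NotAfter
            ValidNow        = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
            DaysUntilExpiry = [int]($cert.NotAfter - $now).TotalDays
        }
    } finally {
        $cert.Dispose()   # release the temporary key handle
    }
}

$info = Test-ClientAuthPfx -Path $PfxPath -Password $PfxPassword
$info | Format-List

if (-not $info.ValidNow) {
    Write-Warning 'Certificate is outside its validity window; the Workspace ONE TEST CONNECTION will fail.'
} elseif ($info.DaysUntilExpiry -lt 30) {
    Write-Warning "Client certificate expires in $($info.DaysUntilExpiry) days; renew it in DigiCert ONE and re-upload it to Workspace ONE before then."
}
```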
Create certificate profiles in Trust Lifecycle Manager
A certificate profile defines the issuing CA and general properties for a type of certificate you can issue in Trust Lifecycle Manager. Using a base template as the starting point, create a profile for each type of certificate you want to enroll from Workspace ONE.
Use one of the following base templates as the starting point when creating certificate profiles in Trust Lifecycle Manager for Workspace ONE-managed devices.
All templates support escrowing of issued certificates in DigiCert ONE.
Make sure you have User seats allocated to the business unit in Trust Lifecycle Manager where you will issue the certificates.
| Template name | Trust type | DigiCert CA service |
|---|---|---|
| | Private | CA Manager |
| | Private | CA Manager |
| | Private | CA Manager |
| | Public | CertCentral |
To create an escrow-enabled certificate profile in Trust Lifecycle Manager to use with Workspace ONE:
In the Trust Lifecycle Manager menu, select Policies > Certificate profiles.
Select the Create profile from template button.
Select one of the templates from the Available base templates section as the basis for creating the certificate profile.
Follow the profile creation wizard, focusing on the Workspace ONE-related options described below and making other selections for your business needs.
For Primary options:
General information: Select the applicable business unit and issuing CA for the certificates.
Enrollment method: Select REST API.
Authentication method: Select 3rd Party app.
For Certificate options > Flow options:
Deselect the Allow duplicate certificates checkbox.
Enable DigiCert cloud key escrow and select the Deliver the escrowed certificate for matching enrollment requests checkbox.
For Advanced settings > Service User binding, select the service user you created for the Workspace ONE integration.
On the final profile creation wizard screen, select Create to save the new certificate profile.
Configure Workspace ONE
To request certificates from Trust Lifecycle Manager for Workspace ONE-managed devices, you need to enable the DigiCert certificate authority and configure the request settings for it. Sign in to the Workspace ONE platform to complete these steps.
To add the DigiCert certificate authority (CA) in Workspace ONE:
Navigate to Settings > Enterprise Integration > Certificate Authorities.
In the Certificate Authorities tab, select the Add button.
Configure the following settings:
Name: Enter a name to help identify the DigiCert CA service.
Authority type: Select DigiCert.
Server URL: Enter the client authentication URL for your DigiCert ONE environment.
For example, if you use the U.S. production environment of DigiCert ONE, enter https://clientauth.one.digicert.com here.
Certificate: Upload the authentication certificate you created for your API service user in DigiCert ONE:
Select Add > Choose file.
Navigate to the authentication certificate PKCS12 file you downloaded.
In the Certificate Password field, enter the password that you copied from DigiCert ONE for the certificate PKCS12 file.
Select Upload.
The completed Workspace ONE dialog should look similar to the following screenshot:
To test the configuration, select the TEST CONNECTION button. Address any issues.
To save the new CA record after a successful test, select SAVE.
To add a template in Workspace ONE for requesting certificates from DigiCert:
Navigate to Settings > Enterprise Integration > Certificate Authorities.
In the Request Templates tab, select the Add button.
Configure the following settings:
Name: Enter a name to help identify this certificate request template.
Certificate Authority: Select the DigiCert CA record you created.
When you select the CA, the Profile Name dropdown populates with the list of available certificate profiles for that CA.
Profile Name: Select one of the certificate profiles you created in Trust Lifecycle Manager for issuing certificates for Workspace ONE-managed devices.
When you select the profile, the attributes table populates from the profile settings, including the source of each attribute's value.
The completed Workspace ONE dialog should look similar to the following screenshot:
Select SAVE to save the new certificate request template.
To add a profile in Workspace ONE for enrolling DigiCert certificates for end user devices:
Navigate to Resources > Profiles & Baselines > Profiles.
Select ADD.
Select the Platform for the applicable devices. For example, "Windows".
Select a Context for the certificate enrollment. For example, "User Profile".
In the General tab, configure the following settings:
Name: Enter a name to help identify this certificate enrollment profile.
Smart Groups: Select the device groups that will enroll certificates from this profile.
Make additional selections for your business needs. The completed tab should look similar to the following screenshot.
In the Credentials tab, configure the following settings:
Credential Source: Select Defined Certificate Authority.
Certificate Authority: Select the DigiCert CA record you created.
Certificate Template: Select one of the certificate request templates you created to issue certificates from Trust Lifecycle Manager.
The completed tab should look similar to the following screenshot.
Select SAVE AND PUBLISH to save the profile and trigger the certificate enrollment for the target devices.
Verify certificate enrollments
After requesting enrollment of a DigiCert certificate, verify that the certificate was issued by Trust Lifecycle Manager and provisioned by Workspace ONE.
To view the issued certificate in Trust Lifecycle Manager:
Go to your Inventory page.
Use the view inventory functions to help locate the issued certificate. Applicable filters include:
Common name: Search by the certificate common name value.
Seat type: Select User seat.
Enrollment method: Select REST API.
Tip: If a column is not present in the inventory table, use the table settings on the top-right to add it.
(Optional) Once you find the certificate in the table, select the common name to view additional details about it.
To view the enrollment details in Workspace ONE:
Navigate to MONITOR > Events and Logs > Device Events.
The target device(s) for the enrollment should show Certificate Issued in the Event column. Select the event status link to view additional details about the enrollment.
Check the device itself to verify the certificate was installed there.
For example, on Windows devices, use the Certificate Manager application (certmgr.msc) to check for the DigiCert certificate under Certificates - Current User > Personal > Certificates.