Integrate EJBCA as a Certificate Authority in Workspace ONE UEM

/in , /by

Workspace ONE UEM has the ability to integrate with other Certificate Authorities (CA’s) to distribute and create user/device certificates. Examples of common CA’s are Microsoft ADCS, Generic SCEP, Symantec, GlobalSign, RSA and EJBCA.

One of my customers requested at their PKI department a system to talk with. They said we are running EJBCA instances, we could create a seperate CA for Workspace ONE UEM for you. Here is the *.p12 certificate and this is our PKI url.

To add a Certificate Authority in the Workspace ONE UEM Admin Console you need to meet the following prequisites.

  • An EJBCA instance that is configured for certificate deployment.
  • Workspace ONE UEM console version 9.5 or later.
  • If your EJBCA instance is public-facing (so also if your EJBCA is in another subnet), it must be protected with a Public SSL Certificate. If you are using VMware AirWatch Cloud Connector for enterprise integration, then it needs to be configured to trust the root certificate installed on your EJBCA instance.

In my homelab I go for the easy way and use the SuperAdmin user (*.p12) file and import it in the Windows Certificate Store (Computer) of my Workspace ONE UEM/Airwatch Cloud Connector server:

If you a complish that, open an internet browser, go to your Workspace ONE UEM Admin Console and login:
Open the correct “Organization level” > Groups and Settings > All Settings > System > Enterprise Integration > Certificate Authorities –> Add.

Select first the correct “Authority Type” which is in our case EJBCA.
There are only five requirements: Name, Authority Type, Server URL and Certificate + if your EJBCA is in another network (internet facing), then the RA (*.p12) certificate needs to be added on the Windows Certificate Store on the Workspace ONE UEM/Airwatch Cloud Connector. Keep in mind if you have multiple Cloud Connectors, you need to import the certificate on all machines.

First we started with the name and certificate. Where the certificate is the file we received from the PKI department and is in my example the SuperAdmin (*.p12) certificate.
Now we need to enter the Server URL. The correct URL notation is not mentioned in any public documentation from VMware and EJBCA.


References:
VMware: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Certificate_Authority_Integrations/GUID-C2CC3CB7-7C41-4036-961B-4DF8FC18B743.html
EJBCA: https://download.primekey.com/docs/EJBCA-Enterprise/latest/EJBCA_Integration.html (Workspace ONE UEM or AirWatch mentioned at all)

The balloon tip (I) in the Server URL section mentions that AirWatch is using API calls to interact with your EJBCA instance.

Our assumption was to talk to the EJBCA API and tried these url’s, but none of these url’s worked.

  • https://<pki-server>(:8443)/ejbca/ejbca-rest-api/v1/ca
  • https://<pki-server>(:8443)/ejbca/ejbca-rest-api/v1/certificate
  • https://<pki-server>(:8443)/ejbca/ejbca-rest-api/v1/certificate/enrollkeystore

Wrong URL’s – Test Unsuccessful

The “Test Connection” button came back with: Test is unsuccessful.

Really want this to work, because it is there out-of-the-box.
Eventually I had to ask for help at PrimeKey support (vendor of EJBCA) and a VMware SE I know.
PrimeKey doesn’t have the experience with VMware Workspace ONE, so they couldn’t help me further.

Correct URL – Test Successful

The VMware SE went through the internal documentation for us and he found the information we were looking for.
After I have entered the correct “Server URL”, uploaded the EJBCA’s RA user certificate (*.p12) and imported in the Windows Certificate Store on the Workspace ONE UEM/Airwatch Cloud Connector. I got a successful test and was able to add a certificate template now.

The Server URL must be: https://<pki-server>(:8443)/ejbca/ejbcaws/ejbcaws

When the test is successful, you can click on the “SAVE AND ADD TEMPLATE” button.
Below is an example of a template you can add and verify that the connection works.

I hope VMware will change their documentation about this integration soon, but for now you can follow my blog to make this Workspace ONE UEM and EJBCA integration to work.

UPDATE 8-12-2021

One of my former colleagues consulted this blog, but it was unclear to him why the certificate (in my blog the SuperAdmin.p12) need to be installed on the Workspace ONE Access Connector.
Your EJBCA (Certificate) Admin will create a separate “admin/user” and associate it to a specific CA for you in the backend system, so this admin/user can issue certificates with for a CA. The credentials of this account will be stored in a certificate and this certificate needs to be place on the Workspace ONE Access Connector. In my blog I used the SuperAdmin.p12 certificate which is the upper admin account from EJBCA. Not advise to use this in a production environment. Hope this explanation will give you a better inside how EJBCA integrates with Workspace ONE UEM.

You might also like
Notes from the field – Missing your devices in Workspace ONE Intelligent Hub (Web)?