VMware Workspace ONE Community

AirWatch Server Authentication Certificate Expiration and Rotation

I hope you guys can help, I have recently gotten the responsibility for managing our Workspace One AirWatch environment. As part of our ongoing system maintenance, we have identified the need to update our server certificate, which is approaching its expiration date.

In order to ensure a seamless transition and avoid any disruptions to our devices or AirWatch services, I am seeking guidance on the proper procedure for certificate rotation. 

On this link: Managing Certificates i read this: 

"At times, the AirWatch Server Certificate will expire and require you to rotate it. Regenerating the Tunnel certificate will remove the existing trust Tunnel uses for authentication. You will need to deploy updated profiles after this action.

To rotate the certificate, go into your Workspace ONE UEM console.
  1. Go to Tunnel Configuration.
  2. Click Edit.
  3. Now under the Server Authentication section you should see Regenerate.
  4. Click Regenerate. This will open a dialog box. After reviewing the message, click OK."

    How do I deploy the updated profiles after this action and whom do I deploy it to. When I look at my device, they only have Client Authetication certificat which is still eligble. 

    I wonder if the server certificat automaticly rotates it self, when i regenerate it. 
Tags (2)
0 Kudos
1 Reply


the VPN Configurations for you devices contain the Thumbprint of the Tunnel Server Certificate.
If the Server Certificate is replaced, you have to open your VPN Configurations which you send to your client devices and click on "add version", don't change anything and press save and publish. This generates a new version of the VPN Configuration which contains the new server certificate thumbprint.
If you don't do this step, it is possible that the tunnel app on the clients show an error message, that they can't connect the tunnel due to certificate problems.

0 Kudos