API integration guide for Workspace ONE
This guide explains how to request certificates from DigiCert® Trust Lifecycle Manager for provisioning to end user devices within the Workspace ONE unified endpoint management (UEM) platform.
You will configure the REST API service of Trust Lifecycle Manager to integrate with Workspace ONE, using a mutual TLS (mTLS) certificate to authenticate requests.
The Workspace ONE integration supports issuance of both public and private DigiCert certificates from escrow-enabled certificate profiles you define in Trust Lifecycle Manager.
Workflow
To enable the Workspace ONE integration, complete these tasks in order.
| Task | Section |
|---|---|---|
1. | Verify the prerequisites in Trust Lifecycle Manager. | |
2. | Create an API service user and generate a client authentication certificate in Trust Lifecycle Manager. | |
3. | Define the types of DigiCert certificates to issue from Trust Lifecycle Manager. | |
4. | Configure the DigiCert certificate authority, certificate request template(s), and enrollment profile(s) in Workspace ONE. | |
5. | Make sure the integration works by verifying that Workspace ONE-managed devices can get certificates from DigiCert. |
Before you begin
If you need help verifying these prerequisites in Trust Lifecycle Manager, contact your DigiCert system administrator or account representative.
You need at least one issuing CA accessible from your Trust Lifecycle Manager account. The Workspace ONE integration supports the following DigiCert CA services.
DigiCert CA service | Trust type | Required configuration |
|---|---|---|
Private | Private root and issuing CA set up in Private CA. | |
Public | CertCentral connector set up in Trust Lifecycle Manager. |
Each certificate issued for a Workspace ONE-managed device consumes a User seat in Trust Lifecycle Manager.
You need available User seats in your Trust Lifecycle Manager account.
Make sure some of these seats are allocated to the business units in Trust Lifecycle Manager where you will issue certificates for Workspace ONE.
Enable API access to Trust Lifecycle Manager
To integrate with Workspace ONE, you need an API service user with a client authentication certificate. Sign in to the DigiCert® ONE platform to complete these steps.
To create a service user in DigiCert ONE:
To generate an authentication certificate for the new API service user in DigiCert ONE:
Create certificate profiles in Trust Lifecycle Manager
A certificate profile defines the issuing CA and general properties for a type of certificate you can issue in Trust Lifecycle Manager. Using a base template as the starting point, create a profile for each type of certificate you want to enroll from Workspace ONE.
Use one of the following base templates as the starting point when creating certificate profiles in Trust Lifecycle Manager for Workspace ONE-managed devices.
To enable escrowing of issued certificates in DigiCert ONE, select a template that includes cloud key escrow support.
Make sure you have the corresponding seat type allocated to the business unit in Trust Lifecycle Manager where you will issue the certificates.
Template name | Trust type | DigiCert CA service | Seat type | Cloud key escrow support |
|---|---|---|---|---|
| Private | Private CA | User | Yes |
| Public | CertCentral | User | No |
| Public | CertCentral | Organization | No |
| Private | Private CA | Device | No |
| Private | Private CA | Server | No |
| Private | Private CA | User | Yes |
| Private | Private CA | User | Yes |
| Public | CertCentral | User | Yes |
To create a certificate profile in Trust Lifecycle Manager to use with Workspace ONE:
In the Trust Lifecycle Manager menu, select Policies > Certificate profiles.
Select the Create profile from template button.
Select one of the templates from the Available base templates section as the basis for creating the certificate profile.
Note: To enable recovery of issued certificates from the DigiCert cloud, select a base template that supports the cloud key escrow option.
Follow the profile creation wizard, focusing on the Workspace ONE-related options described below and making other selections for your business needs.
For Primary options:
General information: Select the applicable business unit and issuing CA for the certificates.
Enrollment method: Select
REST API.Authentication method: Select
3rd Party app.
For Certificate options > Flow options:
To enable cloud key escrow and recovery (if you selected a base template that supports it):
Deselect the Allow duplicate certificates checkbox.
Enable DigiCert cloud key escrow and select the Deliver the escrowed certificate for matching enrollment requests checkbox.
To enable issuance of duplicate certificates (all base templates): Select the Allow duplicate certificates checkbox.
Wichtig
You can enable either cloud key escrow or duplicate certificates, but not both.
For Advanced settings > Service User binding, select the service user you created for the Workspace ONE integration.
On the final profile creation wizard screen, select Create to save the new certificate profile.
Configure Workspace ONE
To request certificates from Trust Lifecycle Manager for Workspace ONE-managed devices, you need to enable the DigiCert certificate authority and configure the request settings for it. Sign in to the Workspace ONE platform to complete these steps.
To add the DigiCert certificate authority (CA) in Workspace ONE:
Navigate to Settings > Enterprise Integration > Certificate Authorities.
In the Certificate Authorities tab, select the Add button.
Configure the following settings:
Name: Enter a name to help identify the DigiCert CA service.
Authority type: Select
DigiCert.Server URL: Enter the client authentication URL for your DigiCert ONE environment.
For example, if you use the U.S. production environment of DigiCert ONE, enter
https://clientauth.one.digicert.comhere.Certificate: Upload the authentication certificate you created for your API service user in DigiCert ONE:
Select Add > Choose file.
Navigate to the authentication certificate PKCS#12 file you downloaded.
In the Certificate Password field, enter the password that you copied from DigiCert ONE for the certificate PKCS#12 file.
Select Upload.
The completed Workspace ONE dialog should look similar to the following screenshot:
To test the configuration, select the TEST CONNECTION button. Address any issues.
To save the new CA record after a successful test, select SAVE.
To add a template in Workspace ONE for requesting certificates from DigiCert:
Navigate to Settings > Enterprise Integration > Certificate Authorities.
In the Request Templates tab, select the Add button.
Configure the following settings:
Name: Enter a name to help identify this certificate request template.
Certificate Authority: Select the DigiCert CA record you created.
When you select the CA, the Profile Name dropdown populates with the list of available certificate profiles for that CA.
Profile Name: Select one of the certificate profiles you created in Trust Lifecycle Manager for issuing certificates for Workspace ONE-managed devices.
When you select the profile, the attributes table populates from the profile settings, including the source of each attribute's value.
The completed Workspace ONE dialog should look similar to the following screenshot:
Select SAVE to save the new certificate request template.
To add a profile in Workspace ONE for enrolling DigiCert certificates for end user devices:
Navigate to Resources > Profiles & Baselines > Profiles.
Select ADD.
Select the Platform for the applicable devices. For example, "Windows".
Select a Context for the certificate enrollment. For example, "User Profile".
In the General tab, configure the following settings:
Name: Enter a name to help identify this certificate enrollment profile.
Smart Groups: Select the device groups that will enroll certificates from this profile.
Make additional selections for your business needs. The completed tab should look similar to the following screenshot.
In the Credentials tab, configure the following settings:
Credential Source: Select
Defined Certificate Authority.Certificate Authority: Select the DigiCert CA record you created.
Certificate Template: Select one of the certificate request templates you created to issue certificates from Trust Lifecycle Manager.
The completed tab should look similar to the following screenshot.
Select SAVE AND PUBLISH to save the profile and trigger the certificate enrollment for the target devices.
Verify certificate enrollments
After requesting enrollment of a DigiCert certificate, verify the certificate got issued from Trust Lifecycle Manager and provisioned by Workspace ONE.
To view the issued certificate in Trust Lifecycle Manager:
Go to your Inventory page.
Use the inventory functions to help locate the issued certificate. Applicable filters include:
Common name: Search by the certificate common name value.
Seat type: Select
User seat.Enrollment method: Select
REST API.Tipp
If a column is not present in the inventory table, use the table settings on the top-right to add it.
(Optional) Once you find the certificate in the table, select the common name to view additional details about it.
To view the enrollment details in Workspace ONE:
Navigate to MONITOR > Events and Logs > Device Events.
The target device(s) for the enrollment should show
Certificate Issuedin the Event column.Select the event status link to view additional details about the enrollment.
Check the device itself to verify the certificate was installed there.
For example, on Windows devices, use the Certificate Manager application (certmgr.msc) to check for the DigiCert certificate under Certificates - Current User > Personal > Certificates.