Install and Configure VMware Credential Escrow Gateway
In a SaaS world there may be some certificates you do not want to store in a SaaS service, or whose private key you do not want a SaaS service to be able to decrypt. Client authentication certificates can today be issued via SCEP, but there are use cases where this does not work, such as S/MIME. For these, VMware Workspace ONE UEM offers the Credential Escrow Gateway (CEG), which stores the certificates and sends them to UEM only in encrypted form, for consumption by the devices. Because the certificates are encrypted with a certificate on the device, UEM itself cannot decrypt the payload; only the device or the SDK level can decrypt the certificate.
To be ready to deploy the CEG, make sure you meet the following requirements:
- Download the OVA for CEG (min. version 1.4.1)
- Machine Certificate for ACC installed (note down the Thumbprint)
- Access to vSphere to deploy OVA
To install CEG, download the installer OVA and deploy it to vSphere. I created an overview video to show the process:
Once the deployment is finished, let's configure the CEG:
To activate the CEG I used Postman, but PowerShell or curl also work for this. Here is an overview of the API calls:
This describes the basic setup; there are multiple options and settings, and they may also depend on the version. This blog is just a baseline and sample, not official documentation. Make sure you have read through the official documentation from VMware, and it is highly recommended to use VMware Professional Services for a deployment like this.