
On uploading MIME certificates for the enrollment user by enrollment user id



Dear All,

I hope you are fine.

I am new in this community. Previously I was using the WorkspaceONE-Discussions community.

I am working on a use case in which a PKCS#12 certificate needs to be uploaded to Workspace ONE UEM as shown in the image below:

image.png.d265d417dfc0c421f7127df76ead0cef.png

According to API documentation (System Management REST API V1), /users/{{userId}}/uploadsmimecerts can be used to upload MIME certificates for the enrollment user by enrollment user id.

Since a new Signing certificate needs to be uploaded, is there an API to get the current Signing certificate (or Encryption, Archived) from Workspace ONE UEM? 

The idea is to retrieve this current certificate, upload it to the Archived array, and then upload the new signing certificate.

 

Best regards

Antonio


I'm also facing the same issue. Through Postman I'm able to upload the cert of the corresponding enrollment user: https://host/api/system/users/{id}/uploadsmimecerts. Postman is displaying a 200 status code. We can see the thumbprint under Edit User > Certificate,

but I am not able to see that the cert has been placed in either Current User > Personal > Certificate or Certificate - Local Computer > Personal > Certificate.

Can someone guide me? That would be a great help.


Dear @kanchan shaw,

I hope you are fine.

Thanks for adding your question.

The question I have is if there is any API to get or retrieve a certificate uploaded as Encryption, Signing or Archived from Workspace ONE UEM.

Regarding your question, I just asked one of my colleagues from the Systems Team and he told me that maybe you need to create a profile, something like an S/MIME profile, to push the certificate from Workspace ONE UEM to your user device.

Something like this:

image.thumb.png.27f9c04fcf2f2eb6cdd385890318fbbe.png

 

image.png.30df321b33eb43b52a63ef704f1e2e00.png

 

I hope that can provide you some guidance; that is out of my scope 🙂

 

Best regards

Antonio


As Antonio advised, you need to create a user profile for this with the Credentials payload.

However, the disadvantage of using the Workspace ONE UEM API is that it does not support uploading previous S/MIME certificates. It is only supported in the web-based administration portal.

So if you have an S/MIME certificate that is valid for 1 year, and you send the new one to the Workspace ONE UEM API then all other certificates will be removed and only the latest one will be there.

This is OK for new S/MIME encrypted email, but any other S/MIME encrypted email that is older than 1 year will not be able to be read on the device.

 


Thanks Antonio/spg123,

After creating the profile, when I hit the uploadsmimecerts API, I didn't see that the certificate had been placed,

but when I clicked Save and Publish under the profile, the cert was placed in the Personal folder.

Can you help me understand the end-to-end process of how the uploadsmimecerts API works?

Below are the steps I'm following:

1> Add user -> registered device, then create a user profile as you suggested in the above step. After clicking the Save and Publish button, I'm able to see the registered devices associated with it,

then hit the API api/system/users/10656/uploadsmimecerts; the cert was not placed.

But when I first hit the API and then go to the user profile and click Publish, we can see the cert has been placed.

I'm requesting a 15-minute session to understand the end-to-end flow; I would be very grateful.

 

 

 

 

 


  • Employee

@spg123 you can upload archived certificates through the API; not sure why the API docs were never updated. We had issues with accepting expired certs, but even that was fixed in 2017.

There is no API to read the existing certs, so you would need to include them from the source again.

If you want to implement some more advanced user cert management you would need to implement the Escrow Gateway.

https://docs.omnissa.com/bundle/CredentialEscrowGatewayV2310/page/OverviewofCredentialEscrowGateway.html

 
