Skip to main content
Matrix42 Self-Service Help Center

Android III: Certificate Profile for VPN and Apps

Certificate Profile for VPN and Apps 

With Silverback, you can use certificates to authenticate your users to applications and corporate resources like E-Mail, Wi-Fi and Virtual Private Networks. Distributing certificates facilitates the access for a seamless authentication without the need to enter any usernames or passwords. Historically, the certificate distribution on Android belonged to installed profiles like Exchange ActiveSync, Wi-Fi and VPN. With the introduction of Android Enterprise and Managed Configurations, the correlation between certificates and profiles was dissolved (except for Wi-Fi profiles) as applications like Gmail, Samsung Mail and other 3rd party (VPN) applications like Cisco AnyConnect, F5 access etc. can be independently configured via Managed Configurations.

For Managed Configurations, the certificate distribution utilizes as different mechanism as in the past and this is the target of the Certificate Profile in Silverback, which is dedicated to meet the great capabilities of Managed Configurations. With the certificate profile you can independently deploy certificates to the Android User VPN and Apps certificate Key Storage (Credential Location) on the device. A certificate placed in this Key Storage can be accessed by any application installed on the device that is supporting certificate-based authentication. In the Managed Configuration of an application, you can define the Subject Name of the certificate with an alias (e.g. with System Variables) and when multiple certificates are present on the device, the dedicated certificate for this application will be preselected for users.

To ensure the chain of trust, you can select as Credential Location Trusted Credential, to upload your root and/or intermediate certificates. For the VPN and apps credential Location, you can either upload an enterprise certificate or distribute individual certificates to your users’ devices. 

Benefits of the Certificate Profile 

  • Multiple certificates profile are supported within one Tag
  • Created certificate profiles can be imported easily in other tags and between the platforms Android and Samsung Knox 
  • Trusted Credentials and VPN and Apps can be selected as credential location
  • For VPN and Apps Enterprise Certificates with private keys can be uploaded and/or
  • For VPN and Apps Individual Client Certificates can be configured
  • Individual client certificates support different templates
  • Alias and Subject names are supporting System Variables and can be used in Managed Configurations
  • Certificate Locations can be addressed for all supported management types
  • The certificate profile works independently from the selected Web Setting Certificate Deployment Method

Before you Start

Before you start, please note the following:

  • Certificate Profiles are dedicated for VPN and Apps with Managed Configurations
  • Certificate Profiles are not supported for Wi-Fi Profiles
  • Certificate Profiles are not supported to be published to Active Directory User Objects
  • Ensure to select later on only the Certificate Location that should target your Management Type
    • If you have only Device Owner Devices, enable only Device Owner
    • If you have only Work Profiles, enable only Work Profile


When working with certificates on Android and Samsung Knox devices, ensure to deploy a passcode profile as highlighted in this guide later on. Depending on the certificate type, the following prerequisites must be fulfilled.

Root and/or Intermediate Certificate

  • A certificate that contains the public key (.cer)

Enterprise Certificate

  • A certificate that contains a private key (*.pfx)
  • The corresponding Password for the private key

Individual Certificates

Silverback Enterprise Device Management Group will gain access to created templates on the Certification Authority.

Create your Profile

Ensure to have at least one test device enrolled before starting with the certificate profile configuration. 

Create a new Tag 

  • Open your Silverback Management Console
  • Login as Administrator
  • Navigate to Tags
  • Click New Tag
    • Name it e.g. Certificate Profile
    • Enter as description e.g. Certificate Profile for VPN and Apps (optional)
    • Enable Profile under Enabled Features
    • Enable your desired device type, e.g. Samsung Knox
    • Click Save

Create a Passcode Profile

In case your devices do not have already a passcode profile assigned, create a new one in this tag. 

  • Navigate to Profile
    • Navigate to Passcode
    • Enable Passcode Settings
    • Enable minimum Numeric as Quality
    • Keep or change the minimum length (optional)
    • Adjust Maximum Passcode Age (optional)
    • Adjust Auto-lock in minutes (optional)
    • Enforce passcode history (optional)
    • Change Maximum Failed Attempts to a suitable value, e.g. 5 or 10 or keep 0 for deactivated
    • Click Save
    • Confirm with OK
  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK
  • Check your Device
    • If not already present, you should now configure your screen unlock settings
    • Choose e.g. PIN and create one for the device
    • Proceed with the next chapter

Upload a Root or Intermediate Certificate

  • Navigate to Profile
  • Select Certificate Profile
  • Click Add new Certificate
  • Select Choose File to upload your intermediate or root certificate 
  • Ensure to have at least one certificate location enabled

Depending on your current setup, you may have already added root and/or intermediate certificates via the Certificate Trusts or Wi-Fi Profile to your devices. In this case you can skip upload the intermediate or root certificate, as they should be already present under the Trusted Credential key store on the device. 

  • Press Save and Confirm with OK

Upload an Enterprise Certificate

  • Press Add new Certificate
  • Select as Credential Location VPN and apps
  • Ensure to select as Certificate Type Enterprise Certificate
  • Select Choose File and upload your Enterprise Certificate
  • Enter the corresponding password for the private key
  • Ensure to have at least one certificate location enabled
  • Press Save and Confirm with OK

Deploy Individual Certificates

  • Press Add new Certificate
  • Select as Credential Location VPN and apps
  • Select as Certificate Type Individual Certificate
  • Enter your Certification Authority Address in the following format:\domain-server-CA

Open a command prompt and run the certutil command to retrieve the config name of your CA.

If a Corporate Certification Authority is added to the Web Settings, the address will be pre-filled and is adjustable 

  • Enter a Template Name, e.g. SilverbackUser 
  • Enter a subject name, e.g. {UserName}
  • Enter a Subject Alternative Name, e.g. {DeviceEmail}
  • Enter as Renewal Threshold the time when the certificate should be renewed. Enter e.g. 180 if after 180 days you want to let the certificate be replaced
  • Ensure to have at least one certificate location enabled
  • Press Save and Confirm with OK

Review Certificate Installation

Depending on your certificate and management types, you have several options to review the certificate installation as following:

From Logs

Each attempt for a certificate distribution with the Certificate Profile will be logged under the general Silverback Log section.

27 Dec 2021 09:14:56 PM    
InstallCertificateForAndroidPayload: Start creating a CA certificate for '{UserName}' template and subject mmiller.
27 Dec 2021 09:14:54 PM   
InstallCertificateForAndroidPayload: Start creating a CA certificate for '{UserEmail}' template and subject
27 Dec 2021 08:49:12 PM   
InstallCertificateForAndroidPayload: Start creating a CA certificate for '{UserName}' template and subject

Review Device

Depending on your hardware vendor, the way to the installed certificate location might be different. The following covers a Samsung device running on Android 12 with Device Owner.

  • Open Settings applications
  • Select Biometrics and security
  • Tap Other security settings
  • Tab View security certificates
  • Select Users, you should see here now your uploaded root and/or intermediate certificate
  • Go Back
  • Select User certificate
  • Review your Enterprise and/or Individual Client Certificate

Review Certificate List

  • At your Silverback Management Console, navigate to Devices
  • Locate your device and open the device overview
  • Ensure the device is online and press refresh
  • Scroll down to the certificate list to review available certificates
  • Please note the following table of supported certificate listings in device overview:
Platform / Management Type Android Enterprise Device Owner Android Enterprise Work Profile
  • User Certificates
  • Certificate Trust Certificates
  • Certificate Trust Certificates
Samsung Knox
  • User Certificates
  • Certificate Trust Certificates
  • Certificate Trust Certificates

Review Certification Authority 

  • Log into your Certification Authority server
  • Open the Certification Authority MMC snap-in.
    • Choose from Server Manager > Tools > Certification Authority
    • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should see now a newly issued with the requester name Domain\Silverback$ with the SilverbackUser Template
    • If you have assigned 2 or more Individual Client Certificate Profiles to your device, you will see multiple created certificates

Import Certificate Profiles

In case you want to create now certificate profiles for a different tag or for a different platform, e.g. when you created the profiles for Samsung Knox devices and now you want to import the profiles for Android, just Press the Import from Database button and select all profiles that you want to import. With the Assign select Certificate button the Certificate Profiles will be imported to your new Tag or your new Platform. By default, the imported profiles are set to disabled, so you can enable them afterwards manually. Additionally, please note the following:

  • When importing a Profile to a new Tag or to a new Platform, it will receive a new ID
  • But the Profiles are still linked, so when you change something in the imported profile, the change will be additionally applied in all existing tags that contains the profile.
  • After making a change, the next time you will import the profile, it will contain the changes also. 

User Experience and Managed Configuration

The following screenshots are demonstrating a Tag that contains several Certificate Profiles. As designed, all certificates are installed on the device with their corresponding Subject and Subject Alternative Name. Afterwards you can configure the managed configuration for your application and with a provided alias like {DeviceEmail}, the certificate will be preselected when opening or configuring the application. 

Create one or multiple profiles within Tags Certificates will be distributed to managed devices
clipboard_e58cf6887d553eb0ddf3ac6624efe7fa1.png clipboard_ea6479a94845523c752af3e49f38cd90e.png
Configure Gmail Account through Managed Configuration In case of multiple present certificates, the alias will be pre-selected
clipboard_ed3e948703c0d263677438e9c79127cf4.png clipboard_ecba4d3f2243aa6c8a7f039fd320bd1c6.png
Configure your Cisco AnyConnect VPN connection through Managed Configurations  In case of multiple present certificates, the alias will be pre-selected
clipboard_e01350a3297377f596c9e3e029786b2ac.png clipboard_e68d5f0fc1ff526c436c525fbdef17ec9.png

Remove and Delete Certificate Profiles

To remove a profile from a Tag, simply press the Remove button in the Certificate Profile overview. To delete a Certificate Profile completely, press the Import from Database button and use the Remove button and confirm with OK. Only not assigned Profiles are listed in the Import from Database overview, so ensure to either remove the Certificate Profile from your current opened Certificate Profile or remove it from another Tag.  In case the Certificate Profile is currently assigned in any Tag, a warning will be shown and by confirming with OK, the profile will be completely removed from the database and from all Tags. 

  • Was this article helpful?