AirWatch Tunnel to AWCM failing test connection

After installing an AirWatch Tunnel on a customer's site it was found that it was failing the Tunnel to AWCM test; we use port 2001, which is recommended by AW for OnPrem and Partners.
We use Digicert certificates. In the past we have had to import the Digicert intermediate certificate into the certificate store on ACC servers to get them to connect.
A check with SSLChecker for port 2001 gives:
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following DigiCert’s Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.

It was found that the browser would connect to https://{server Url}:2001/awcm/statistics with no problem; however, AW Tunnel uses Java, which has its own key store.

  1. Obtain from Digicert, or export from your certificate chain, the Digicert Intermediate certificate DigiCertSHA2SecureServerCA.crt and save the cert in an easily accessed folder, in this case C:\JavaCerts\DigiCertSHA2SecureServerCA.crt

  2. Locate the current version of Java installed by the AirWatch Tunnel installer; each Java version has a different install path, so CHECK CAREFULLY.

  3. Locate the cacerts file in the Java directory, in this case C:\Program Files\Java\jre1.8.0_92\lib\security\cacerts; make a backup copy and save it in a safe place for roll back if needed.

  4. Open a command box as administrator.

  5. Run the following command exactly. NOTE: the values inside the " " will change depending on where the Int cert is stored and the Java version; the value after -alias is a free-text descriptor.

keytool -import -file "C:\Java Certs\DigiCertSHA2SecureServerCA.crt" -alias "Digicert Int" -keystore "C:\Program Files\Java\jre1.8.0_92\lib\security\cacerts"

  6. You will be prompted for a password; by default this is changeit, the standard Java password, which is not usually changed.

When complete the command screen will look like:

C:>keytool -import -file "C:\Java Certs\DigiCertSHA2SecureServerCA.crt" -alias "Digicert Int" -keystore "C:\Program Files\Java\jre1.8.0_92\lib\security\cacerts"

Enter keystore password:

Certificate was added to keystore

C:>

  7. To list the contents of the keystore: just running the list command will overflow the command screen buffer, so we need to redirect the output to a text file. Here we create a text file on the root of the drive, which can be viewed with any text editor.

C:\windows\system32>keytool -list -v -keystore "C:\Program Files\Java\jre1.8.0_92\lib\security\cacerts" >c:\cacert.txt

Enter keystore password: changeit

C:\windows\system32>

After all that I got 5 greens on the test window.

Instructions for the AirWatch Linux Tunnel on RHEL platforms, where the AWCM is listed as untrusted due to an incomplete certificate chain:

  1. Obtain the certs and transfer them to the Tunnel machine.

  2. Copy the certificates to /etc/pki/ca-trust/source/anchors/
    "cp *.cer /etc/pki/ca-trust/source/anchors/"

  3. Update the trusts
    "update-ca-trust extract"

Cheers,
Stew

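The Windows procedure above (steps 2 to 7), scripted in PowerShell as an added example that is not part of Stew's post or any AirWatch tooling. It assumes the intermediate is saved at C:\JavaCerts\DigiCertSHA2SecureServerCA.crt, that the JRE placed by the Tunnel installer lives under C:\Program Files\Java, and that the cacerts password is still the Java default changeit; the alias digicert-int is an arbitrary label.

```powershell
# Added example: automate the cacerts import described in the post.
# Assumptions: cert path, Java root folder and default store password as stated above.
param(
    [string]$CertFile  = 'C:\JavaCerts\DigiCertSHA2SecureServerCA.crt',
    [string]$Alias     = 'digicert-int',
    [string]$StorePass = 'changeit'
)

if (-not (Test-Path $CertFile)) { throw "Intermediate certificate not found: $CertFile" }

# Step 2: the installer's Java version changes the path, so enumerate the JRE folders
# instead of hard-coding jre1.8.0_92. (A JDK keeps its cacerts under jre\lib\security.)
$jres = Get-ChildItem 'C:\Program Files\Java' -Directory -ErrorAction Stop

foreach ($jre in $jres) {
    $keytool = Join-Path $jre.FullName 'bin\keytool.exe'
    $cacerts = Join-Path $jre.FullName 'lib\security\cacerts'
    if (-not (Test-Path $keytool) -or -not (Test-Path $cacerts)) { continue }
    Write-Host "Using keystore $cacerts"

    # Step 3: back up cacerts before changing it, so the store can be rolled back.
    $backup = "$cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Copy-Item $cacerts $backup
    Write-Host "Backup written to $backup"

    # keytool exits 0 when the alias exists, non-zero otherwise: skip a second import.
    & $keytool -list -alias $Alias -keystore $cacerts -storepass $StorePass *> $null
    if ($LASTEXITCODE -eq 0) { Write-Host "Alias '$Alias' already present, skipping"; continue }

    # Steps 5 and 6: -noprompt answers the "Trust this certificate?" question and
    # -storepass replaces the interactive password prompt. This trusts the intermediate
    # locally; the SSLChecker finding means the AWCM server is not sending its chain,
    # which is what the import works around.
    & $keytool -importcert -trustcacerts -noprompt -file $CertFile -alias $Alias `
        -keystore $cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed for $cacerts (backup at $backup)" }

    # Step 7: verify by listing only the new alias rather than dumping the whole store.
    & $keytool -list -v -alias $Alias -keystore $cacerts -storepass $StorePass
}
```

Run it from an elevated PowerShell prompt, as in step 4; if the Tunnel to AWCM test still fails, copying the backup over cacerts restores the previous store.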

Mike Simm, I'm running into a similar scenario; can you confirm this was fixed after you slid the inter/root CA certs into the JKS?

Yes, confirm it was fixed.
Cheers
Mike