Certificates and authentication

Sep 06, 2017

Several components play a role in authentication during XenMobile operations:

  • XenMobile Server: The XenMobile Server is where you define enrollment security and the enrollment experience. Options for onboarding users include whether to make the enrollment open for all or by invitation only and whether to require two-factor authentication or three-factor authentication. Through client properties in XenMobile, you can enable Citrix PIN authentication and configure the complexity and expiration time of the PIN.
  • NetScaler: NetScaler provides termination for micro VPN SSL sessions. NetScaler also provides network in-transit security, and lets you define the authentication experience used each time a user accesses an app.
  • Secure Hub: Secure Hub works with XenMobile Server in enrollment operations. Secure Hub is the entity on a device that talks to NetScaler: When a session expires, Secure Hub gets an authentication ticket from NetScaler and passes the ticket to the MDX apps. Citrix recommends use of certificate pinning, which prevents man-in-the-middle attacks. For more information, see the section on certificate pinning in the Secure Hub article.

    Secure Hub also facilitates the MDX security container: Secure Hub pushes policies, creates a session with NetScaler when an app times out, and defines the MDX timeout and authentication experience. Secure Hub is also responsible for jailbreak detection, geolocation checks, and any policies you apply.
  • MDX policies: MDX policies create the data vault on the device. MDX policies direct micro VPN connections back to NetScaler, enforce offline mode restrictions, and enforce client policies, such as time-outs.

For more information about the considerations on how to configure authentication, including an overview of single-factor and two-factor authentication methods, see the Deployment Handbook Authentication article.

You use certificates in XenMobile to create secure connections and authenticate users. The remainder of this article discusses certificates. For other configuration details, see the following articles:

Certificates

By default, XenMobile comes with a self-signed Secure Sockets Layer (SSL) certificate that is generated during installation to secure the communication flows to the server. Citrix recommends that you replace the SSL certificate with a trusted SSL certificate from a well-known certificate authority (CA).

Note

iOS 10.3 devices don't support self-signed certificates. If XenMobile uses self-signed certificates, users can’t enroll iOS 10.3 devices into XenMobile. To enroll devices running iOS 10.3 or later into XenMobile, you must use trusted SSL certificates in XenMobile.

XenMobile also uses its own Public Key Infrastructure (PKI) service or obtains certificates from the CA for client certificates. All Citrix products support wildcard and Subject Alternative Name (SAN) certificates. For most deployments, you only need two wildcard or SAN certificates.

Client certificate authentication provides an extra layer of security for mobile apps and lets users seamlessly access HDX Apps. When client certificate authentication is configured, users type their Citrix PIN for single sign-on (SSO) access to XenMobile-enabled apps. Citrix PIN also simplifies the user authentication experience. Citrix PIN is used to secure a client certificate or save Active Directory credentials locally on the device.

To enroll and manage iOS devices with XenMobile, set up and create an Apple Push Notification Service (APNs) certificate from Apple. For steps, see APNs certificates.

The certificate format and required certificate type for each XenMobile component are as follows:

NetScaler Gateway
  Certificate format: PEM (BASE64), PFX (PKCS#12)
  Required certificate type: SSL, Root
  NetScaler Gateway converts PFX to PEM automatically.

XenMobile Server
  Certificate format: .p12 (.pfx on Windows-based computers)
  Required certificate type: SSL, SAML, APNs
  XenMobile also generates a full PKI during the installation process.
  Important: XenMobile Server doesn't support certificates with a .pem extension.

StoreFront
  Certificate format: PFX (PKCS#12)
  Required certificate type: SSL, Root

XenMobile supports SSL listener certificates and client certificates with bit lengths of 4096, 2048, and 1024. Note that 1024-bit certificates are easily compromised.

For NetScaler Gateway and the XenMobile Server, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the NetScaler Gateway or the XenMobile configuration utility. After you create the CSR, you submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on NetScaler Gateway or XenMobile.

Uploading certificates in XenMobile

Each certificate you upload has an entry in the Certificates table, summarizing its contents. When you configure PKI integration components that require a certificate, you choose a server certificate that satisfies the context-dependent criteria. For example, you might want to configure XenMobile to integrate with your Microsoft CA. The connection to the Microsoft CA must be authenticated by using a client certificate.

This section provides general procedures for uploading certificates. For details about creating, uploading, and configuring client certificates, see Client certificate or certificate plus domain authentication.

Private key requirements

XenMobile may or may not possess the private key for a given certificate. Likewise, XenMobile may or may not require a private key for certificates you upload.

Uploading certificates to the console

When uploading certificates to the console, you have two main options:

  • You can click to import a keystore. Then, you identify the entry in the keystore repository you want to install, unless you are uploading a PKCS#12 file.
  • You can click to import a certificate.

You can upload the CA certificate (without the private key) that the CA uses to sign requests. You can also upload an SSL client certificate (with the private key) for client authentication.

When configuring the Microsoft CA entity, you specify the CA certificate. You select the CA certificate from a list of all server certificates that are CA certificates. Likewise, when configuring client authentication, you can select from a list of all the server certificates for which XenMobile has the private key.

To import a keystore

By design, keystores, which are repositories of security certificates, can contain multiple entries. When loading from a keystore, therefore, you are prompted to specify the entry alias that identifies the entry you want to load. If you do not specify an alias, the first entry from the store is loaded. Because PKCS#12 files usually contain only one entry, the alias field does not appear when you select PKCS#12 as the keystore type.

1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.

2. Click Certificates. The Certificates page appears.

3. Click Import. The Import dialog box appears.

4. Configure these settings:

  • Import: In the list, click Keystore. The Import dialog box changes to reflect available keystore options.
  • Keystore type: In the list, click PKCS#12.
  • Use as: In the list, click how you plan to use the certificate. The available options are:
    • Server. Server certificates are certificates used functionally by the XenMobile Server that are uploaded to the XenMobile web console. They include CA certificates, RA certificates, and certificates for client authentication with other components of your infrastructure. In addition, you can use server certificates as storage for certificates you want to deploy to devices. This use especially applies to CAs used to establish trust on the device.
    • SAML. Security Assertion Markup Language (SAML) certification allows you to provide SSO access to servers, websites, and apps.
    • APNs. APNs certificates from Apple enable mobile device management via the Apple Push Network.
    • SSL Listener. The Secure Sockets Layer (SSL) Listener notifies XenMobile of SSL cryptographic activity.
  • Keystore file: Browse to find the keystore you want to import. The file type is .p12 (or .pfx on Windows-based computers).
  • Password: Type the password assigned to the certificate.
  • Description: Optionally, type a description for the keystore to help you distinguish it from your other keystores.

5. Click Import. The keystore is added to the Certificates table.

To import a certificate

When importing a certificate, either from a file or a keystore entry, XenMobile attempts to construct a certificate chain from the input and imports all certificates in that chain, creating a server certificate entry for each. This operation only works if the certificates in the file or keystore entry actually form a chain; that is, each subsequent certificate must be the issuer of the previous certificate.

You can add an optional description for the imported certificate for heuristic purposes. The description only attaches to the first certificate in the chain. You can update the description of the remaining certificates later.

1. In the XenMobile console, click the gear icon in the upper-right corner of the console and then click Certificates.

2. On the Certificates page, click Import. The Import dialog box appears.

3. In the Import dialog box, in Import, if it is not already selected, click Certificate.

4. The Import dialog box changes to reflect available certificate options. In Use as, click how you will use the certificate. The available options are:

  • Server. Server certificates are certificates used functionally by the XenMobile Server that are uploaded to the XenMobile web console. They include CA certificates, RA certificates, and certificates for client authentication with other components of your infrastructure. In addition, you can use server certificates as storage for certificates you want to deploy to devices. This option especially applies to CAs used to establish trust on the device.
  • SAML. Security Assertion Markup Language (SAML) certification allows you to provide single sign-on (SSO) access to servers, websites, and apps.
  • SSL Listener. The Secure Sockets Layer (SSL) Listener notifies XenMobile of SSL cryptographic activity.

5. Browse to find the keystore you want to import. The file type is .p12 (or .pfx on Windows-based computers).

6. Browse to find an optional private key file for the certificate. The private key is used for encryption and decryption along with the certificate.

7. Type a description for the certificate, optionally, to help you identify it from your other certificates.

8. Click Import. The certificate is added to the Certificates table.

Updating a certificate

XenMobile only allows one certificate per public key to exist in the system at any given time. If you attempt to import a certificate for the same key pair as an already imported certificate, you can either replace the existing entry or delete the entry.

To update a certificate, in the XenMobile console, click the gear icon in the upper-right corner of the console to open the Settings page, click Certificates, and then import the new certificate from the Import dialog box.

When you update a server certificate, components that were using the previous certificate automatically switch to using the new certificate. Likewise, if you have deployed the server certificate on devices, the certificate automatically updates on the next deployment.

XenMobile Certificate Administration

We recommend that you keep an inventory of the certificates used in your XenMobile deployment, including their expiration dates and associated passwords. This section is intended to make certificate administration in XenMobile easier.

Your environment may include some or all of the following certificates:

XenMobile Server

  • SSL Certificate for MDM FQDN
  • SAML Certificate (for ShareFile)
  • Root and Intermediate CA Certificates for the preceding certificates and any other internal resources (StoreFront/Proxy, and so on)
  • APNs Certificate for iOS Device Management
  • Internal APNs Certificate for XenMobile Server Secure Hub Notifications
  • PKI User Certificate for connectivity to PKI

MDX Toolkit

  • Apple Developer Certificate
  • Apple Provisioning Profile (per application)
  • Apple APNs Certificate (for use with Citrix Secure Mail)
  • Android Keystore File
  • Windows Phone: Symantec Certificate

NetScaler

  • SSL Certificate for MDM FQDN
  • SSL Certificate for Gateway FQDN
  • SSL Certificate for ShareFile SZC FQDN
  • SSL Certificate for Exchange Load Balancing (offload configuration)
  • SSL Certificate for StoreFront Load Balancing
  • Root and Intermediate CA Certificates for the preceding certificates

XenMobile Certificate Expiration Policy

If you allow a certificate to expire, the certificate becomes invalid. You can no longer run secure transactions on your environment and you cannot access XenMobile resources.

Note

The Certification Authority (CA) prompts you to renew your SSL certificate prior to the expiration date.
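As an added example (not Citrix code, and not the XenMobile API), the following Python script turns an openssl-style certificate dump into the inventory this section recommends: it checks the chain-ordering rule from the certificate import procedure (each certificate's issuer is the next certificate), flags 1024-bit keys as too weak, and reports expiry inside the 30- and 10-day windows Apple uses for APNs reminders. The dump, the names, and the review date are constructed placeholders.

```python
import re
from datetime import datetime, timezone
# Constructed sample modelled on `openssl x509 -noout -subject -issuer -enddate` output
# plus the "Public-Key: (N bit)" line of `-text`: leaf, intermediate, root, in that order.
SAMPLE_DUMP = """\
subject=CN=mdm.example.com
issuer=CN=Example Intermediate CA
notAfter=Oct  1 23:59:59 2017 GMT
Public-Key: (2048 bit)
subject=CN=Example Intermediate CA
issuer=CN=Example Root CA
notAfter=Sep  6 12:00:00 2020 GMT
Public-Key: (2048 bit)
subject=CN=Example Root CA
issuer=CN=Example Root CA
notAfter=Jan  1 00:00:00 2030 GMT
Public-Key: (1024 bit)
"""
WEAK_KEY_BITS, WARN_DAYS, CRITICAL_DAYS = 1024, 30, 10  # weak per the page; Apple's APNs notice windows
REVIEW_DATE = datetime(2017, 9, 6, tzinfo=timezone.utc)  # the article's date; use datetime.now(timezone.utc) live

def parse_dump(text):
    """One dict per certificate; a 'subject=' line starts a new record."""
    certs = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("subject="):
            certs.append({"subject": line.partition("=")[2]})
        elif line.startswith("issuer="):
            certs[-1]["issuer"] = line.partition("=")[2]
        elif line.startswith("notAfter="):  # e.g. "Oct  1 23:59:59 2017 GMT"
            stamp = datetime.strptime(line.partition("=")[2], "%b %d %H:%M:%S %Y GMT")
            certs[-1]["not_after"] = stamp.replace(tzinfo=timezone.utc)
        elif m := re.search(r"Public-Key: \((\d+) bit\)", line):
            certs[-1]["bits"] = int(m.group(1))
    return certs

def forms_chain(certs):
    """True when each certificate's issuer is the subject of the next one (the order XenMobile needs)."""
    return all(a["issuer"] == b["subject"] for a, b in zip(certs, certs[1:]))

def review(certs, now):
    """Findings an administrator acts on: expiry inside the notice windows, and weak keys."""
    findings = []
    for c in certs:
        days = (c["not_after"] - now).days
        if days <= WARN_DAYS:
            urgency = "expired" if days < 0 else "renew now" if days <= CRITICAL_DAYS else "renew soon"
            findings.append(f"{c['subject']}: {days} days to expiry ({urgency})")
        if c.get("bits", 2048) <= WEAK_KEY_BITS:
            findings.append(f"{c['subject']}: {c['bits']}-bit key, replace with 2048 bits or more")
    return findings

if __name__ == "__main__":
    certs = parse_dump(SAMPLE_DUMP)
    print(forms_chain(certs), *review(certs, REVIEW_DATE), sep="\n")
```

To run it against a real deployment, replace SAMPLE_DUMP with the concatenated output of openssl for each certificate in the order you intend to import them.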

APNs certificate for Citrix Secure Mail

Because Apple Push Notification Service (APNs) certificates expire every year, create an APNs SSL certificate and update it in the Citrix portal before the certificate expires. If the certificate expires, users experience inconsistent Secure Mail push notifications, and you can no longer send push notifications for your apps.

APNs certificate for iOS device management

To enroll and manage iOS devices with XenMobile, set up and create an APNs certificate from Apple. If the certificate expires, users cannot enroll in XenMobile and you cannot manage their iOS devices. For details, see APNs certificates.

You can view the APNs certificate status and expiration date by logging on to the Apple Push Certificates Portal. You must log on as the same user who created the certificate.

You also receive an email notification from Apple 30 and 10 days before the expiration date with the following information:

The following Apple Push Notification Service certificate, created for Apple ID CustomerID will expire on Date. Revoking or allowing this certificate to expire will require existing devices to be re-enrolled with a new push certificate.

Please contact your vendor to generate a new request (a signed CSR), then visit https://identity.apple.com/pushcert to renew your Apple Push Notification Service certificate.

Thank You,

Apple Push Notification Service

MDX Toolkit (iOS distribution certificate)

An app that runs on a physical iOS device (other than apps in the Apple App Store) must be signed with a provisioning profile. The app must also be signed with a corresponding distribution certificate.

To verify that you have a valid iOS distribution certificate, do the following:

1. From the Apple Enterprise Developer portal, create an explicit App ID for each app you plan to wrap with the MDX Toolkit. An example of an acceptable App ID is: com.CompanyName.ProductName.
2. From the Apple Enterprise Developer portal, go to Provisioning Profiles > Distribution and create an in-house provisioning profile. Repeat this step for each App ID created in the previous step.
3. Download all provisioning profiles. For details, see Wrapping iOS Mobile Apps.

To confirm that all XenMobile Server certificates are valid, do the following:

  1. In the XenMobile console, click Settings and then click Certificates.
  2. Check that all certificates including APNs, SSL Listener, Root, and Intermediate certificate are valid.

Android keystore

The keystore is a file that contains certificates used to sign your Android app. When your key validity period expires, users can no longer seamlessly upgrade to new versions of your app.

Enterprise certificate from Symantec for Windows phones

Symantec is the exclusive provider of code signing certificates for Microsoft App Hub service. Developers and software publishers join App Hub to distribute Windows Phone and Xbox 360 applications for download through the Windows Marketplace. For details, see Symantec Code Signing Certificates for Windows Phone in the Symantec documentation.

If the certificate expires, Windows phone users cannot enroll. The users cannot install an app published and signed by the company, or start a company app that was installed on the phone.

NetScaler

For details on how to handle certificate expiration for NetScaler, see How to handle certificate expiry on NetScaler in the Citrix Support Knowledge Center.

An expired NetScaler certificate prevents users from enrolling and accessing the Store. The expired certificate also prevents users from connecting to Exchange Server when using Secure Mail. In addition, users cannot enumerate and open HDX apps (depending on which certificate expired).

The Expiry Monitor and Command Center can help you track your NetScaler certificates. Command Center notifies you when a certificate expires. These tools help you monitor the following NetScaler certificates:

  • SSL Certificate for MDM FQDN
  • SSL Certificate for Gateway FQDN
  • SSL Certificate for ShareFile SZC FQDN
  • SSL Certificate for Exchange Load Balancing (offload configuration)
  • SSL Certificate for StoreFront Load Balancing
  • Root and Intermediate CA Certificates for the preceding certificates