Citrix Endpoint Management

Upload and renew certificates

We recommend that you list the certificates needed for your Endpoint Management deployment. Use the list to track the certificate expiration dates and passwords. This article helps you administer certificates throughout their lifespan.

Your environment might include some or all of the following certificates:

  • Endpoint Management server
    • SSL Certificate for MDM FQDN (needed if you migrated from XenMobile Server to Endpoint Management; otherwise, Citrix manages this certificate)
    • SAML Certificate (for Citrix Files)
    • Root and Intermediate CA Certificates for the preceding certificates and any other internal resources (StoreFront/Proxy, and so on)
    • APNs Certificate for iOS Device Management
    • PKI User Certificate for connectivity to PKI (required if your environment requires certificate-based authentication)
  • MDX Service or MDX Toolkit
    • Apple Developer Certificate
    • Apple Provisioning Profile (per application)
    • Apple APNs Certificate (for use with Citrix Secure Mail)
    • Android Keystore File
    • Windows Phone – DigiCert Certificate

    The MAM SDK doesn’t wrap apps, so it doesn’t require a certificate.

  • Citrix Gateway
    • SSL Certificate for MDM FQDN
    • SSL Certificate for Gateway FQDN
    • SSL Certificate for ShareFile SZC FQDN
    • SSL Certificate for Exchange Load Balancing (offload configuration)
    • SSL Certificate for StoreFront Load Balancing
    • Root & Intermediate CA Certificates for the preceding certificates
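A list of certificates is only useful if someone checks the dates on it. The shell function below is an added example, not part of the Citrix documentation or product: it takes PEM exports of the certificates in your inventory and, using only the openssl command-line tool, flags every certificate that expires within a chosen number of days (or has already expired). The file names, subjects and validity periods are constructed for the demo; `cert_expiry_report` and `make_sample_certs` are names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not Citrix code): expiry report for PEM certificate files,
# driven by "openssl x509 -checkend". Point it at exports of the MDM FQDN,
# Gateway, SAML, APNs and CA certificates from your inventory.

# cert_expiry_report DAYS FILE...
# Prints subject, notAfter and a status per file. Returns 0 when every
# certificate is still valid DAYS days from now, 1 when at least one is not
# (an unreadable file or one that has already expired also returns 1).
cert_expiry_report() {
    days=$1
    shift
    seconds=$((days * 86400))
    rc=0
    for f in "$@"; do
        if ! openssl x509 -in "$f" -noout 2>/dev/null; then
            printf '%-40s %s\n' "$f" "NOT A READABLE PEM CERTIFICATE"
            rc=1
            continue
        fi
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        not_after=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend N exits 0 only if the certificate is still valid N seconds from now.
        if openssl x509 -in "$f" -noout -checkend "$seconds" >/dev/null 2>&1; then
            status="OK"
        else
            status="EXPIRING within $days days"
            rc=1
        fi
        printf '%-40s %-25s %s\n' "$subject" "$not_after" "$status"
    done
    return "$rc"
}

# make_sample_certs DIR
# Constructs two self-signed certificates for the demo: one valid for only
# 10 more days (a certificate nobody renewed) and one valid for 400 days.
make_sample_certs() {
    dir=$1
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/key.pem"
    openssl req -x509 -key "$dir/key.pem" -subj '/CN=mdm.example.com' \
        -days 10 -out "$dir/mdm-fqdn.pem" 2>/dev/null
    openssl req -x509 -key "$dir/key.pem" -subj '/CN=gateway.example.com' \
        -days 400 -out "$dir/gateway-fqdn.pem" 2>/dev/null
}

# Stand-alone demo: warn about anything that expires in the next 30 days.
demo_dir=$(mktemp -d)
make_sample_certs "$demo_dir"
if cert_expiry_report 30 "$demo_dir/mdm-fqdn.pem" "$demo_dir/gateway-fqdn.pem"; then
    echo "all certificates valid for at least 30 more days"
else
    echo "renew the certificates marked EXPIRING"
fi
rm -rf "$demo_dir"
```

Run it from a cron job with a window that matches your renewal lead time (30 days is a common choice); a non-zero exit code is what your monitoring should alert on. Certificates that live only on a Citrix Gateway or load balancer have to be exported to PEM first, or fetched with `openssl s_client -showcerts` from a host that can reach them.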

Upload certificates

Each certificate you upload has an entry in the Certificates table, including a summary of its contents. When you configure PKI integration components that require a certificate, you choose a server certificate that satisfies the context-dependent criteria. For example, you might want to configure Endpoint Management to integrate with your Microsoft certificate authority (CA). The connection to the Microsoft CA must be authenticated by using a client certificate.

Endpoint Management does not necessarily hold the private key for every certificate it stores, and not every use needs one. A CA certificate that only establishes trust is uploaded without its private key; a certificate that Endpoint Management uses to authenticate itself (for example, the client certificate for the Microsoft CA connection) must be uploaded with its private key.

This section provides general procedures for uploading certificates. For details about creating, uploading, and configuring client certificates, see Client certificate or certificate plus domain authentication.

When uploading certificates to the console, you can:

  • Import a keystore. Unless the keystore is in PKCS #12 format, you then specify the alias of the entry you want to install.
  • Import a certificate.

You can upload the CA certificate (without the private key) that the CA uses to sign requests. You can also upload an SSL client certificate (with the private key) for client authentication.

When configuring the Microsoft CA entity, you specify the CA certificate. You select the CA certificate from a list of all server certificates that are CA certificates. Likewise, when configuring client authentication, you can select from a list of all the server certificates for which Endpoint Management has the private key.

To import a keystore

By design, keystores, which are repositories of security certificates, can contain multiple entries. When loading from a keystore, therefore, you are prompted to specify the alias that identifies the entry you want to load. If you do not specify an alias, the first entry in the store is loaded. Because PKCS #12 files usually contain only one entry, the alias field does not appear when you select PKCS #12 as the keystore type. A PKCS #12 file can nevertheless hold several entries; in that case only the first one is loaded, so confirm the file's contents before you upload it.

  1. In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  2. Click Certificates. The Certificates page appears.

    The Certificates configuration page

  3. Click Import. The Import dialog box appears.

  4. Configure these settings:

    • Import: In the list, click Keystore. The Import dialog box changes to reflect available keystore options.


    • Keystore type: In the list, click PKCS #12.
    • Use as: In the list, click how you plan to use the certificate. The available options are:
      • Server: Server certificates are certificates used functionally by Endpoint Management. You upload server certificates to the Endpoint Management web console. Those certificates include CA certificates, RA certificates, and certificates for client authentication with other components of your infrastructure. In addition, you can use server certificates as storage for certificates you want to deploy to devices. This use especially applies to CAs used to establish trust on the device.
      • SAML: A Security Assertion Markup Language (SAML) signing certificate lets Endpoint Management provide single sign-on (SSO) access to servers, websites, and apps.
      • APNs: APNs certificates from Apple enable mobile device management through the Apple Push Notification service.
      • SSL Listener: The SSL Listener certificate is the server (TLS) certificate that Endpoint Management presents to clients that connect to it.
    • Keystore file: Browse to find the keystore you want to import of the file type .p12 (or .pfx on Windows-based computers).
    • Password: Type the password that protects the keystore file.
    • Description: Optionally, type a description for the keystore to help you distinguish it from your other keystores.
  5. Click Import. The keystore is added to the Certificates table.
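Because the alias field is hidden for PKCS #12 and only the first entry is loaded, it pays to look inside a .p12/.pfx file before uploading it. The following shell function is an added example, not Citrix code: it uses only the openssl command-line tool to list the entry aliases (the friendlyName bag attributes) and to count the private keys and certificates in the keystore, so you can tell a client-authentication keystore (exactly one key) from a certificate-only trust anchor before choosing the Use as option. The keystore names, alias and password are constructed for the demo; `p12_inspect` and `make_sample_keystores` are names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not Citrix code): inspect a PKCS #12 keystore (.p12 or .pfx,
# same format) before uploading it to Settings > Certificates.

# p12_inspect FILE PASSWORD
# Prints the entry aliases and the number of private keys and certificates.
# Returns 0 when the keystore holds exactly one private key, 1 when it holds
# none or several, 2 when the file cannot be opened with that password.
p12_inspect() {
    file=$1
    pass=$2
    # Fail fast if the MAC does not verify (wrong password or not PKCS #12).
    if ! openssl pkcs12 -in "$file" -passin "pass:$pass" -noout 2>/dev/null; then
        echo "$file: cannot open keystore (wrong password or not a PKCS #12 file)" >&2
        return 2
    fi
    # Aliases are the friendlyName bag attributes; -info prints them on stdout
    # with the certificates, while the MAC/cipher summary goes to stderr.
    aliases=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -info -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | sort -u | tr '\n' ' ')
    # Count keys without writing them to disk: -nodes decrypts into the pipe only.
    keys=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN .*PRIVATE KEY' || true)
    certs=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
    printf '%s: aliases=[%s] private_keys=%s certificates=%s\n' \
        "$file" "${aliases% }" "$keys" "$certs"
    if [ "$keys" -eq 1 ]; then
        return 0
    fi
    return 1
}

# make_sample_keystores DIR
# Constructs two keystores for the demo: a client certificate with its key
# (alias "mdm-client", CA appended) and a certificate-only CA keystore.
make_sample_keystores() {
    dir=$1
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ca.key"
    openssl req -x509 -key "$dir/ca.key" -subj '/CN=Example Root CA' -days 3650 \
        -out "$dir/ca.pem" 2>/dev/null
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/client.key"
    openssl req -x509 -key "$dir/client.key" -subj '/CN=em-pki-client.example.com' \
        -days 365 -out "$dir/client.pem" 2>/dev/null
    openssl pkcs12 -export -name mdm-client -inkey "$dir/client.key" -in "$dir/client.pem" \
        -certfile "$dir/ca.pem" -passout pass:changeit -out "$dir/client.p12"
    openssl pkcs12 -export -nokeys -in "$dir/ca.pem" -passout pass:changeit -out "$dir/ca-only.p12"
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
make_sample_keystores "$demo_dir"
for ks in "$demo_dir/client.p12" "$demo_dir/ca-only.p12"; do
    if p12_inspect "$ks" changeit; then
        echo "  -> one private key: suitable for client authentication"
    else
        echo "  -> no single private key: usable only as a trust anchor"
    fi
done
rm -rf "$demo_dir"
```

If the report shows more than one alias, split the keystore (or pick the entry you need) before uploading, because the console will silently take the first one. Passing the password on the command line as shown is fine for a throwaway demo; for a production keystore read it from a file with `-passin file:` so it does not land in your shell history.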

To import a certificate

When importing a certificate, either from a file or a keystore entry, Endpoint Management attempts to construct a certificate chain from the input and imports every certificate in that chain, creating a server certificate entry for each. This works only if the certificates in the file or keystore entry actually form a chain, that is, if each subsequent certificate is the issuer of the previous one.

You can add an optional description for the imported certificate. The description only attaches to the first certificate in the chain. You can update the description of the remaining certificates later.

  1. In the Endpoint Management console, click the gear icon in the upper-right corner of the console and then click Certificates.

  2. On the Certificates page, click Import. The Import dialog box appears.

  3. In the Import dialog box, in Import, if it is not already selected, click Certificate.

  4. The Import dialog box changes to reflect available certificate options. In Use as, select how you plan to use the certificate. The available options are:

    • Server: Server certificates are certificates used functionally by Endpoint Management. You upload server certificates to the Endpoint Management web console. Those certificates include CA certificates, RA certificates, and certificates for client authentication with other components of your infrastructure. In addition, you can use server certificates as storage for certificates you want to deploy to devices. This option especially applies to CAs used to establish trust on the device.
    • SAML: A Security Assertion Markup Language (SAML) signing certificate lets Endpoint Management provide single sign-on (SSO) access to servers, websites, and apps.
    • SSL Listener: The SSL Listener certificate is the server (TLS) certificate that Endpoint Management presents to clients that connect to it.
  5. Browse to find the certificate file you want to import.

  6. Optionally, browse to find the private key file for the certificate. Supply the key when Endpoint Management must use the certificate itself, for example to authenticate to your CA; a CA certificate that only establishes trust needs no key.

  7. Type a description for the certificate, optionally, to help you identify it from your other certificates.

  8. Click Import. The certificate is added to the Certificates table.
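The import only succeeds when the certificates in the file form a chain in the right order, so it is worth checking a PEM bundle before the console rejects it or imports a partial chain. The shell function below is an added example, not Citrix code: it splits a bundle into its certificates, prints subject and issuer at each position, flags any position where the next certificate is not the issuer of the previous one, and then has `openssl verify` confirm that the first certificate really chains to the last. It needs only openssl and awk; the root, issuing CA and client certificate it generates, and the names `chain_check` and `make_sample_chain`, are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not Citrix code): pre-check a PEM bundle for "Import > Certificate".
# Endpoint Management only builds a chain when each certificate in the file is
# the issuer of the one before it. This prints subject/issuer per position,
# flags a break in that order, then asks openssl verify whether the first
# certificate really chains to the last. Needs only openssl and awk.

# chain_check BUNDLE  -> 0 if ordered leaf, issuer, ..., root and the leaf
# verifies against the last certificate; 1 otherwise.
chain_check() {
    bundle=$1
    work=$(mktemp -d)
    # Split into cert-1.pem, cert-2.pem, ... in file order.
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/cert-" n ".pem") }' "$bundle"
    n=0
    while [ -f "$work/cert-$((n + 1)).pem" ]; do n=$((n + 1)); done
    if [ "$n" -eq 0 ]; then
        echo "$bundle: no PEM certificates found" >&2
        rm -rf "$work"
        return 1
    fi
    ok=0
    i=1
    while [ "$i" -le "$n" ]; do
        subject=$(openssl x509 -in "$work/cert-$i.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$work/cert-$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        printf '%d  subject: %s\n   issuer:  %s\n' "$i" "$subject" "$issuer"
        if [ "$i" -lt "$n" ]; then
            next=$(openssl x509 -in "$work/cert-$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
            # Name comparison only; the signature check is done by openssl verify below.
            if [ "$issuer" != "$next" ]; then
                echo "   ORDER BREAK: certificate $((i + 1)) is not the issuer of certificate $i" >&2
                ok=1
            fi
        fi
        i=$((i + 1))
    done
    # Cryptographic check: cert-1 through any intermediates to cert-n as trust anchor.
    if [ "$n" -ge 2 ]; then
        set -- -CAfile "$work/cert-$n.pem"
        if [ "$n" -ge 3 ]; then
            : > "$work/untrusted.pem"
            j=2
            while [ "$j" -lt "$n" ]; do cat "$work/cert-$j.pem" >> "$work/untrusted.pem"; j=$((j + 1)); done
            set -- "$@" -untrusted "$work/untrusted.pem"
        fi
        if ! openssl verify "$@" "$work/cert-1.pem" >/dev/null 2>&1; then
            echo "   VERIFY FAILED: certificate 1 does not chain to certificate $n" >&2
            ok=1
        fi
    fi
    rm -rf "$work"
    return "$ok"
}

# make_sample_chain DIR  -> constructs root -> issuing CA -> client cert and
# writes chain-ok.pem (leaf first) and chain-reversed.pem (root first).
make_sample_chain() {
    dir=$1
    printf '[ ca_ext ]\nbasicConstraints = critical, CA:TRUE\n[ leaf_ext ]\nbasicConstraints = critical, CA:FALSE\nextendedKeyUsage = clientAuth\n' > "$dir/ext.cnf"
    for name in root intermediate leaf; do
        openssl ecparam -genkey -name prime256v1 -noout -out "$dir/$name.key"
    done
    openssl req -new -key "$dir/root.key" -subj '/O=Example/CN=Example Root CA' -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 -extfile "$dir/ext.cnf" -extensions ca_ext -out "$dir/root.pem" 2>/dev/null
    openssl req -new -key "$dir/intermediate.key" -subj '/O=Example/CN=Example Issuing CA' -out "$dir/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial -days 1825 -extfile "$dir/ext.cnf" -extensions ca_ext -out "$dir/intermediate.pem" 2>/dev/null
    openssl req -new -key "$dir/leaf.key" -subj '/O=Example/CN=em-pki-client.example.com' -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" -CAcreateserial -days 365 -extfile "$dir/ext.cnf" -extensions leaf_ext -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/leaf.pem" "$dir/intermediate.pem" "$dir/root.pem" > "$dir/chain-ok.pem"
    cat "$dir/root.pem" "$dir/intermediate.pem" "$dir/leaf.pem" > "$dir/chain-reversed.pem"
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
make_sample_chain "$demo_dir"
for bundle in "$demo_dir/chain-ok.pem" "$demo_dir/chain-reversed.pem"; do
    echo "== $bundle"
    if chain_check "$bundle"; then echo "   ready to import"; else echo "   fix the order before importing"; fi
done
rm -rf "$demo_dir"
```

A bundle that prints an ORDER BREAK usually just needs its certificates reordered; a VERIFY FAILED with the order intact means a certificate is missing or a wrong intermediate was pasted in, and the console will not be able to assemble the chain either.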

Update a certificate

Endpoint Management allows only one certificate per public key in the system at a time. If you import a certificate for the same key pair as an already imported certificate, you can either replace the existing entry or delete it.

To update a certificate, in the Endpoint Management console, click the gear icon in the upper-right corner to open the Settings page, click Certificates, click Import, and then import the new certificate in the Import dialog box.

When you update a server certificate, components that were using the previous certificate automatically switch to using the new certificate. Likewise, if you have deployed the server certificate on devices, the certificate automatically updates on the next deployment.

Renew device certificates

An expired certificate is no longer trusted: secure connections to the affected component fail and users cannot access Endpoint Management resources. Public Certification Authorities (CAs) usually send renewal reminders before the expiration date, but do not rely on those alone; track the dates in your own certificate list.

To renew device certificates:

  • PKI service: You can request that Citrix Cloud Operations refresh or regenerate the internal PKI certificate authorities (CAs) in your Endpoint Management deployment. Open a Technical Support case for these requests.

    When the new CAs are available, Cloud Operations lets you know that you can proceed with renewing the device certificates for your users.

  • iOS, macOS, Android, and Windows devices: For supported iOS, macOS, and Android devices, you can initiate certificate renewal through the security action, Certificate Renewal. You renew device certificates from the Endpoint Management console or the Public REST API. For enrolled Windows devices, users must re-enroll their devices to receive a device certificate issued by the new CA.

  • APNs: To renew an APNs certificate, perform the steps to create a certificate, then go to the Apple Push Certificates Portal. For more information, see Renew an APNs certificate.

  • Citrix Gateway: If your Citrix Gateway is set up for SSL offload, ensure that you update your load balancer with the new cacert.pem.

The next time that devices connect back to Endpoint Management, the Endpoint Management server issues new device certificates based on the new CA.

To renew device certificates by using the console

  1. Go to Manage > Devices and select the devices for which you want to renew device certificates.
  2. Click Secure and then click Certificate Renewal.

    Certificate Renewal in Security Actions

    Already enrolled devices continue to work without disruption. Endpoint Management issues a device certificate when a device connects back to the server.

To query for the devices that are in a specific device certificate issuer CA group:

  1. In Manage > Devices, expand the Filters pane if it’s closed.
  2. In the Filters pane, expand Device Certificate Issuer CA and then select the issuer CAs that you want to renew.

    In the table of devices, the devices for the selected issuer CAs appear.

    Device list filtering by CA certificate group

To renew device certificates by using the REST API

Endpoint Management uses the following certificate authorities (CAs) internally for PKI: a root CA, a device CA, and a server CA. Together they form a logical CA group identified by a group name. During Endpoint Management provisioning, the server generates the three CAs and gives them the group name “default”.

Endpoint Management provides the following public REST APIs to manage and renew device certificates. Already enrolled devices continue to work without disruption; Endpoint Management issues a new device certificate when a device connects back to the server. For more information, download the Public API for REST Services PDF.

  • Return a list of devices still using the old CA (see section 3.16.2 in the Public API for REST Services PDF)
  • Renew Device Certificate (see section 3.16.58)
  • Get all CA groups (see section 3.23.1)

APNs certificate for Citrix Secure Mail

Apple Push Notification Service (APNs) certificates expire every year. Be sure to create a new APNs SSL certificate and update it in the Citrix portal before the current one expires. If the certificate expires, Secure Mail push notifications become unreliable and you can no longer send push notifications for your apps.

APNs certificate for iOS device management

To enroll and manage iOS devices with Endpoint Management, set up and create an APNs certificate from Apple. If the certificate expires, users cannot enroll in Endpoint Management and you cannot manage their iOS devices. For details, see APNs certificates.

You can view the APNs certificate status and expiration date by logging on to the Apple Push Certificates Portal. Be sure to log on as the same user who created the certificate.

You also receive an email notification from Apple 30 and 10 days before the expiration date. The notification includes the following information:

The following Apple Push Notification Service certificate, created for Apple ID CustomerID will expire on Date. Revoking or allowing this certificate to expire will require existing devices to be re-enrolled with a new push certificate.

Please contact your vendor to generate a new request (a signed CSR), then visit https://identity.apple.com/pushcert to renew your Apple Push Notification Service certificate.

Thank You,

Apple Push Notification Service

MDX Service or MDX Toolkit (iOS distribution certificate)

An app that runs on a physical iOS device (other than an app from the Apple App Store) has these signing requirements:

  • Sign the app with a provisioning profile.
  • Sign the app with a corresponding distribution certificate.

To verify that you have a valid iOS distribution certificate, do the following:

  1. From the Apple Enterprise Developer portal, create an explicit App ID for each app you plan to wrap with MDX. An example of an acceptable App ID is: com.CompanyName.ProductName.
  2. From the Apple Enterprise Developer portal, go to Provisioning Profiles > Distribution and create an in-house provisioning profile. Repeat this step for each App ID created in the previous step.
  3. Download all provisioning profiles. For details, see Wrapping iOS Mobile Apps.

To confirm that all Endpoint Management server certificates are valid, do the following:

  1. In the Endpoint Management console, click Settings > Certificates.
  2. Check that all certificates including APNs, SSL Listener, Root, and Intermediate certificate are valid.

Android keystore

The keystore is a file that contains certificates used to sign your Android app. When your key validity period expires, users can no longer seamlessly upgrade to new versions of your app.

Enterprise certificate from DigiCert for Windows phones

DigiCert is the exclusive provider of code signing certificates for the Microsoft App Hub service. Developers and software publishers join the App Hub to distribute Windows Phone and Xbox 360 applications for download through the Windows Marketplace. For details, see DigiCert Code Signing Certificates for Windows Phone in the DigiCert documentation.

If the certificate expires, Windows phone users cannot enroll. The users cannot install an app published and signed by the company, or start a company app that was installed on the phone.

Citrix Gateway

For details on how to handle certificate expiration for Citrix Gateway, see How to handle certificate expiry on NetScaler in the Citrix Support Knowledge Center.

An expired Citrix Gateway certificate prevents users from enrolling and accessing the Store. The expired certificate also prevents users from connecting to Exchange Server when using Secure Mail. In addition, users cannot enumerate and open HDX apps (depending on which certificate expired).

The Expiry Monitor and Command Center can help you track your Citrix Gateway certificates and alert you before a certificate expires. These tools help you monitor the following Citrix Gateway certificates:

  • SSL Certificate for MDM FQDN
  • SSL Certificate for Gateway FQDN
  • SSL Certificate for ShareFile SZC FQDN
  • SSL Certificate for Exchange Load Balancing (offload configuration)
  • SSL Certificate for StoreFront Load Balancing
  • Root and Intermediate CA Certificates for the preceding certificates