
To replace the default XenServer SSL certificate

Nov 22, 2010

Citrix recommends using HTTPS to secure communication between XenDesktop and XenServer. To use HTTPS you must replace the default self-signed SSL certificate installed with XenServer with one issued by a certificate authority the controller trusts, either a commercial CA or your own internal CA whose root certificate is installed on the controller:

  1. Modify /etc/pki/tls/openssl.cnf as follows:
    1. Request extensions by uncommenting the following line in the [ req ] section:
      req_extensions = v3_req
    2. Modify the [ v3_req ] section (the section that line names) to read as follows:
      basicConstraints = CA:FALSE
      keyUsage = keyEncipherment
      extendedKeyUsage = serverAuth
    keyUsage = keyEncipherment is sufficient for RSA key exchange; if the host is configured to negotiate (EC)DHE cipher suites, the certificate also needs digitalSignature. Note also that a CA may ignore the extensions requested in a CSR and apply its own certificate template, so check the signed certificate for extendedKeyUsage = serverAuth when it is returned.
  2. Generate a private key and a certificate request:
      openssl genrsa -out [servername].private 2048
      openssl req -new -outform PEM -out [servername].request -keyform PEM -key [servername].private -days 365
    where [servername] is the name of the XenServer host. When prompted for the Common Name, enter the host name exactly as the controller addresses the host, because the controller validates the certificate against that name. The request is written to the file [servername].request. The intent is a 1 year (365 day) certificate, but openssl req only honours -days when it generates a self-signed certificate (-x509); the validity period of the signed certificate is set by the CA.
  3. Have the certificate request contained in [servername].request signed by a certificate authority. This can be either a commercial certificate authority or an internal corporate certificate authority such as Microsoft Certificate Services. Save the signed certificate returned by the CA as [servername].public on the XenServer host.
  4. After the new certificate has been signed, move the existing certificate aside:
      mv /etc/xensource/xapi-ssl.pem /etc/xensource/xapi-ssl.pem_orig
  5. Add the new signed certificate to the XenServer host and tighten the access rights:
      cat [servername].public [servername].private > [servername].pem
      install -m 0400 [servername].pem /etc/xensource/xapi-ssl.pem
    The installed file contains the private key, so it must remain readable by root only (mode 0400). Remove the working copies [servername].private and [servername].pem afterwards, or keep them under the same permissions.
  6. Edit the file /etc/init.d/xapissl so that its PEMFILE variable names the PEM file you installed, using a line of the form: PEMFILE="/etc/ssl/certs/[servername].pem"
    The path must match the destination used in the previous step; if you installed the file to /etc/xensource/xapi-ssl.pem as shown above, PEMFILE must point to that path instead.
  7. Restart the XenServer communications service by entering the following command: /etc/init.d/xapissl restart
    Then confirm from another machine that the host now presents the new certificate, for example with openssl s_client -connect [servername]:443, and check that the subject and issuer shown are the expected ones.
If you are using a private (internal) certificate authority, you must also install its root certificate on the controller so that the controller trusts the certificates it issues.
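The host-side steps above, scripted with a check after each one, as an added example that is not part of the Citrix page. Everything in it is hypothetical: WORKDIR stands in for the XenServer host's file system, the target path defaults to a scratch file instead of /etc/xensource/xapi-ssl.pem, and sign_with_test_ca() is a throwaway CA so the flow can be exercised offline; in production you send [servername].request to your real CA and skip that function. The openssl.cnf edits are reproduced in a private config rather than applied to the system file.

```shell
#!/bin/sh
# Added example (not from the Citrix page). Hypothetical: WORKDIR stands in
# for the XenServer host, sign_with_test_ca() replaces the real CA.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CFG="$WORKDIR/openssl-req.cnf"

# Same two settings the page adds to /etc/pki/tls/openssl.cnf, kept in a
# private config so the system file is untouched. v3_ca is for the test CA only.
write_req_config() {
    cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment
extendedKeyUsage = serverAuth

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
}

# Step 2: 2048-bit RSA key (kept 0400) and a CSR whose CN is the name the
# controller uses to reach the host; a mismatch fails HTTPS validation there.
gen_request() {
    server="$1"
    write_req_config
    openssl genrsa -out "$WORKDIR/$server.private" 2048 2>/dev/null
    chmod 0400 "$WORKDIR/$server.private"
    openssl req -new -outform PEM -out "$WORKDIR/$server.request" \
        -keyform PEM -key "$WORKDIR/$server.private" \
        -config "$CFG" -subj "/CN=$server"
}

# Confirm the CSR carries the CN and all three v3_req extensions before it
# goes to the CA. Returns non-zero if any of them is missing.
check_request() {
    server="$1"
    txt=$(openssl req -in "$WORKDIR/$server.request" -noout -text)
    echo "$txt" | grep -q "CN *= *$server" &&
    echo "$txt" | grep -q "CA:FALSE" &&
    echo "$txt" | grep -q "Key Encipherment" &&
    echo "$txt" | grep -q "TLS Web Server Authentication"
}

# Stand-in for step 3: a throwaway CA signs the CSR, copying its extensions.
# Real CAs may apply their own profile instead, hence the re-check below.
sign_with_test_ca() {
    server="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$CFG" \
        -extensions v3_ca -subj "/CN=Throwaway test CA" \
        -keyout "$WORKDIR/testca.key" -out "$WORKDIR/testca.crt" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$server.request" -days 365 \
        -CA "$WORKDIR/testca.crt" -CAkey "$WORKDIR/testca.key" -CAcreateserial \
        -extfile "$CFG" -extensions v3_req -out "$WORKDIR/$server.public" 2>/dev/null
}

# Steps 4 and 5: back up any existing PEM, join certificate and key, install
# the result readable by root only. Real target: /etc/xensource/xapi-ssl.pem.
install_pem() {
    server="$1"
    target="${2:-$WORKDIR/xapi-ssl.pem}"
    if [ -f "$target" ]; then mv "$target" "${target}_orig"; fi
    cat "$WORKDIR/$server.public" "$WORKDIR/$server.private" > "$WORKDIR/$server.pem"
    install -m 0400 "$WORKDIR/$server.pem" "$target"
}

# Post-install checks: mode 0400, key matches certificate, CN is right,
# serverAuth survived signing, certificate chains to the CA the controller
# trusts. Returns non-zero on the first failure.
check_installed() {
    target="$1"; server="$2"; cafile="$3"
    mode=$(ls -l "$target" | cut -c1-10)
    ctext=$(openssl x509 -in "$target" -noout -text)
    certmod=$(openssl x509 -in "$target" -noout -modulus)
    keymod=$(openssl rsa -in "$target" -noout -modulus 2>/dev/null)
    [ "$mode" = "-r--------" ] &&
    [ -n "$certmod" ] && [ "$certmod" = "$keymod" ] &&
    echo "$ctext" | grep -q "CN *= *$server" &&
    echo "$ctext" | grep -q "TLS Web Server Authentication" &&
    openssl x509 -in "$target" | openssl verify -CAfile "$cafile" >/dev/null 2>&1
}

# Whole flow for one host name; reports where the PEM landed on success.
run_all() {
    server="$1"
    gen_request "$server"
    check_request "$server" || { echo "CSR lacks CN or extensions" >&2; return 1; }
    sign_with_test_ca "$server"
    install_pem "$server" "$WORKDIR/xapi-ssl.pem"
    check_installed "$WORKDIR/xapi-ssl.pem" "$server" "$WORKDIR/testca.crt" ||
        { echo "installed PEM failed checks" >&2; return 1; }
    echo "OK: $WORKDIR/xapi-ssl.pem (set PEMFILE in /etc/init.d/xapissl, restart xapissl)"
}

# Usage: sh xapi-cert.sh xenhost01.example.com
if [ $# -gt 0 ]; then
    run_all "$1"
fi
```

The checks that matter most are the two that the page does not spell out: comparing the certificate and key moduli catches a PEM assembled from the wrong key, and re-reading the signed certificate catches a CA that silently dropped the requested serverAuth extension. After the real install, the live equivalent of the last check is feeding the certificate shown by openssl s_client -connect [servername]:443 into openssl verify with the CA's root.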

To install a certificate on the controller

  1. Locate the root certificate file in Windows Explorer.
  2. Right-click the root certificate file and select Install Certificate. The Certificate Import Wizard appears.
  3. On the Welcome page, click Next.
  4. On the Certificate Store page, select Place all certificates in the following store.
  5. Click Browse.
  6. Select Show physical stores.
  7. Expand Trusted Root Certification Authorities and select the Local Computer store beneath it, so that the root is trusted machine-wide rather than only for the current user.
  8. Click OK.
  9. Follow the instructions in the wizard to complete the install.