Product Documentation

Server Certificates

Apr 16, 2015

Server certificates are certificates used functionally by the XenMobile server. You upload them in the Device Manager web console, in the PKI integration section of the Options dialog box. They include CA (Certificate Authority) certificates, RA (Registration Authority) certificates, and certificates for client authentication with other components of your infrastructure. In addition, you can use the Server Certificates table as storage for certificates you wish to deploy to devices; this applies especially to CA certificates used to establish trust on the device.

XenMobile may or may not possess the private key for a given certificate. For some usages XenMobile requires the private key; for others it does not. Each certificate you upload is represented by an entry in the Server Certificates table, summarizing its contents. Later, when you configure PKI integration components that require a certificate, you are prompted to choose from the list of Server Certificates that satisfy the context-dependent criteria.

For example, you might want to configure XenMobile to integrate with your Microsoft CA, with the connection to the Microsoft CA authenticated using a client certificate.

You upload the CA certificate (without the private key) that the CA uses to sign the certificates it issues, and an SSL client certificate (with the private key) for client authentication. When configuring the Microsoft CA entity, you must specify the CA certificate, which you select from a drop-down list of all Server Certificates that are CA certificates (the context-dependent criterion). Likewise, when configuring client authentication, you select from a drop-down list of all Server Certificates for which XenMobile holds the private key (again, the context-dependent criterion).

About XenMobile PKI

The XenMobile Public Key Infrastructure (PKI) Integration feature allows you to manage, with great flexibility, the distribution and life cycle of the security certificates used on your devices.

The main feature of the system is the PKI Entity. A PKI entity models a back-end component for PKI operations. That component may be either local to XenMobile (internal) or part of your corporate infrastructure (external, such as a Microsoft, RSA, or OpenTrust PKI). The PKI entity handles back-end certificate issuance and revocation, and it is the authoritative source for a certificate's status. The XenMobile configuration normally contains exactly one PKI Entity per back-end PKI component.

The second feature is the Credential Provider. A Credential Provider is a particular configuration of certificate issuance and life cycle. It controls things like the certificate's format (subject, key, algorithms) and the conditions for its renewal or revocation, if any. Credential Providers delegate operations to PKI Entities. In other words, while Credential Providers control when and with what data PKI operations are undertaken, PKI Entities control how those operations are performed. The XenMobile configuration normally contains many Credential Providers per PKI Entity.

The third feature of the system is Server Certificates. Server Certificates are X.509 certificates used functionally by the PKI Entity or Credential Provider configurations.

To import a server certificate

XenMobile supports the following input formats for certificates:

  • PEM or DER-encoded certificate files
  • PEM or DER-encoded certificate files with associated PEM or DER-encoded private key file
  • PKCS#12 key stores (P12; also known as PFX on Windows)
  • Java Key Store (JKS) and Extended Java Key Store (EJKS)

Key stores, by design, can contain multiple entries, so when you load from a key store you are prompted to specify the alias identifying the entry you wish to load. If you do not specify an alias, the first entry in the store is loaded. Since PKCS#12 files usually contain only one entry, you can leave the alias empty for those files.

When importing a certificate, either from a file or from a key store entry, XenMobile attempts to construct a certificate chain from the input and imports every certificate in that chain (creating a Server Certificate entry for each). This works only if the certificates in the file or key store entry really do form a chain, that is, each certificate is the issuer of the one before it. You can add an optional description to the imported certificate for your own reference. The description is attached only to the first certificate in the chain (you can update the descriptions of the remaining certificates later).

  1. From the Device Manager web console, click Options.
  2. In the XenMobile Server Options dialog box, from the left side select PKI > Server Certificate.
  3. Click Upload Certificate to import a certificate.
  4. From the Certificate Type list, select either Certificate or Keystore.
  5. Click Choose File to select the certificate or key store file.
  6. If you are importing a certificate with a separate private key file, click Choose File again to select the private key file for the certificate.
  7. Enter an optional description, and then click Upload.
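The following shell script is an added example and is not part of the Citrix documentation or the XenMobile product. It uses the openssl command line to do offline what the upload dialog does at import time: split a PEM bundle into certificates, order it leaf-first so that each certificate is followed by its issuer (rejecting a bundle that is not one chain, such as one with a missing intermediate), confirm that a private key file belongs to a certificate, fingerprint the public key (the identity that matters when XenMobile enforces one certificate per public key), and package a client certificate in a PKCS#12 store under a named alias. The three-tier test PKI, the alias xenmobile-client and the password are constructed for this example.

```shell
#!/bin/sh
# Added example, not Citrix code: prepare and sanity-check certificate material with the
# openssl CLI before uploading it as XenMobile Server Certificates. The three-tier PKI,
# the alias "xenmobile-client" and the password are constructed test data (assumptions).

# Build a test PKI (root -> intermediate -> client leaf) in directory $1.
make_test_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
      -subj "/CN=Test $n" >/dev/null 2>&1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1
}

# Split a PEM bundle ($1) into single certificates and write them to $2 leaf-first, each
# certificate followed by its issuer. Returns 1 if the certificates do not form exactly
# one chain, for example when an intermediate is missing.
order_chain() {
  bundle=$1; out=$2; work=$(mktemp -d)
  total=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/c" n ".pem")}' "$bundle"
  issuers=""
  for f in "$work"/c*.pem; do
    issuers="$issuers $(openssl x509 -in "$f" -noout -issuer_hash)"
  done
  cur=""                              # the leaf is the one certificate that issued nothing
  for f in "$work"/c*.pem; do
    s=$(openssl x509 -in "$f" -noout -subject_hash)
    case " $issuers " in *" $s "*) ;; *) cur=$f ;; esac
  done
  : > "$out"; count=0
  while [ -n "$cur" ] && [ "$count" -lt "$total" ]; do
    cat "$cur" >> "$out"; count=$((count + 1))
    s=$(openssl x509 -in "$cur" -noout -subject_hash)
    i=$(openssl x509 -in "$cur" -noout -issuer_hash)
    [ "$s" = "$i" ] && break          # self-signed root reached: chain complete
    next=""
    for f in "$work"/c*.pem; do       # the issuer is the certificate whose subject matches
      [ "$(openssl x509 -in "$f" -noout -subject_hash)" = "$i" ] && next=$f
    done
    cur=$next
  done
  rm -rf "$work"
  [ "$count" -eq "$total" ]
}

# SHA-256 of the DER SubjectPublicKeyInfo. XenMobile keeps one certificate per public key,
# so two certificates with equal fingerprints belong to the same key pair and the second
# upload is offered as a replacement of the first.
pubkey_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | awk '{print $1}'
}
# The same digest computed from a private key file, to confirm it belongs to a certificate.
key_fingerprint() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | awk '{print $1}'
}

# Package leaf cert $1, key $2 and intermediate $3 as PKCS#12 under alias $4 with password
# $5 into $6; the alias is the key store entry name the XenMobile upload dialog asks for.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "$4" -passout "pass:$5" -out "$6"
}
# Read the alias (friendlyName) of the first certificate entry back from a PKCS#12 store.
p12_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -nodes 2>/dev/null |
    awk '/friendlyName:/ { sub(/.*friendlyName: */, ""); print; exit }'
}

main() {
  d=$(mktemp -d)
  make_test_pki "$d"
  cat "$d/root.crt" "$d/leaf.crt" "$d/int.crt" > "$d/bundle.pem"   # deliberately scrambled
  order_chain "$d/bundle.pem" "$d/ordered.pem" && echo "bundle ordered leaf-first"
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/ordered.pem" "$d/leaf.crt"
  if [ "$(key_fingerprint "$d/leaf.key")" = "$(pubkey_fingerprint "$d/leaf.crt")" ]; then
    echo "leaf.key belongs to leaf.crt"
  fi
  make_p12 "$d/leaf.crt" "$d/leaf.key" "$d/int.crt" xenmobile-client secret "$d/client.p12"
  echo "PKCS#12 alias: $(p12_alias "$d/client.p12" secret)"
  rm -rf "$d"
}
main
```

Run it as a plain script to see the ordered bundle verify against the root, the key match, and the alias read back from the PKCS#12 file. Feeding the same scrambled bundle to the upload dialog relies on XenMobile's own chain construction; ordering and verifying it first tells you beforehand whether the import will produce one entry per certificate, and the public-key fingerprint tells you whether an upload will collide with an entry that already exists.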

Updating a Certificate

XenMobile allows only one certificate per public key to exist in the system at any given time. If you attempt to import a certificate for the same key pair as an already imported one, you are offered the option either to replace the existing entry or to delete it.

To update a certificate, simply upload the new one in the Device Manager web console's Options dialog box, under PKI > Server Certificate, the same place you uploaded the original. When a Server Certificate entry is updated, components that were using the previous certificate automatically switch to the new one. Likewise, if you have deployed the Server Certificate to devices, it is automatically updated on the next deployment.