XenMobile Server

PKI entities

A XenMobile Public Key Infrastructure (PKI) entity configuration represents a component doing actual PKI operations (issuance, revocation, and status information). These components are either internal or external to XenMobile. Internal components are referred to as discretionary. External components are part of your corporate infrastructure.

XenMobile supports the following types of PKI entities:

  • Microsoft Certificate Services

  • Discretionary Certificate Authorities (CAs)

XenMobile supports the following CA servers:

  • Windows Server 2019
  • Windows Server 2016

Note:

Windows Servers 2012 R2, 2012, and 2008 R2 are no longer supported as they have reached end of life. For more information, see Microsoft products life cycle documentation.

Common PKI concepts

Regardless of its type, every PKI entity has a subset of the following capabilities:

  • Sign: Issuing a new certificate, based on a Certificate Signing Request (CSR).
  • Fetch: Recovering an existing certificate and key pair.
  • Revoke: Revoking a client certificate.

About CA Certificates

When you configure a PKI entity, indicate to XenMobile which CA certificate is the signer of certificates issued by (or recovered from) that entity. That PKI entity can return (fetched or newly signed) certificates signed by any number of different CAs.

Provide the certificate of each of these CAs as part of the PKI entity configuration. To do so, upload the certificates to XenMobile and then reference them in the PKI entity. For discretionary CAs, the certificate is implicitly the signing CA certificate. For external entities, you must specify the certificate manually.

Important:

When you create a Microsoft Certificate Services Entity template, avoid possible authentication issues with enrolled devices: Don’t use special characters in the template name. For example, don’t use: ! : $ ( ) # % + * ~ ? | { } [ ]

Microsoft Certificate Services

XenMobile interfaces with Microsoft Certificate Services through its web enrollment interface. XenMobile only supports the issuing of new certificates through that interface. If the Microsoft CA generates a Citrix Gateway user certificate, Citrix Gateway supports renewal and revocation for those certificates.

To create a Microsoft CA PKI entity in XenMobile, you must specify the base URL of the Certificate Services web interface. If you choose, use SSL client authentication to secure the connection between XenMobile and the Certificate Services web interface.

Add a Microsoft Certificate Services entity

  1. In the XenMobile console, click the gear icon in the upper-right corner of the console and then click PKI Entities.

  2. On the PKI Entities page, click Add.

    A menu of PKI entity types appears.

  3. Click Microsoft Certificate Services Entity.

    The Microsoft Certificate Services Entity: General Information page appears.

  4. On the Microsoft Certificate Services Entity: General Information page, configure these settings:

    • Name: Type a name for your new entity, which you use later to refer to that entity. Entity names must be unique.
    • Web enrollment service root URL: Type the base URL of your Microsoft CA web enrollment service; for example, https://192.0.2.13/certsrv/. The URL can use plain HTTP or HTTP-over-SSL.
    • certnew.cer page name: The name of the certnew.cer page. Use the default name unless you have renamed it for some reason.
    • certfnsh.asp: The name of the certfnsh.asp page. Use the default name unless you have renamed it for some reason.
    • Authentication type: Choose the authentication method that you want to use.
      • None
      • HTTP Basic: Type the user name and password required to connect.
      • Client certificate: Choose the correct SSL client certificate.
  5. Click Test Connection to ensure that the server is accessible. If it is not accessible, a message appears, stating that the connection failed. Check your configuration settings.

  6. Click Next.

    The Microsoft Certificate Services Entity: Templates page appears. On this page, you specify the internal names of the templates your Microsoft CA supports. When creating credential providers, you select a template from the list defined here. Every credential provider using this entity uses exactly one such template.

    For Microsoft Certificate Services template requirements, see the Microsoft documentation for your Microsoft Server version. XenMobile doesn’t have requirements for the certificates it distributes other than the certificate formats noted in Certificates.

  7. On the Microsoft Certificate Services Entity: Templates page, click Add, type the name of the template and then click Save. Repeat this step for each template that you want to add.

  8. Click Next.

    The Microsoft Certificate Services Entity: HTTP parameters page appears. On this page, you specify custom parameters for XenMobile to add to the HTTP request to the Microsoft Web Enrollment interface. Custom parameters are useful only for customized scripts running on the CA.

  9. On the Microsoft Certificate Services Entity: HTTP parameters page, click Add, type the name and value of the HTTP parameters you want to add, and then click Next.

    The Microsoft Certificate Services Entity: CA Certificates page appears. On this page, you must inform XenMobile of the signers of the certificates that the system obtains through this entity. When your CA certificate is renewed, update it in XenMobile. XenMobile applies the change to the entity transparently.

  10. On the Microsoft Certificate Services Entity: CA Certificates page, select the certificates you want to use for this entity.

  11. Click Save.

    The entity appears on the PKI Entities table.

Citrix ADC Certificate Revocation List (CRL)

XenMobile supports Certificate Revocation List (CRL) only for a third-party Certificate Authority. If you have a Microsoft CA configured, XenMobile uses Citrix ADC to manage revocation.

When you configure client certificate-based authentication, consider whether to configure the Citrix ADC Certificate Revocation List (CRL) setting Enable CRL Auto Refresh. This step ensures that the user of a device in MAM-only mode can’t authenticate using an existing certificate on the device.

XenMobile reissues a new certificate, because it doesn’t restrict a user from generating a user certificate after one is revoked. This setting increases the security of PKI entities when the CRL checks for expired PKI entities.

Discretionary CAs

A discretionary CA is created when you provide XenMobile with a CA certificate and the associated private key. XenMobile handles certificate issuance, revocation, and status information internally, according to the parameters you specify.

When configuring a discretionary CA, you can activate Online Certificate Status Protocol (OCSP) support for that CA. If and only if you enable OCSP support, the CA adds the extension id-pe-authorityInfoAccess to the certificates that the CA issues. The extension points to the XenMobile internal OCSP Responder at the following location:

https://<server>/<instance>/ocsp

When configuring the OCSP service, specify an OCSP signing certificate for the discretionary entity in question. You can use the CA certificate itself as the signer. To avoid the unnecessary exposure of your CA private key (recommended): Create a delegate OCSP signing certificate, signed by the CA certificate, and include this extension: id-kp-OCSPSigning extendedKeyUsage.

The XenMobile OCSP responder service supports basic OCSP responses and the following hashing algorithms in requests:

  • SHA-1
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512

Responses are signed with SHA-256 and the signing certificate key algorithm (DSA, RSA, or ECDSA).

Add discretionary CAs

  1. In the XenMobile console, click the gear icon in the upper-right corner of the console and then click More > PKI Entities.

  2. On the PKI Entities page, click Add.

    A menu of PKI entity types appears.

  3. Click Discretionary CA.

    The Discretionary CA: General Information page appears.

  4. On the Discretionary CA: General Information page, do the following:

    • Name: Type a descriptive name for the discretionary CA.
    • CA certificate to sign certificate requests: Click a certificate for the discretionary CA to use to sign certificate requests.

      This list of certificates is generated from the CA certificates with private keys you uploaded at XenMobile at Configure > Settings > Certificates.

  5. Click Next.

    The Discretionary CA: Parameters page appears.

  6. On the Discretionary CA: Parameters page, do the following:

    • Serial number generator: The discretionary CA generates serial numbers for the certificates it issues. From this list, click Sequential or Non-sequential to determine how the numbers are generated.
    • Next serial number: Type a value to determine the next number issued.
    • Certificate valid for: Type the number of days the certificate is valid.
    • Key usage: Identify the purpose of the certificates issued by the discretionary CA by setting the appropriate keys to On. Once set, the CA is limited issuing certificates for those purposes.
    • Extended key usage: To add more parameters, click Add, type the key name and then click Save.
  7. Click Next.

    The Discretionary CA: Distribution page appears.

  8. On the Discretionary CA: Distribution page, select a distribution mode:

    • Centralized: server-side key generation. Citrix recommends the centralized option. The private keys are generated and stored on the server and distributed to user devices.
    • Distributed: device-side key generation. The private keys are generated on the user devices. This distributed mode uses SCEP and requires an RA encryption certificate with the keyUsage keyEncryption extension and an RA signing certificate with the keyUsage digitalSignature extension. The same certificate can be used for both encryption and signing.
  9. Click Next.

    The Discretionary CA: Online Certificate Status Protocol (OCSP) page appears.

    On the Discretionary CA: Online Certificate Status Protocol (OCSP) page, do the following:

    • If you want to add an AuthorityInfoAccess (RFC2459) extension to the certificates signed by this CA, set Enable OCSP support for this CA to On. This extension points to the CA OCSP responder at https://<server>/<instance>/ocsp.
    • If you enabled OCSP support, select an OSCP signing CA certificate. This list of certificates is generated from the CA certificates you uploaded to XenMobile.
  10. Click Save.

    The discretionary CA appears on the PKI Entities table.

PKI entities