XenServer

Certificate verification

April 16, 2024

Contributed by:

When certificate verification is enabled for a pool, all TLS communication endpoints on its management network use certificates to validate the identity of their peers before transmitting confidential information.

Behavior

Connections initiated by a XenServer host on the management network require the destination endpoint to provide a TLS certificate to verify its identity. This requirement affects the following items that are part of the pool or interact with the pool:

Hosts in the pool
XenCenter
Third-party clients that use the API

Certificate verification is compatible with both the self-signed certificates provided by XenServer and user-installed certificates signed by a trusted authority. For more information, see Install a TLS certificate on your host.

Each XenServer host in a pool has two certificates that identify it:

Pool-internal identity certificates are used to secure communications between hosts within the pool. For communication within the pool, XenServer always uses self-signed certificates.
Server identity certificates are used to verify the identity of a XenServer host to any client applications that communicate with the pool on the management network. For communication between the host and a client application, you can use self-signed certificates or you can install your own TLS certificates on your hosts.

When a host first joins the pool or a client first makes a connection to the pool, the pool trusts the connection. During this first connection, certificates are exchanged between the pool and the joining host or the connecting client. For all subsequent communications by this host or client on the management network, the certificates are used to verify the identity of the parties involved in the communication.

We recommend that you enable certificate verification on all your hosts and pools. For a XenServer host to successfully join a pool, both the host and the pool must have certificate verification either enabled or disabled. If certificate verification is enabled on one and not the other, the join operation is not successful. XenCenter provides a warning message that advises you to enable certificate verification on the pool or on the joining host.

When a host leaves a pool with certificate verification enabled, both the host and the pool delete the certificates that relate to the other.

The Workload Balancing virtual appliance can be used with certificate verification. You must ensure that the Workload Balancing self-signed certificates are installed into your XenServer host.

The XenServer Conversion Manager virtual appliance does not connect to XenServer hosts and so is exempt from the certification checking requirement when it acts as a TLS client end point.

Enabling certificate verification for your pool

Certificate verification is enabled by default on fresh installations of XenServer 8 and later. If you upgrade from an earlier version of XenServer or Citrix Hypervisor, certificate verification is not enabled automatically and you must enable it. XenCenter prompts you to enable certificate verification the next time you connect to the upgraded pool.

Before enabling certificate verification on a pool, ensure that no operations are running in the pool.

Enable by using XenCenter

XenCenter provides several ways to enable certificate verification.

When first connecting XenCenter to a pool without certificate verification enabled, you are prompted to enable it. Click Yes, Enable certificate verification.
In the Pool menu, select Enable Certificate Verification.
On the General tab of the pool, right-click the entry Certificate Verification and choose Enable Certificate Verification from the menu.

Enable by using the xe CLI

To enable certificate verification for a pool, run the following command in the console of a host in the pool:

xe pool-enable-tls-verification

Managing certificates

You can install, view information about, and reset the certificates that are used to verify the identity of a host.

Installing certificates

You can install your own TLS certificate for the host to present as its identity certificate when receiving connections from client applications on the management network.

For more information, see Install a TLS certificate on your host.

Viewing certificate information

To find out whether a pool has certificate verification enabled:

In XenCenter, look in the General tab for the pool. The General section has an entry for Certificate Verification which shows whether certificate verification is enabled or disabled. This tab also contains a Certificates section that lists the name, validity, and thumbprint for the CA certificates.
With the xe CLI, you can run the following command:
```
 xe pool-param-get uuid=<pool_uuid> param-name=tls-verification-enabled
```
If certificate verification is enabled, the line tls-verification-enabled ( RO): true appears in the command output.

To view information about the certificates on a XenServer host:

In XenCenter, go to the General tab for that host. The Certificates section shows the thumbprint and the validity dates for the server identity certificate and the pool-internal identity certificate.
With the xe CLI, you can run the following command:
```
 xe certificate-list
```

Refreshing pool-internal identity certificates

You can refresh the pool-internal identity certificate by using the xe CLI:

Find the UUID of the host whose certificate you want to reset by running the following command:
```
xe host-list
```
To reset the certificate, run the following command:
```
xe host-refresh-server-certificate host=<host_uuid>
```
Note:

Any host selector parameter can be used with this command to indicate the host to reset the certificate on.

Resetting server identity certificates

You can reset the server identity certificate from XenCenter or the xe CLI. Resetting a certificate deletes the certificate from the host and installs a new self-signed certificate in its place.

To reset a certificate in XenCenter:

Go to the General tab for the host.
In the Certificates section, right-click on the certificate you want to reset.
From the menu, select Reset Certificate.
In the dialog that appears, click Yes to confirm the certificate reset.

Alternatively, in the Server menu, you can go to Certificates > Reset Certificate.

When you reset a certificate, any existing connections to the XenServer host are disconnected — including the connection between XenCenter and the host. XenCenter reconnects automatically to the host after a certificate reset.

To reset a certificate by using the xe CLI:

Find the UUID of the host whose certificate you want to reset by running the following command:
```
xe host-list
```
To reset the certificate, run the following command:
```
xe host-reset-server-certificate host=<host_uuid>
```
Note:

Any host selector parameter can be used with this command to indicate the XenServer host to reset the certificate on.

Expiry alerts

XenCenter shows alerts in the Notifications view when your server identity certificates, pool-internal identity certificates, or pool CA certificates are close to their expiry date.

Temporarily disabling certificate verification

We do not recommend that you disable certificate verification after it has been enabled on a host or pool. However, XenServer provides commands that can be used to disable certificate verification on a per host basis when troubleshooting problems with certificates.

To temporarily disable certificate verification, run the following command on the host console:

xe host-emergency-disable-tls-verification

XenCenter shows an alert in the Notifications view when certificate verification is disabled on a host in a pool where the feature is enabled.

After you have resolved any issues with certificates on the host, ensure that you enable certificate verification on it again. To enable certificate verification again, run the following command on the host console:

xe host-emergency-reenable-tls-verification

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Certificate verification

April 16, 2024

Contributed by:

April 16, 2024

Contributed by:

Certificate verification

Behavior

Enabling certificate verification for your pool

Enable by using XenCenter

Enable by using the xe CLI

Managing certificates

Installing certificates

Viewing certificate information

Refreshing pool-internal identity certificates

Resetting server identity certificates

Expiry alerts

Temporarily disabling certificate verification

In this article