Common PKI Concepts

Dec 21, 2015
Regardless of its type, every PKI Entity is said to have a subset of the following capabilities:
  • sign Issuing a new certificate, based on a Certificate Signing Request.
  • fetch Recovering an existing certificate and key pair.
  • revoke Revoking a client certificate.
Table 1. PKI Capabilities
PKI Type            Capability
Discretionary PKI   Sign: the adapter is capable of taking Certificate Signing Requests, transmitting them to the PKI and returning newly signed certificates.
Microsoft           Sign

About CA Certificates

When configuring a PKI entity, you have to tell XenMobile which CA certificate will be the signer of the certificates issued by (or recovered from) that entity. A single PKI entity may return certificates (fetched or newly signed) that are signed by any number of different CAs; the certificate of each such CA has to be provided as part of the PKI entity configuration, by uploading it to the Server Certificates repository and then referencing it from the PKI entity. For a discretionary PKI the signing CA certificate is implied by the entity itself; for external entities you have to specify it manually.

Note: XenMobile will verify that the actual issuer of a certificate newly obtained through a sign or fetch operation matches the purported, configured issuer. An error will be raised if this is not the case.
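The following is an added example, not XenMobile's own code, of the two operations this page describes: the sign capability (issuing a certificate from a Certificate Signing Request) and the issuer check from the note above. It uses the third-party Python `cryptography` package; the function names (`make_ca`, `make_csr`, `sign_csr`, `issued_by`), the CA and device names, and the generated keys are all constructed for the example. The point the check makes is that matching the issuer name against the configured CA's subject is not sufficient on its own, because any signer can write any name into the issuer field; the certificate's signature must also verify under the configured CA's public key.

```python
"""Added example (not XenMobile code): sign a CSR with a CA key and then
check that the resulting certificate was really issued by the configured CA.
Requires the third-party `cryptography` package; all names and keys below
are constructed test data."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _validity(days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=days)


def make_ca(common_name):
    """Create a self-signed CA certificate and its private key (test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity(365)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_csr(common_name):
    """Generate a device key pair and a CSR for it (what a client would submit)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .sign(key, hashes.SHA256())
    )
    return key, csr


def sign_csr(csr, ca_key, ca_cert, days=30):
    """The 'sign' capability: issue an end-entity certificate from a CSR.

    The CSR's own signature is checked first so that the requester proves it
    holds the private key for the public key it asks us to certify."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: proof of possession failed")
    not_before, not_after = _validity(days)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )


def issued_by(cert, ca_cert):
    """Return True only if `cert` was really issued by `ca_cert`.

    Both conditions are required: the issuer name must equal the configured
    CA's subject, and the certificate's signature must verify under the
    configured CA's public key. A name match alone proves nothing, since any
    signer can put the expected name in the issuer field."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False
    return True
```

Run `ca_key, ca_cert = make_ca("Example Issuing CA")`, obtain a CSR with `make_csr("device-001")`, issue with `sign_csr`, and `issued_by(cert, ca_cert)` returns True. A certificate signed by a second, independently generated CA that uses the same subject name passes the name comparison but fails the signature verification, which is exactly the case a name-only check would miss.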