Product Documentation

Server Certificates

Dec 21, 2015

Server certificates are certificates used by the XenMobile server itself; you upload them in the Device Manager web console, in the PKI integration section of the Options dialog box. They include CA (Certificate Authority) certificates, RA (Registration Authority) certificates, and certificates for client authentication with other components of your infrastructure. In addition, you can use the Server Certificates table as storage for certificates you wish to deploy to devices, especially CAs used to establish trust on the device.

XenMobile may or may not hold the private key for a given certificate: some usages require the private key, others do not. Each certificate you upload is represented by an entry in the Server Certificates table that summarizes its contents. Later, when you configure PKI integration components that require a certificate, you are prompted to choose from the Server Certificates that satisfy the context-dependent criteria.

For example, you might want to configure XenMobile to integrate with your Microsoft CA. The connection to the Microsoft CA should be authenticated using a client certificate.

You can upload the CA certificate (without the private key) that the CA uses to sign requests, and an SSL client certificate (with the private key) for client authentication. When configuring the Microsoft CA entity, you need to specify the CA certificate, which you select from a drop-down list of all Server Certificates that are CA certificates (the context-dependent criterion). Likewise, when configuring client authentication, you select from a drop-down list of all Server Certificates for which XenMobile has the private key (the context-dependent criterion).

To import a server certificate

XenMobile supports the following input formats for certificates:

  • PEM or DER-encoded certificate files
  • PEM or DER-encoded certificate files with associated PEM or DER-encoded private key file
  • PKCS#12 key stores (P12; also known as PFX on Windows)
  • Java Key Store (JKS) and Extended Java Key Store (EJKS)

Key stores, by design, can contain multiple entries, so when you load from a key store you are prompted to specify the alias identifying the entry you wish to load. If you do not specify an alias, the first entry in the store is loaded. Since PKCS#12 files usually contain only one entry, you should leave the alias empty for those files.

When importing a certificate, either from a file or from a key store entry, XenMobile attempts to construct a certificate chain from the input and imports every certificate in that chain (creating a Server Certificate entry for each). This only works if the certificates in the file or key store entry really do form a chain, that is, if each subsequent certificate is the issuer of the previous one. You can add an optional description to help you identify the imported certificate later. The description is attached only to the first certificate in the chain (you can update the descriptions of the remaining certificates later).
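The checks below cover the input formats listed above and the chain-ordering requirement: that a PEM and a DER file really are the same certificate, that a separate private key file belongs to its certificate, that a bundle is ordered so each subsequent certificate issues the previous one (and actually verifies up to the root), and what alias a PKCS#12 entry carries. This is an added example using the openssl command-line tool, not Citrix or XenMobile code; it assumes `openssl` 1.1.1 or later is on PATH, and the three-certificate chain, the alias `xenmobile-client` and the password `changeit` are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the XenMobile documentation): pre-import checks for
# server-certificate material with the openssl CLI. Assumes `openssl` is installed.
# The chain, the PKCS#12 alias and the password below are constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Build a constructed chain: root CA -> issuing CA -> client-authentication leaf.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
    openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 1 \
        -extfile ca.ext 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Issuing CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -out inter.crt -days 1 -extfile ca.ext 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=xenmobile-client" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -out leaf.crt -days 1 -extfile leaf.ext 2>/dev/null
}

# 1. PEM and DER encodings of one certificate share the same SHA-256 fingerprint.
fingerprint() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# 2. A separate private key file belongs to a certificate when the public keys match.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# 3. Chain ordering as required above: each subsequent certificate is the issuer of the previous one.
chain_in_order() {
    prev=""
    for f in "$@"; do
        if [ -n "$prev" ]; then
            iss=$(openssl x509 -in "$prev" -noout -issuer | sed 's/^issuer=//')
            sub=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
            [ "$iss" = "$sub" ] || return 1
        fi
        prev="$f"
    done
}
# ...and the signatures verify up to the root (arguments: leaf, intermediate, root).
chain_verifies() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }

# 4. PKCS#12 entries carry an alias (friendlyName); list them to know what to enter in the console.
p12_aliases() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -info 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p'
}

make_chain
openssl x509 -in leaf.crt -outform DER -out leaf.der
openssl pkcs12 -export -in leaf.crt -inkey leaf.key -certfile inter.crt \
    -name xenmobile-client -passout pass:changeit -out client.p12 2>/dev/null

# Demonstration run; a failing check prints FAIL instead of aborting the script.
report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }
[ "$(fingerprint leaf.crt PEM)" = "$(fingerprint leaf.der DER)" ] && echo "ok   PEM and DER are the same certificate"
report key_matches_cert leaf.crt leaf.key
report key_matches_cert leaf.crt inter.key        # wrong key: expected FAIL
report chain_in_order leaf.crt inter.crt root.crt
report chain_in_order root.crt inter.crt leaf.crt  # reversed bundle: expected FAIL
report chain_verifies leaf.crt inter.crt root.crt
echo "PKCS#12 aliases in client.p12: $(p12_aliases client.p12)"
```

Run it as a script; it works in a temporary directory it creates. The reversed-bundle case is the one that silently produces a partial import: a file whose certificates do not form a chain in the required order is not rejected as a file, so ordering is worth checking before upload.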

  1. From the Device Manager web console, click Options.
  2. In the XenMobile Server Options dialog box, from the left side select PKI > Server Certificate.
  3. Click Upload Certificate to import a certificate.
  4. From the Certificate Type list, select either Certificate or Keystore.
  5. Next, click Choose File to select a certificate.
  6. Next, click Choose File to select a private key file for the certificate.
  7. Enter an optional description, and then click Upload.

Updating a Certificate

XenMobile allows only one certificate per public key to exist in the system at any given time. If you attempt to import a certificate for the same key pair as an already imported one, you are offered the option either to replace the existing entry or to delete it.

To update your certificates, simply upload the new one in the Device Manager web console's Options dialog box, under PKI > Certificates. When a Server Certificate entry is updated, components that were using the previous one automatically switch to the new one. Likewise, if you have deployed the Server Certificate to devices, it is automatically updated on the next deployment.