
Uploading Certificates in XenMobile

May 01, 2015
Certificates are used functionally by the XenMobile server. You upload the certificates to XenMobile through the Certificates area of the XenMobile console. These certificates include Certificate Authority (CA) certificates, Registration Authority (RA) certificates, and certificates for client authentication with other components of your infrastructure. In addition, you may use the Certificates area as storage for certificates you want to deploy to devices. This use especially applies to CAs that are used to establish trust on the device.
 
Each certificate you upload is represented by an entry in the Certificates table, summarizing its contents. When you configure PKI integration components that require a certificate, you are prompted to choose from a list of the server certificates that satisfy the context-dependent criteria. For example, you might want to configure XenMobile to integrate with your Microsoft CA. The connection to the Microsoft CA should be authenticated using a client certificate.
 

Private Key Requirements

XenMobile may or may not possess the private key for a given certificate. Likewise, XenMobile may or may not require a private key for certificates you upload.

Uploading Certificates to the Console

You can upload the CA certificate (without the private key) that the CA uses to sign requests, and you can upload an SSL client certificate (with the private key) for client authentication. When configuring the Microsoft CA entity, you need to specify the CA certificate, which you can then select from a list of all server certificates that are CA certificates. Likewise, when configuring client authentication, you can select from a list of all the server certificates for which XenMobile has the private key.

XenMobile supports the following input formats for certificates:

  • PEM or DER-encoded certificate files
  • PEM or DER-encoded certificate files with associated PEM or DER-encoded private key file
  • PKCS#12 keystores (P12; also known as PFX on Windows)

To import a keystore

Keystores, by design, can contain multiple entries. When loading from a keystore, therefore, you are prompted to specify the entry alias identifying the entry you want to load. If you do not specify an alias, the first entry from the store is loaded. Because PKCS#12 files usually contain only one entry, the alias field does not appear when you select PKCS#12 as the keystore type.

  1. In the XenMobile console, click Configure > Settings > Certificates.
  2. On the Certificates page, click Import. The Import dialog box appears.
  3. In the Import dialog box, in Import, click Keystore. The Import dialog box changes to reflect available keystore options, as shown in the preceding figure.
  4. In Keystore type, click PKCS#12.
  5. In Use as, click how you will use the keystore. The available options are:
    • Server. Server certificates are certificates used functionally by the XenMobile server that are uploaded to the XenMobile web console. They include CA certificates, RA certificates, and certificates for client authentication with other components of your infrastructure. In addition, you may use server certificates as storage for certificates you want to deploy to devices. This use especially applies to CAs used to establish trust on the device.
    • SAML. Security Assertion Markup Language (SAML) certification allows you to provide single sign-on (SSO) access to servers, websites, and apps.
    • APNs. Apple Push Notification service (APNs) certificates from Apple enable mobile device management via the Apple Push Network.
    • SSL Listener. The Secure Sockets Layer (SSL) Listener notifies XenMobile of SSL cryptographic activity.
  6. Browse to find the keystore you want to import.
  7. In Password, type the password assigned to the certificate.
  8. Optionally, type a description for the keystore to help you distinguish it from your other keystores.
  9. Click Import. The keystore is added to the Certificates table.

To import a certificate

When importing a certificate, either from a file or a keystore entry, XenMobile attempts to construct a certificate chain from the input, and imports all certificates in that chain (creating a server certificate entry for each). This operation only works if the certificates in the file or keystore entry really do form a chain, that is, if each subsequent certificate in the chain is the issuer of the previous certificate.

You can add an optional description for the imported certificate for heuristic purposes. The description only attaches to the first certificate in the chain. You can update the description of the remaining certificates later.

  1. In the XenMobile console, click Configure > Settings > Certificates.
  2. On the Certificates page, click Import. The Import dialog box appears.
  3. In the Import dialog box, in Import, if it is not already selected, click Certificate. The Import dialog box changes to reflect available certificate options.
  4. In Use as, click how you will use the certificate. The available options are:
    • Server. Server certificates are certificates used functionally by the XenMobile server that are uploaded to the XenMobile web console. They include CA certificates, RA certificates, and certificates for client authentication with other components of your infrastructure. In addition, you may use server certificates as storage for certificates you want to deploy to devices. This option especially applies to CAs used to establish trust on the device.
    • SAML. Security Assertion Markup Language (SAML) certification allows you to provide single sign-on (SSO) access to servers, websites, and apps.
    • SSL Listener. The Secure Sockets Layer (SSL) Listener notifies XenMobile of SSL cryptographic activity.
  5. Browse to find the certificate you want to import.
  6. Browse to find an optional private key file for the certificate. The private key is used for encryption and decryption in conjunction with the certificate.
  7. Optionally, type a description for the certificate to help you distinguish it from your other certificates.
  8. Click Import. The certificate is added to the Certificates table.

Updating a Certificate

XenMobile only allows one certificate per public key to exist in the system at any given time. If you attempt to import a certificate for the same key pair as an already imported certificate, you have the option to either replace the existing entry or to delete the entry.

The most effective way to update a certificate is to import the new certificate through the Import dialog box in the XenMobile console, under Configure > Settings > Certificates. When you update a server certificate, components that were using the previous certificate automatically switch to using the new certificate. Likewise, if you have deployed the server certificate on devices, the certificate automatically updates on the next deployment.