Private Key Requirements
XenMobile may or may not possess the private key for a given certificate. Likewise, XenMobile may or may not require a private key for certificates you upload.
Uploading Certificates to the Console
You can upload the CA certificate (without the private key) that the CA uses to sign requests, and you can upload an SSL client certificate (with the private key) for client authentication. When configuring the Microsoft CA entity, you need to specify the CA certificate, which you can then select from a list of all server certificates that are CA certificates. Likewise, when configuring client authentication, you can select from a list of all the server certificates for which XenMobile has the private key.
XenMobile supports the following input formats for certificates:
Keystores, by design, can contain multiple entries. When loading from a keystore, therefore, you are prompted to specify the entry alias identifying the entry you want to load. If you do not specify an alias, the first entry from the store is loaded. Because PKCS#12 files usually contain only one entry, the alias field does not appear when you select PKCS#12 as the keystore type.
The Import dialog box appears.
The Import dialog box changes to reflect available keystore options, as shown in the preceding figure.
When importing a certificate, either from a file or a keystore entry, XenMobile attempts to construct a certificate chain from the input, and imports all certificates in that chain (creating a server certificate entry for each). This operation works only if the certificates in the file or keystore entry actually form a chain, that is, each subsequent certificate in the chain is the issuer of the previous certificate.
You can add an optional description for the imported certificate for heuristic purposes. The description only attaches to the first certificate in the chain. You can update the description of the remaining certificates later.
The Import dialog box changes to reflect available certificate options.
XenMobile only allows one certificate per public key to exist in the system at any given time. If you attempt to import a certificate for the same key pair as an already imported certificate, you have the option to either replace the existing entry or to delete the entry.
To update your certificates most effectively, import the new certificate in the Import dialog box, under Configure > Settings > Certificates in the XenMobile console. When you update a server certificate, components that were using the previous certificate automatically switch to using the new certificate. Likewise, if you have deployed the server certificate on devices, the certificate automatically updates on the next deployment.