Import a 3rd Party Certificate Into XenMobile

ActiveSync, Blackberry, Xenmobile

To replace the default certificate that comes with XenMobile with a 3rd party one, from say Digicert, there are a couple of steps that you need to take.  None of these are hard, but are not well documented anywhere.  First you need to have a PFX file that has your root CA, intermediate CA and regular certificate included in it.  It should also be protected by a password.  The easy way to create this is to use an existing windows server that has the certificate installed.  Open of the Certificate snapin and browse to the local computer.

The following was done with XenMobile 8.6 but also applies to XenMobile 8.5.  It was also done with a wildcard certificate but the process should be the same for a SAN or regular certificate.

 

Navigate to Personal->Certificates.  As you can see I have the following certificate that I want to export:

 

first 

Click on the Details tab, and select copy to file

second to last

Select Yes, export the private key

image

 

Select the option to Include all certificates in the certification path if possible

image

Enter in a password to secure the file, and finally export:

image

Copy that file to the XenMobile Device Manager Server.  In our example we will copy it to a folder on the C drive called ExternalSSL.  Rename the extension to be p12 instead of pfx:

image

Next, to make your life easy, download the certificate utility from Digicert at https://www.digicert.com/util/.  When you run it you’ll get the following screen, and select Import in the upper right:

image

Browse to, and select the certificate we copied over earlier:

image

Next you need to enter the same password you put in when you exported the certificate above:

image

Enter a friendly name for the certificate.  This is simply so you can better label it:

 

digit

Select Finish, and you should get a message that the import was successful:

image

 

Now on the device manager server, navigate to the tomcat directory, which if your on an x64 server is the following path:

C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat

We have to edit two files.  The first one is C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF\classes\pki.xml

Open the file in WordPad.  At the bottom of the file, but before the </beans> section paste the following info:

<bean id=”externalSslCert” class=”com.sparus.nps.pki.def.KeyStoreParams”

p:keyStoreType=”PKCS12″

p:keyStorePath=“C:\ExternalSSL\xenmobile.p12”

p:entryAlias=””

p:keyStorePass=“password”

p:publiclyTrusted=”true”

/>

Note the highlighted sections.  The first is the path to the certificate file, the next is the password from when we exported it. 

Save and close the file.

The next file we are going to edit is C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\server.xml

Again open the file in wordpad. 

Find the following section, and replace the highlighted section to match the same as above

<Connector
            port=”443″
            maxHttpHeaderSize=”8192″
            maxThreads=”400″
            enableLookups=”false”
            redirectPort=”-1″
            acceptCount=”100″
            connectionTimeout=”30000″
            disableUploadTimeout=”true”
            maxKeepAliveRequests=”-1″
            protocol=”org.apache.coyote.http11.Http11NioProtocol”
            scheme=”https”
            secure=”true”

            clientAuth=”want”
            SSLEnabled=”true”
            truststoreFile=”C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\cacerts.pem.jks”
            truststoreType=”JKS”
            truststorePass=”notMeaningFul”
            keystoreFile=”C:\ExternalSSL\xenmobile.p12″
            keystorePass=”password”
            keystoreType=”PKCS12″
            ciphers=”TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384″

        />

 

Still in server.xml, do the same with the following section:

<Connector
            port=”8443″
            maxHttpHeaderSize=”8192″
            maxThreads=”20″
            enableLookups=”false”
            redirectPort=”-1″
            acceptCount=”100″
            connectionTimeout=”30000″
            disableUploadTimeout=”true”
            maxKeepAliveRequests=”-1″
            protocol=”org.apache.coyote.http11.Http11NioProtocol”
            scheme=”https”
            secure=”true”

            clientAuth=”false”
            SSLEnabled=”true”
            truststoreFile=”C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\cacerts.pem.jks”
            truststoreType=”JKS”
            truststorePass=”notMeaningFul”
           keystoreFile=”C:\ExternalSSL\xenmobile.p12″
            keystorePass=”password”

            keystoreType=”PKCS12″
            ciphers=”TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384″

        />

Save and close the file.

Now, restart the XenMobile Device Manager service:

image

After browse to https://localhost/zdm on the Device Manager and you should be able to validate that your certificate was installed.  Note that the tomcat service does spend some time with heavy CPU after a restart and it may be a minute or two until the page comes up:

image

Now all thats left is to publish it in DNS!

Comments;

  1. Pingback: XenMobile Device Manager and SAN Certificates | XenDesktop Guy

  2. Pingback: How to Install XenMobile 8.6 with XenMobile Netscaler Connector and XenMobile Mail Manager–Part 2 | Exchange for the Working Man

Leave a Reply

Your email address will not be published. Required fields are marked *