To replace the default certificate that comes with XenMobile with a third-party one, from say DigiCert, there are a couple of steps that you need to take. None of these are hard, but they are not well documented anywhere. First you need a PFX file that has your root CA, intermediate CA and regular certificate included in it. It should also be protected by a password. The easy way to create this is to use an existing Windows server that has the certificate installed. Open the Certificates snap-in and browse to the local computer store.
The following was done with XenMobile 8.6 but also applies to XenMobile 8.5. It was also done with a wildcard certificate but the process should be the same for a SAN or regular certificate.
Navigate to Personal->Certificates. As you can see I have the following certificate that I want to export:
Click on the Details tab, and select Copy to File:
Select Yes, export the private key
Select the option to Include all certificates in the certification path if possible
Enter a password to secure the file, and finally export:
Copy that file to the XenMobile Device Manager server. In our example we will copy it to a folder on the C drive called ExternalSSL. Rename the extension to .p12 instead of .pfx:
Next, to make your life easy, download the certificate utility from DigiCert at https://www.digicert.com/util/. When you run it you'll get the following screen; select Import in the upper right:
Browse to and select the certificate we copied over earlier:
Next you need to enter the same password you put in when you exported the certificate above:
Enter a friendly name for the certificate. This is simply so you can better label it:
Select Finish, and you should get a message that the import was successful:
Now, on the Device Manager server, navigate to the Tomcat directory, which, if you're on an x64 server, is the following path:
C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat
We have to edit two files. The first one is C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF\classes\pki.xml
Open the file in WordPad. At the bottom of the file, but before the closing </beans> tag, paste the following:
<bean id="externalSslCert" class="com.sparus.nps.pki.def.KeyStoreParams" p:keyStoreType="PKCS12" p:keyStorePath="C:\ExternalSSL\xenmobile.p12" p:entryAlias="" p:keyStorePass="password" p:publiclyTrusted="true" />
Note the two values you must change: the first (keyStorePath) is the path to the certificate file, the second (keyStorePass) is the password from when we exported it.
Save and close the file.
The next file we are going to edit is C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\server.xml
Again, open the file in WordPad.
Find the following Connector section, and update it with the same certificate path and password as above:
<Connector clientAuth="want" />
Still in server.xml, do the same with the following section:
<Connector
    port="8443"
    maxHttpHeaderSize="8192"
    maxThreads="20"
    enableLookups="false"
    redirectPort="-1"
    acceptCount="100"
    connectionTimeout="30000"
    disableUploadTimeout="true"
    maxKeepAliveRequests="-1"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    scheme="https"
    secure="true"
    clientAuth="false"
    SSLEnabled="true"
    truststoreFile="C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\cacerts.pem.jks"
    truststoreType="JKS"
    truststorePass="notMeaningFul"
    keystoreFile="C:\ExternalSSL\xenmobile.p12"
    keystorePass="password"
    keystoreType="PKCS12"
    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
/>
Save and close the file.
Now, restart the XenMobile Device Manager service:
Afterwards, browse to https://localhost/zdm on the Device Manager server and you should be able to validate that your certificate was installed. Note that the Tomcat service does spend some time at high CPU after a restart, so it may be a minute or two until the page comes up:
Now all that's left is to publish it in DNS!
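As an added example (not from the original post), the PowerShell below does the export from the first steps without the MMC wizard, checks that the .p12 really carries the chain, and then performs the validation step just described against ports 443 and 8443 by reading the certificate Tomcat presents. The thumbprint placeholder, the output path and the ports are assumptions; Export-PfxCertificate needs Windows Server 2012 or later.

```powershell
# Added example, not from the original post: export the certificate with its full chain
# to a password-protected .p12 (the CLI equivalent of the MMC export), check that the
# file holds the chain, then confirm Tomcat serves it after the service restart.
# Thumbprint, output path and ports are assumptions; adjust them to your environment.
$thumbprint = 'REPLACE_WITH_THUMBPRINT'      # placeholder: thumbprint from the Details tab
$outFile    = 'C:\ExternalSSL\xenmobile.p12' # same path referenced in pki.xml and server.xml
$pfxPass    = Read-Host -AsSecureString -Prompt 'Password to protect the exported file'

# Step 1: export from the local computer store, including intermediate and root CA
# (equivalent to "Include all certificates in the certification path if possible").
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'No private key in the store; export is not possible' }
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $outFile -Password $pfxPass -ChainOption BuildChain | Out-Null

# Step 2: confirm the PKCS#12 holds the whole chain before pointing pki.xml and server.xml at it.
$bstr  = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPass)
$plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($outFile, $plain, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
"PKCS#12 contains $($bundle.Count) certificate(s):"
$bundle | ForEach-Object { "  $($_.Subject)  issued by $($_.Issuer)" }

# Step 3 (run after restarting the XenMobile Device Manager service): open a TLS connection
# and compare the certificate Tomcat presents with the one exported above.
function Test-ServedCertificate {
    param([string]$HostName = 'localhost', [int]$Port = 443, [string]$ExpectedThumbprint)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during this check: we connect to localhost, so a name
        # mismatch would otherwise abort the handshake before we can inspect what was served.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Port       = $Port
            Subject    = $served.Subject
            Thumbprint = $served.Thumbprint
            Matches    = ($served.Thumbprint -eq $ExpectedThumbprint)
        }
    } finally { $tcp.Close() }
}
Test-ServedCertificate -Port 443  -ExpectedThumbprint $thumbprint
Test-ServedCertificate -Port 8443 -ExpectedThumbprint $thumbprint
```

If Matches is False on either port, Tomcat is still presenting the old certificate; recheck the keystoreFile and keystorePass values in that Connector and restart the service again.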