Upload, update, and renew certificates
We recommend that you list the certificates needed for your Endpoint Management deployment. Use the list to track the certificate expiration dates and passwords. This article helps you administer certificates throughout their lifespan.
Your environment might include the following certificates:
- Endpoint Management server
  - SSL Certificate for MDM FQDN (needed if you migrated from XenMobile Server to Endpoint Management; otherwise, Citrix manages this certificate)
  - SAML Certificate (for Citrix Files)
  - Root and Intermediate CA Certificates for the preceding certificates and any other internal resources (StoreFront/Proxy, and so on)
  - APNs Certificate for iOS Device Management
  - PKI User Certificate for connectivity to PKI (required if your environment requires certificate-based authentication)
- MDX Toolkit
  - Apple Developer Certificate
  - Apple Provisioning Profile (per application)
  - Apple APNs Certificate (for use with Citrix Secure Mail)
  - Android Keystore File
  The MAM SDK doesn't wrap apps, so it doesn't require a certificate.
- Citrix Gateway
  - SSL Certificate for MDM FQDN
  - SSL Certificate for Gateway FQDN
  - SSL Certificate for ShareFile SZC FQDN
  - SSL Certificate for Exchange Load Balancing (offload configuration)
  - SSL Certificate for StoreFront Load Balancing
  - Root and Intermediate CA Certificates for the preceding certificates
Note:
The client device must have the root/intermediate certificate that is needed to establish trust with the certificate authority that issued the server certificate. Otherwise, you may receive SSL Error 61. To resolve the issue:
- Download or obtain the root/intermediate certificate file (.crt or .cer) issued by your SSL certificate provider. Usually the root, intermediate, and server certificates are all present in the certificate bundle that your SSL certificate provider supplies.
- Install the root/intermediate certificate on the client device.
- If antivirus software is installed on the client device, make sure that it also trusts the certificate (products that inspect TLS traffic keep a trust store of their own).
Upload certificates
Each certificate you upload has an entry in the Certificates table, including a summary of its contents. When you configure a PKI integration component that requires a certificate, you choose one of the uploaded server certificates that meets that component's requirements. For example, to integrate Endpoint Management with your Microsoft certificate authority (CA), the connection to the Microsoft CA must be authenticated with a client certificate, so you select a server certificate for which Endpoint Management holds the private key.
Endpoint Management doesn't hold, and doesn't need, the private key for every uploaded certificate. A CA certificate that is only used to verify signatures or to be pushed to devices is uploaded without its key; a certificate with which Endpoint Management authenticates itself, such as the client certificate for the Microsoft CA connection, must be uploaded together with its private key.
This section provides general procedures for uploading certificates. For details about creating, uploading, and configuring client certificates, see Client certificate or certificate plus domain authentication.
You have two options for uploading certificates:
- Upload the certificates to the console individually.
- Perform a bulk upload of certificates using the REST API. This option is available for iOS devices only.
When uploading certificates to the console, you can:
- Import a keystore. Then, you identify the entry in the keystore repository you want to install, unless you are uploading a PKCS #12 format.
- Import a certificate.
You can upload the CA certificate (without the private key) that the CA uses to sign requests. You can also upload an SSL client certificate (with the private key) for client authentication.
When configuring the Microsoft CA entity, you specify the CA certificate. You select the CA certificate from a list of all server certificates that are CA certificates. Likewise, when configuring client authentication, you can select from a list of all the server certificates for which Endpoint Management has the private key.
To import a keystore
A keystore is a repository of security certificates. By design, keystores can contain multiple entries. When loading from a keystore, you must specify the entry alias that identifies the entry you want to load. If you don’t specify an alias, the first entry from the store loads. Because PKCS #12 files usually contain only one entry, the alias field doesn’t appear when you select PKCS #12 as the keystore type.
In the Endpoint Management console, click the gear icon in the upper-right corner of the console. Use the search bar to find and open the Certificates setting.
Click Import. The Import dialog box appears.
Configure these settings:
- Import: Select Keystore.
- Keystore type: In the list, click PKCS #12.
- Use as: In the list, click how you plan to use the certificate. The available options are:
- Server: Server certificates are certificates used functionally by Endpoint Management. You upload server certificates to the Endpoint Management web console. Those certificates include CA certificates, RA certificates, and certificates for client authentication with other components of your infrastructure. In addition, you can use server certificates as storage for certificates you want to deploy to devices. This use especially applies to CAs used to establish trust on the device.
- SAML: A Security Assertion Markup Language (SAML) signing certificate, used to provide single sign-on (SSO) access to servers, websites, and apps.
- APNs: An APNs certificate from Apple, which enables mobile device management through the Apple Push Notification service.
- SSL Listener: The server certificate that the Endpoint Management TLS (SSL) listener presents to connecting clients, that is, the SSL Certificate for the MDM FQDN listed earlier.
- Keystore file: Browse to find the keystore you want to import. The keystore is a .p12 or .pfx file. Select the file and click Open.
- Password: Type the password that protects the keystore file.
- Description: Optionally, type a description for the keystore to help you distinguish it from your other keystores.
Click Import. The keystore is added to the Certificates table.
To import a certificate
When importing a certificate, Endpoint Management attempts to construct a certificate chain from the input. It imports every certificate in the chain and creates a server certificate entry for each one. This works only if the certificates in the file or keystore entry actually form a chain: each certificate after the first must be the issuer of the certificate before it.
You can add an optional description for the imported certificate. The description only attaches to the first certificate in the chain. You can update the description of the remaining certificates later.
In the Endpoint Management console, click the gear icon in the upper-right corner of the console. Use the search bar to find and open the Certificates setting.
On the Certificates page, click Import. The Import dialog box appears. Configure the following:
- Import: click Certificate.
- Use as: Select how you plan to use the certificate. The available options are:
- Server: Server certificates are certificates used functionally by Endpoint Management. You upload server certificates to the Endpoint Management web console. Those certificates include CA certificates, RA certificates, and certificates for client authentication with other components of your infrastructure. In addition, you can use server certificates as storage for certificates you want to deploy to devices. This option especially applies to CAs used to establish trust on the device.
- SAML: A Security Assertion Markup Language (SAML) signing certificate, used to provide single sign-on (SSO) access to servers, websites, and apps.
- SSL Listener: The server certificate that the Endpoint Management TLS (SSL) listener presents to connecting clients, that is, the SSL Certificate for the MDM FQDN listed earlier.
- Certificate import: Browse to find the certificate you want to import. Select the file and click Open.
- Private key file: Browse to find an optional private key file for the certificate. Supply the key when Endpoint Management must use the certificate itself, for example to authenticate to another component; leave it out for CA certificates that are only used to verify signatures or to be deployed to devices. Select the file and click Open.
- Description: Type a description for the certificate, optionally, to help you identify it from your other certificates.
Click Import. The certificate is added to the Certificates table.
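The chain rule above is easy to get wrong when a CA hands you several files at once. The following is an added example, not Citrix code: it orders a set of certificate files into the leaf-to-root sequence the import expects, names the missing issuer when an intermediate is absent (the case in which the import does not work), and computes the days to expiry that the inventory recommended at the top of this article needs. Rather than parsing X.509 itself, it reads the text that openssl x509 -noout -subject -issuer -enddate prints for each file; the OpenSSL 1.1 or later output format is assumed, and the file names, DNs and dates below are constructed.

```python
"""Order certificate files into the chain that the Endpoint Management import
expects (leaf first, each certificate issued by the next, ending at the root)
and report days to expiry. Added example, not Citrix code.

Input is the text printed by this shell loop (OpenSSL 1.1 or later output
format is assumed):
    for f in *.crt; do echo "== $f"; \
        openssl x509 -in "$f" -noout -subject -issuer -enddate; done > bundle.txt
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of that loop's output: a server certificate, its issuing
# CA and the root, deliberately listed out of order.
SAMPLE_BUNDLE = """\
== root.crt
subject=C = US, O = Example Corp, CN = Example Root CA
issuer=C = US, O = Example Corp, CN = Example Root CA
notAfter=Jan  1 00:00:00 2035 GMT
== mdm.crt
subject=C = US, O = Example Corp, CN = mdm.example.com
issuer=C = US, O = Example Corp, CN = Example Issuing CA 1
notAfter=Mar 15 12:00:00 2026 GMT
== intermediate.crt
subject=C = US, O = Example Corp, CN = Example Issuing CA 1
issuer=C = US, O = Example Corp, CN = Example Root CA
notAfter=Jan  1 00:00:00 2030 GMT
"""


@dataclass
class CertInfo:
    file: str
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(Exception):
    """The files do not form one unbroken chain."""


def parse_bundle(text: str) -> list[CertInfo]:
    """Turn each '== file' block with subject=/issuer=/notAfter= lines into a record."""
    certs = []
    for block in re.split(r"^== ", text, flags=re.MULTILINE)[1:]:
        lines = block.splitlines()
        fields = {}
        for line in lines[1:]:
            if "=" in line:
                key, _, value = line.partition("=")  # DNs contain '=' too; split once
                fields[key.strip()] = value.strip()
        not_after = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y %Z")
        certs.append(CertInfo(lines[0].strip(), fields["subject"], fields["issuer"],
                              not_after.replace(tzinfo=timezone.utc)))
    return certs


def order_chain(certs: list[CertInfo]) -> list[CertInfo]:
    """Return the certificates leaf first, ending at a self-signed root.

    Matching is issuer DN == subject DN, which is what openssl printed. A full
    chain builder also compares Authority/Subject Key Identifiers, so two CAs
    that share a DN (cross-signing) would need that extra check.
    """
    by_subject = {c.subject: c for c in certs}
    if len(by_subject) != len(certs):
        raise ChainError("two files share the same subject DN")
    issued = {c.issuer for c in certs if not c.self_signed}
    starts = [c for c in certs if not c.self_signed and c.subject not in issued]
    if not starts:
        if len(certs) == 1:  # a lone root CA is a valid import on its own
            return list(certs)
        raise ChainError("no chain start: only self-signed or mutually issued certificates")
    if len(starts) > 1:
        raise ChainError("more than one chain start: " + ", ".join(c.file for c in starts))
    chain, current = [], starts[0]
    while True:
        chain.append(current)
        if current.self_signed:
            return chain
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            raise ChainError(f"{current.file}: issuer is not in the bundle: {current.issuer}")
        if nxt in chain:
            raise ChainError(f"{nxt.file}: issuer loop")
        current = nxt


def expiry_report(text: str, now_iso: str) -> list[tuple[str, int]]:
    """(file, days left) for the ordered chain, relative to an ISO 8601 timestamp."""
    now = datetime.fromisoformat(now_iso)
    return [(c.file, (c.not_after - now).days) for c in order_chain(parse_bundle(text))]


if __name__ == "__main__":
    for name, days in expiry_report(SAMPLE_BUNDLE, datetime.now(timezone.utc).isoformat()):
        print(f"{name:18} {days:5d} days left")
```

Run it against the real bundle.txt before importing, and concatenate the files in the order it prints. A bundle from which it reports "issuer is not in the bundle" is exactly the case in which the console import creates entries for only part of the chain, so fetch the named issuer from the CA first.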
Upload certificates in bulk using the REST API
Sometimes uploading certificates one at a time isn't practical. In those cases, perform a bulk upload of certificates using the REST API. This method supports certificates in the .p12 format. For more information about the REST API, see REST APIs.
Rename each certificate file in the format device_identity_value.p12, where device_identity_value is the IMEI, serial number, or MEID of the device that is to receive the certificate. For example, if you use serial numbers as your identification method and one device has the serial number A12BC3D4EFGH, name the certificate file that you expect to install on that device A12BC3D4EFGH.p12.
Create a text file to store the passwords for the .p12 certificates. In that file, type the device identifier and password for each device on a new line, in the format device_identity_value=password. For example (these lines use the certificate file name, including its .p12 extension, as the identifier):
A12BC3D4EFGH.p12=password1!
A12BC3D4EFIJ.p12=password2@
A12BC3D4EFKL.p12=password3#
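Before calling the REST API, check that the file names and the password file line up, because a single mismatch only shows up when that one device's upload fails. The following is an added example, not Citrix code and not the REST API call itself (which this page does not document): it validates each identifier by shape (an IMEI with its Luhn check digit, an MEID, or a serial number), accepts either the bare identifier or the file name on the left of the = as the page's example does, pairs files with passwords, and lists what to fix. The file names, identifiers and passwords are constructed, and the identifier patterns are assumptions, not Endpoint Management rules.

```python
"""Validate the renamed .p12 files and the password file before a bulk upload,
so that one bad entry does not stop the upload part way through. Added example,
not Citrix code: the file names, identifiers and passwords are constructed, and
the IMEI check-digit rule (Luhn) is a property of IMEIs, not a requirement of
the Endpoint Management REST API.
"""
import re

IMEI_RE = re.compile(r"^\d{15}$")                           # 15 digits, Luhn check digit last
MEID_RE = re.compile(r"^[0-9A-F]{14}$", re.IGNORECASE)      # 14 hex digits
SERIAL_RE = re.compile(r"^[A-Z0-9]{8,20}$", re.IGNORECASE)  # alphanumeric serial numbers (assumed shape)

# Constructed input: a directory listing and the matching password file.
SAMPLE_FILES = [
    "A12BC3D4EFGH.p12",
    "A12BC3D4EFIJ.p12",
    "490154203237518.p12",  # well-formed IMEI
    "490154203237519.p12",  # IMEI with a wrong check digit (a typo)
    "lost-device.p12",      # not a device identifier at all
]
SAMPLE_PASSWORD_FILE = """\
A12BC3D4EFGH.p12=password1!
A12BC3D4EFIJ=password2@
490154203237518=p=ss3#
490154203237519=password4$
NOFILE123456=password5%
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which the 15th digit of an IMEI satisfies."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_identifier(value: str) -> str:
    """imei / imei-bad-checksum / meid / serial / invalid. A 14-character hex-only
    serial is reported as meid; the two cannot be told apart by shape alone."""
    if IMEI_RE.match(value):
        return "imei" if luhn_ok(value) else "imei-bad-checksum"
    if MEID_RE.match(value):
        return "meid"
    if SERIAL_RE.match(value):
        return "serial"
    return "invalid"


def parse_password_file(text: str) -> tuple:
    """Read device_identity_value=password lines. A .p12 suffix on the left, as in
    the page's example, is accepted and dropped; only the first '=' separates the
    fields, so passwords may contain '='. Returns (passwords, problems)."""
    passwords, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: no '=' separator")
            continue
        ident, _, password = line.partition("=")
        ident = re.sub(r"\.p12$", "", ident.strip(), flags=re.IGNORECASE)
        if not password:
            problems.append(f"line {lineno}: empty password for {ident}")
        elif ident in passwords:
            problems.append(f"line {lineno}: duplicate entry for {ident}")
        else:
            passwords[ident] = password
    return passwords, problems


def plan_bulk_upload(filenames, password_text):
    """Pair every .p12 file with its password. Returns (plan, problems), where plan
    is a list of (identifier, kind, file name, password) entries ready to upload."""
    passwords, problems = parse_password_file(password_text)
    plan, seen = [], set()
    for name in filenames:
        if not name.lower().endswith(".p12"):
            problems.append(f"{name}: not a .p12 file, skipped")
            continue
        ident = name[:-4]
        seen.add(ident)
        kind = classify_identifier(ident)
        if kind in ("invalid", "imei-bad-checksum"):
            problems.append(f"{name}: identifier is {kind}")
            continue
        if ident not in passwords:
            problems.append(f"{name}: no password in the password file")
            continue
        plan.append((ident, kind, name, passwords[ident]))
    for ident in passwords:
        if ident not in seen:
            problems.append(f"{ident}: password listed but no {ident}.p12 file")
    return plan, problems


if __name__ == "__main__":
    plan, problems = plan_bulk_upload(SAMPLE_FILES, SAMPLE_PASSWORD_FILE)
    for ident, kind, name, _password in plan:  # never print the passwords
        print(f"ready  {name:24} {kind}")
    for problem in problems:
        print(f"FIX    {problem}")
```

The password file is a credential store for every device certificate in the batch: create it with permissions that only the uploading account can read, keep its contents out of logs (the script prints file names and identifier kinds, never passwords), and delete it as soon as the upload has succeeded.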