XenMobile

PKI entities

A XenMobile Public Key Infrastructure (PKI) entity configuration represents a component performing actual PKI operations (issuance, revocation, and status information). These components are either internal or external to XenMobile. Internal components are referred to as discretionary. External components are part of your corporate infrastructure.

XenMobile supports the following types of PKI entities:

  • Microsoft Certificate Services

  • Discretionary Certificate Authorities (CAs)

XenMobile supports the following CA servers:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2

Common PKI concepts

Regardless of its type, every PKI entity has a subset of the following capabilities:

  • Sign: Issuing a new certificate, based on a Certificate Signing Request (CSR).
  • Fetch: Recovering an existing certificate and key pair.
  • Revoke: Revoking a client certificate.

About CA Certificates

When you configure a PKI entity, indicate to XenMobile which CA certificate is the signer of certificates issued by (or recovered from) that entity. That PKI entity can return (fetched or newly signed) certificates signed by any number of different CAs.

Provide the certificate of each of these CAs as part of the PKI entity configuration. To do so, upload the certificates to XenMobile and then reference them in the PKI entity. For discretionary CAs, the certificate is implicitly the signing CA certificate. For external entities, you must specify the certificate manually.

Important:

When you create a Microsoft Certificate Services Entity template, avoid possible authentication issues with enrolled devices: Don’t use special characters in the template name. For example, don’t use: ! : $ ( ) # % + * ~ ? | { } [ ]

Microsoft Certificate Services

XenMobile interfaces with Microsoft Certificate Services through its web enrollment interface. XenMobile only supports the issuing of new certificates through that interface. If the Microsoft CA generates a Citrix Gateway user certificate, Citrix Gateway supports renewal and revocation for those certificates.

To create a Microsoft CA PKI entity in XenMobile, you must specify the base URL of the Certificate Services web interface. If you choose, use SSL client authentication to secure the connection between XenMobile and the Certificate Services web interface.

Add a Microsoft Certificate Services entity

  1. In the XenMobile console, click the gear icon in the upper-right corner of the console and then click PKI Entities.

  2. On the PKI Entities page, click Add.

    A menu of PKI entity types appears.

  3. Click Microsoft Certificate Services Entity.

    The Microsoft Certificate Services Entity: General Information page appears.

  4. On the Microsoft Certificate Services Entity: General Information page, configure these settings:

    • Name: Type a name for your new entity, which you use later to refer to that entity. Entity names must be unique.
    • Web enrollment service root URL: Type the base URL of your Microsoft CA web enrollment service; for example, https://192.0.2.13/certsrv/. The URL may use plain HTTP or HTTP-over-SSL.
    • certnew.cer page name: The name of the certnew.cer page. Use the default name unless you have renamed it for some reason.
    • certfnsh.asp: The name of the certfnsh.asp page. Use the default name unless you have renamed it for some reason.
    • Authentication type: Choose the authentication method you want to use.
      • None
      • HTTP Basic: Type the user name and password required to connect.
      • Client certificate: Choose the correct SSL client certificate.
  5. Click Test Connection to ensure that the server is accessible. If it is not accessible, a message appears, stating that the connection failed. Check your configuration settings.

  6. Click Next.

    The Microsoft Certificate Services Entity: Templates page appears. On this page, you specify the internal names of the templates your Microsoft CA supports. When creating credential providers, you select a template from the list defined here. Every credential provider using this entity uses exactly one such template.

    For Microsoft Certificate Services template requirements, see the Microsoft documentation for your Microsoft Server version. XenMobile doesn’t have requirements for the certificates it distributes other than the certificate formats noted in Certificates.

  7. On the Microsoft Certificate Services Entity: Templates page, click Add, type the name of the template and then click Save. Repeat this step for each template you want to add.

  8. Click Next.

    The Microsoft Certificate Services Entity: HTTP parameters page appears. On this page, you specify custom parameters for XenMobile to add to the HTTP request to the Microsoft Web Enrollment interface. Custom parameters are useful only for customized scripts running on the CA.

  9. On the Microsoft Certificate Services Entity: HTTP parameters page, click Add, type the name and value of the HTTP parameters you want to add, and then click Next.

    The Microsoft Certificate Services Entity: CA Certificates page appears. On this page, you must inform XenMobile of the signers of the certificates that the system obtains through this entity. When your CA certificate is renewed, update it in XenMobile. XenMobile applies the change to the entity transparently.

  10. On the Microsoft Certificate Services Entity: CA Certificates page, select the certificates you want to use for this entity.

  11. Click Save.

    The entity appears on the PKI Entities table.

Citrix ADC Certificate Revocation List (CRL)

XenMobile supports Certificate Revocation List (CRL) only for a third-party Certificate Authority. If you have a Microsoft CA configured, XenMobile uses Citrix ADC to manage revocation.

When you configure client certificate-based authentication, consider whether to configure the Citrix ADC Certificate Revocation List (CRL) setting, Enable CRL Auto Refresh. This step ensures that the user of a device in MAM-only mode can’t authenticate using an existing certificate on the device.

XenMobile reissues a new certificate, because it doesn’t restrict a user from generating a user certificate after one is revoked. This setting increases the security of PKI entities when the CRL checks for expired PKI entities.

Discretionary CAs

A discretionary CA is created when you provide XenMobile with a CA certificate and the associated private key. XenMobile handles certificate issuance, revocation, and status information internally, according to the parameters you specify.

When configuring a discretionary CA, you can activate Online Certificate Status Protocol (OCSP) support for that CA. If, and only if, you enable OCSP support, the CA adds the extension id-pe-authorityInfoAccess to the certificates that the CA issues. The extension points to the XenMobile internal OCSP Responder at the following location:

https:////ocsp

When configuring the OCSP service, specify an OCSP signing certificate for the discretionary entity in question. You can use the CA certificate itself as the signer. To avoid the unnecessary exposure of your CA private key (recommended): Create a delegate OCSP signing certificate, signed by the CA certificate, and include this extension: id-kp-OCSPSigning extendedKeyUsage.

The XenMobile OCSP Responder supports basic OCSP responses and the following hashing algorithms in requests:

  • SHA-1
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512

Responses are signed with SHA-256 and the signing certificate key algorithm (DSA, RSA, or ECDSA).
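As an added example (not Citrix code), the following Go check is one a PKI administrator could run over certificates exported from a discretionary CA to confirm the two properties described above: the delegate OCSP signer chains to the CA and carries an explicit id-kp-OCSPSigning extendedKeyUsage, and certificates the CA issues carry an id-pe-authorityInfoAccess pointer to the responder. The CA, signer and client certificate are constructed in memory, and the responder URL is an assumed placeholder because the page's own URL template is elided.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (self-signed when parent is nil); demo data only, so errors are ignored.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckOCSPSetup: the delegate signer chains to the CA with an explicit id-kp-OCSPSigning EKU, and the issued certificate's AIA names the responder.
func CheckOCSPSetup(ca, signer, issued *x509.Certificate, ocspURL string) error {
	if len(signer.ExtKeyUsage) == 0 { // Verify treats "no EKU" as unconstrained; RFC 6960 wants it explicit
		return fmt.Errorf("OCSP signing certificate %q has no extendedKeyUsage", signer.Subject.CommonName)
	}
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}}
	opts.Roots.AddCert(ca)
	if _, err := signer.Verify(opts); err != nil { // bad chain, expiry, or an EKU set lacking OCSPSigning
		return fmt.Errorf("OCSP signing certificate rejected: %w", err)
	}
	if len(issued.OCSPServer) != 1 || issued.OCSPServer[0] != ocspURL {
		return fmt.Errorf("%s: AIA OCSP URL %v, want %q", issued.Subject.CommonName, issued.OCSPServer, ocspURL)
	}
	return nil
}

// BuildDemo makes an in-memory CA, a delegate OCSP signer with the given EKUs, and one client certificate whose AIA points at ocspURL (constructed data).
func BuildDemo(ocspURL string, signerEKU ...x509.ExtKeyUsage) (ca, signer, leaf *x509.Certificate) {
	tmpl := func(serial int64, cn string, ku x509.KeyUsage, aia []string, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: ku, OCSPServer: aia,
			IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, ExtKeyUsage: eku}
	}
	ca, caKey := issue(tmpl(1, "Demo Discretionary CA", x509.KeyUsageCertSign, nil), nil, nil)
	signer, _ = issue(tmpl(2, "Demo OCSP Signer", x509.KeyUsageDigitalSignature, nil, signerEKU...), ca, caKey)
	leaf, _ = issue(tmpl(3, "user1", x509.KeyUsageDigitalSignature, []string{ocspURL}, x509.ExtKeyUsageClientAuth), ca, caKey)
	return
}
```

Calling CheckOCSPSetup with a signer that has no extendedKeyUsage, a signer whose EKU set lacks OCSPSigning, a signer from a different CA, or a certificate whose AIA names another URL returns an error in each case.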

Add discretionary CAs

  1. In the XenMobile console, click the gear icon in the upper-right corner of the console and then click More > PKI Entities.

  2. On the PKI Entities page, click Add.

    A menu of PKI entity types appears.

  3. Click Discretionary CA.

    The Discretionary CA: General Information page appears.

  4. On the Discretionary CA: General Information page, do the following:

    • Name: Type a descriptive name for the discretionary CA.
    • CA certificate to sign certificate requests: Click a certificate for the discretionary CA to use to sign certificate requests.

      This list of certificates is generated from the CA certificates with private keys you uploaded to XenMobile at Configure > Settings > Certificates.

  5. Click Next.

    The Discretionary CA: Parameters page appears.

  6. On the Discretionary CA: Parameters page, do the following:

    • Serial number generator: The discretionary CA generates serial numbers for the certificates it issues. From this list, click Sequential or Non-sequential to determine how the numbers are generated.
    • Next serial number: Type a value to determine the next number issued.
    • Certificate valid for: Type the number of days the certificate is valid.
    • Key usage: Identify the purpose of the certificates issued by the discretionary CA by setting the appropriate keys to On. Once set, the CA is limited to issuing certificates for those purposes.
    • Extended key usage: To add more parameters, click Add, type the key name and then click Save.
  7. Click Next.

    The Discretionary CA: Distribution page appears.

  8. On the Discretionary CA: Distribution page, select a distribution mode:

    • Centralized: server-side key generation. Citrix recommends the centralized option. The private keys are generated and stored on the server and distributed to user devices.
    • Distributed: device-side key generation. The private keys are generated on the user devices. This distributed mode uses SCEP and requires an RA encryption certificate with the keyUsage keyEncryption extension and an RA signing certificate with the keyUsage digitalSignature extension. You can use the same certificate for both encryption and signing.
  9. Click Next.

    The Discretionary CA: Online Certificate Status Protocol (OCSP) page appears.

    On the Discretionary CA: Online Certificate Status Protocol (OCSP) page, do the following:

    • If you want to add an AuthorityInfoAccess (RFC2459) extension to the certificates signed by this CA, set Enable OCSP support for this CA to On. This extension points to the CA OCSP responder at https:////ocsp.
    • If you enabled OCSP support, select an OCSP signing CA certificate. This list of certificates is generated from the CA certificates you uploaded to XenMobile.
  10. Click Save.

    The discretionary CA appears on the PKI Entities table.
