
Update XenMobile SSL listener certificate


Jeroen vanKeimpema

Question

7 answers to this question


  • 2

Hi there,

 

For the SSL Listener Cert for XenMobile, there is no need to keep the private key the same when it comes time to renew or replace the cert.

I have been meaning to update the article you have linked to but have not gotten around to it just yet.

 

As with any web server, the vendor of the SSL certificate can be changed if desired, as can the name on the cert itself (for example, swapping from a wildcard cert to a single name cert, or vice-versa).

Apple publishes a list of the public Root Certs it trusts at https://support.apple.com/en-us/HT208125 so you can confirm that your SSL vendor Root Cert is listed there.

What will not work for the SSL Listener is a certificate with an incorrect name, an invalid date or invalid key size.

 

Swapping the private key over for a new one when renewing the SSL listener cert will not cause any issue.

This is something that is done quite regularly in my lab environment (most recently only last week, swapping over from a self-signed SSL listener certificate to a publicly trusted one).

 

Note that the APNs certificate must not be replaced but instead must be renewed (this is for Apple devices only) - this cert is one which should definitely not be allowed to expire as all Apple devices would need to re-enrol.

 

I hope this advice helps!

 

Thanks,

David

 

  • Like 2
Link to comment
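A pre-install check for the three failure conditions named in the post above (incorrect name, invalid date, invalid key size), as an added example that is not part of the original post or of Citrix's tooling. It assumes the `openssl` command line tool and a PEM certificate; the host name `mdm.example.test`, the helper names and the 2048-bit default minimum are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: check a replacement SSL listener certificate before install.
# Usage: check_listener_cert <cert.pem> <server-fqdn> [min-key-bits]
# min-key-bits defaults to 2048, an assumed policy value (not from the thread).
check_listener_cert() {
    cert=$1; fqdn=$2; min_bits=${3:-2048}; rc=0

    # Name: -checkhost prints "does match" or "does NOT match certificate".
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match'; then
        echo "FAIL name: certificate does not cover $fqdn"; rc=1
    fi

    # Date: -checkend 0 exits non-zero when the certificate has already expired.
    # (A not-yet-valid start date is not covered by this check.)
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL date: certificate has expired"; rc=1
    fi

    # Key size: read the bit length from the "Public-Key: (N bit)" line.
    # The default threshold is meant for RSA keys.
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL key size: ${bits:-unknown} bits, need at least $min_bits"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: name, expiry and key size ($bits bits) pass for $fqdn"
    return "$rc"
}

# Constructed sample input: a throwaway self-signed certificate for a made-up
# host name, written to the path given as $1 (private key goes to $1.key).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=mdm.example.test" -days 30 >/dev/null 2>&1
}

# Run directly: ./check.sh new-listener.pem <server-fqdn> [min-key-bits]
if [ "$#" -ge 2 ]; then
    check_listener_cert "$@"
fi
```

Whether the issuing root is on Apple's trusted list still has to be confirmed against the Apple page linked in the post; this script does not check the chain.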
  • 0
15 hours ago, Ryan Tsamouris said:

For cert renewals, the private key must be the same or mobile devices will not accept the connection. You would have to re-enroll every device. Either request the cert from the same Certificate Authority (if you use one internal to your company), or use the same server that generated the original CSR to create a new one using the same private key.

Hi Ryan, Thanks for the answer! I just went back to the website and it seems Citrix changed it on March 31st. Is the requirement still relevant?

Link to comment
  • 0
On 4/3/2018 at 2:01 AM, David Egan1709157332 said:

Hi there,

 

For the SSL Listener Cert for XenMobile, there is no need to keep the private key the same when it comes time to renew or replace the cert.

I have been meaning to update the article you have linked to but have not gotten around to it just yet.

 

As with any web server, the vendor of the SSL certificate can be changed if desired, as can the name on the cert itself (for example, swapping from a wildcard cert to a single name cert, or vice-versa).

Apple publishes a list of the public Root Certs it trusts at https://support.apple.com/en-us/HT208125 so you can confirm that your SSL vendor Root Cert is listed there.

What will not work for the SSL Listener is a certificate with an incorrect name, an invalid date or invalid key size.

 

Swapping the private key over for a new one when renewing the SSL listener cert will not cause any issue.

This is something that is done quite regularly in my lab environment (most recently only last week, swapping over from a self-signed SSL listener certificate to a publicly trusted one).

 

Note that the APNs certificate must not be replaced but instead must be renewed (this is for Apple devices only) - this cert is one which should definitely not be allowed to expire as all Apple devices would need to re-enrol.

 

I hope this advice helps!

 

Thanks,

David

 

 

Hi David and Ryan,

 

I have to update the SSL LISTENER Cert on XenMobile server. Do the devices have to be re-enrolled? 

 

Thanks in advance

Link to comment
