Install a TLS certificate on your server

The XenServer host comes installed with a default TLS certificate. However, to use HTTPS to secure communication between XenServer and Citrix Virtual Apps and Desktops, install a certificate provided by a trusted certificate authority.

This article contains information about how to use certificates in XenCenter. For information about working with certificates by using the xe CLI, see Hosts and resource pools.

Ensure that your TLS certificate and its private key meet the following requirements:

  • The certificate and key pair use an RSA key
  • The key matches the certificate
  • The key is provided in a separate file to the certificate
  • The certificate is provided in a separate file to any intermediate certificates
  • The key file must be one of the following types: .pem or .key
  • Any certificate files must be one of the following types: .pem, .cer, or .crt
  • The key is greater than or equal to 2,048 bits and less than or equal to 4,096 bits in length
  • The key is an unencrypted PKCS #8 key and is not protected by a passphrase
  • The key and certificate are in base-64 encoded ‘PEM’ format
  • The certificate is valid and has not expired
  • The signature algorithm is SHA-2 (SHA256)

XenCenter warns you when the certificate and key you choose do not meet these requirements.
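The following shell function, added here as an example and not part of XenCenter or XenServer, runs the checks listed above against a key file and a certificate file using the openssl CLI before you upload them; the 30-day expiry warning threshold is an assumption.

```shell
#!/bin/sh
# Pre-flight check of a key/certificate pair against the XenCenter requirements.
# Usage: check_xs_cert KEY_FILE CERT_FILE   (exit status 0 = every check passed)
check_xs_cert() {
    key="$1"; cert="$2"; rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    # Separate files, each with one of the accepted extensions
    [ "$key" != "$cert" ] || fail "key and certificate must be in separate files"
    case "$key" in *.pem|*.key) ;; *) fail "key file must be .pem or .key" ;; esac
    case "$cert" in *.pem|*.cer|*.crt) ;; *) fail "certificate must be .pem, .cer or .crt" ;; esac

    # Unencrypted PKCS #8 PEM key: "BEGIN ENCRYPTED PRIVATE KEY" means a passphrase
    # is set, and "BEGIN RSA PRIVATE KEY" is the older PKCS #1 wrapper, not PKCS #8
    grep -q '^-----BEGIN PRIVATE KEY-----' "$key" || fail "key is not an unencrypted PKCS #8 PEM key"
    grep -q '^-----BEGIN CERTIFICATE-----' "$cert" || fail "certificate is not PEM encoded"

    # RSA key of 2048..4096 bits: openssl prints "Modulus=<hex>", 4 bits per hex digit
    mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null || true)
    if [ -z "$mod" ]; then
        fail "key is not an RSA key"
    else
        bits=$(( (${#mod} - 8) * 4 ))   # drop the 8-character "Modulus=" prefix
        [ "$bits" -ge 2048 ] && [ "$bits" -le 4096 ] || fail "RSA key is $bits bits; need 2048-4096"
    fi

    # The key must belong to the certificate: compare the public keys they carry
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] || fail "key does not match certificate"

    # Certificate not expired; warn when it expires within 30 days (assumed threshold)
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || fail "certificate has expired"
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
        || echo "WARN: certificate expires within 30 days"

    # Signature algorithm must be SHA-256
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'Signature Algorithm: sha256' \
        || fail "signature algorithm is not SHA-256"

    [ "$rc" -eq 0 ] && echo "OK: $key and $cert meet the requirements"
    return "$rc"
}
```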

Install a certificate

You can use XenCenter to install a certificate that is on the XenCenter system into a XenServer host.

To install a certificate on a XenServer host, you must have the Pool Admin role and the XenServer host must not have HA enabled.

  1. Go to the Install Certificates dialog. You can get to this dialog in one of the following ways:

    • In the Server menu, select Install Certificates.
    • Right-click on the host in the resources pane and choose Install Certificates from the context menu.
    • In the General tab of the host, right-click on the Certificates section and choose Install Certificates from the context menu.
  2. In the Install Certificates dialog, browse to the location of the private key file and select it.
  3. Browse to the location of the server certificate file and select it.
  4. You can choose to add any number of intermediate certificates from the certificate chain.

    1. Click Add.
    2. Browse to the location of one or more intermediate certificates and select them.
  5. Click Install.

    XenCenter validates and installs the certificates.

    • If there is a problem with a certificate, XenCenter shows an error message. Attempt to correct the problem and click Install again.
    • If the certificate is installed successfully, XenCenter shows a success message. You can now click Close to close the dialog.

When the certificate on a XenServer host is changed, the host closes any open connections. XenCenter expects this behavior and reopens the connection with the XenServer host. However, you might have to manually reopen any other connections that were previously open to the host - for example, from another API client or the remote xe CLI.

View certificate information

In the General tab for a XenServer host, a section called Certificates displays the following information for the host:

  • The certificate validity period. This text appears red when the certificate is approaching its expiry date.
  • The certificate thumbprint

The General tab for a XenServer pool displays the following information for the pool:

  • The General section has an entry for Certificate Verification which shows whether certificate verification is enabled or disabled.
  • The Certificates section lists the name, validity, and thumbprint for the CA certificates.

Enabling certificate verification for your pool

Certificate verification is enabled by default on fresh installations of XenServer 8 and later. For more information, see Certificate verification.

If you upgrade from an earlier version of XenServer, certificate verification is not enabled automatically and you must enable it. XenCenter prompts you to enable certificate verification the next time you connect to the upgraded pool.

Before enabling certificate verification on a pool, ensure that no operations are running in the pool.

XenCenter provides several ways to enable certificate verification.

  • When you first connect XenCenter to a pool that does not have certificate verification enabled, you are prompted to enable it. Click Yes, Enable certificate verification.
  • In the Pool menu, select Enable Certificate Verification.
  • On the General tab of the pool, right-click the entry Certificate Verification and choose Enable Certificate Verification from the menu.

Reset server identity certificates

You can reset the server identity certificate from XenCenter or the xe CLI. Resetting a certificate deletes the certificate from the host and installs a new self-signed certificate in its place.

To reset a certificate in XenCenter:

  1. Go to the General tab for the host.
  2. In the Certificates section, right-click on the certificate you want to reset.
  3. From the menu, select Reset Certificate.
  4. In the dialog that appears, click Yes to confirm the certificate reset.

Alternatively, in the Server menu, you can go to Certificate > Reset Certificate.

When you reset a certificate, any existing connections to the XenServer host are disconnected — including the connection between XenCenter and the host.

For information about resetting a certificate by using the xe CLI, see Certificate verification.

Certificate alerts

When your certificates are nearing their expiry date, XenCenter shows alerts in the Alerts section of the Notifications tab. You can choose to open the Install Certificates dialog from the action menu of these alerts.

For more information about alerts, see XenCenter Alerts.
