XenServer

Certificate verification

When certificate verification is enabled for a pool, all TLS communication endpoints on its management network use certificates to validate the identity of their peers before transmitting confidential information.

Behavior

Connections initiated by a XenServer host on the management network require the destination endpoint to provide a TLS certificate to verify its identity. This requirement affects the following items that are part of the pool or interact with the pool:

  • Hosts in the pool
  • XenCenter
  • Third-party clients that use the API

Certificate verification is compatible with both the self-signed certificates provided by XenServer and user-installed certificates signed by a trusted authority. For more information, see Install a TLS certificate on your host.

Each XenServer host in a pool has two certificates that identify it:

  • Pool-internal identity certificates are used to secure communications between hosts within the pool. For communication within the pool, XenServer always uses self-signed certificates.

  • Server identity certificates are used to verify the identity of a XenServer host to any client applications that communicate with the pool on the management network. For communication between the host and a client application, you can use self-signed certificates or you can install your own TLS certificates on your hosts.

When a host first joins the pool or a client first makes a connection to the pool, the pool trusts the connection. During this first connection, certificates are exchanged between the pool and the joining host or the connecting client. For all subsequent communications by this host or client on the management network, the certificates are used to verify the identity of the parties involved in the communication.

We recommend that you enable certificate verification on all your hosts and pools. For a XenServer host to successfully join a pool, both the host and the pool must have certificate verification either enabled or disabled. If certificate verification is enabled on one and not the other, the join operation is not successful. XenCenter provides a warning message that advises you to enable certificate verification on the pool or on the joining host.

When a host leaves a pool with certificate verification enabled, both the host and the pool delete the certificates that relate to the other.

The Workload Balancing virtual appliance can be used with certificate verification. You must ensure that the Workload Balancing self-signed certificates are installed into your XenServer host.

The XenServer Conversion Manager virtual appliance does not connect to XenServer hosts and so is exempt from the certificate checking requirement when it acts as a TLS client endpoint.

Enabling certificate verification for your pool

Certificate verification is enabled by default on fresh installations of XenServer 8 and later. If you upgrade from an earlier version of XenServer or Citrix Hypervisor, certificate verification is not enabled automatically and you must enable it. XenCenter prompts you to enable certificate verification the next time you connect to the upgraded pool.

Before enabling certificate verification on a pool, ensure that no operations are running in the pool.

Enable by using XenCenter

XenCenter provides several ways to enable certificate verification.

  • When first connecting XenCenter to a pool without certificate verification enabled, you are prompted to enable it. Click Yes, Enable certificate verification.

  • In the Pool menu, select Enable Certificate Verification.

  • On the General tab of the pool, right-click the entry Certificate Verification and choose Enable Certificate Verification from the menu.

Enable by using the xe CLI

To enable certificate verification for a pool, run the following command in the console of a host in the pool:

xe pool-enable-tls-verification

Managing certificates

You can install, view information about, and reset the certificates that are used to verify the identity of a host.

Installing certificates

You can install your own TLS certificate for the host to present as its identity certificate when receiving connections from client applications on the management network.

For more information, see Install a TLS certificate on your host.

Viewing certificate information

To find out whether a pool has certificate verification enabled:

  • In XenCenter, look in the General tab for the pool. The General section has an entry for Certificate Verification which shows whether certificate verification is enabled or disabled. This tab also contains a Certificates section that lists the name, validity, and thumbprint for the CA certificates.

  • With the xe CLI, you can run the following command:

    xe pool-param-get uuid=<pool_uuid> param-name=tls-verification-enabled

    If certificate verification is enabled, the line tls-verification-enabled ( RO): true appears in the command output.

To view information about the certificates on a XenServer host:

  • In XenCenter, go to the General tab for that host. The Certificates section shows the thumbprint and the validity dates for the server identity certificate and the pool-internal identity certificate.

  • With the xe CLI, you can run the following command:

    xe certificate-list
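The two xe commands above give you the raw facts, but on a pool of any size you will want to check them from a script: confirm the pool really has verification on, confirm a host you are about to join is in the same state (the page notes the join fails otherwise), and spot certificates that are about to expire before XenCenter raises its alert. The following POSIX shell script is an added example, not part of the XenServer documentation or tooling. It parses command output offline, so the sample outputs embedded in it are constructed, not captured from a real host. It assumes that the `not-after` field name and the `YYYYMMDDTHH:MM:SSZ` timestamp format follow xe's usual list layout, and that a host exposes a `tls-verification-enabled` parameter readable with `xe host-param-get`; both are assumptions, not facts stated on this page.

```shell
#!/bin/sh
# Added example (not XenServer's own tooling). Parses xe output to answer:
#   1. Is certificate verification enabled for a pool (or a host)?
#   2. Would a host join succeed given the page's "both enabled or both
#      disabled" precondition?
#   3. Which certificates expire before a given UTC cut-off?
# ASSUMPTIONS: the "not-after" field name, the YYYYMMDDTHH:MM:SSZ timestamp
# format, and a host-level "tls-verification-enabled" parameter are assumed
# from xe's conventions. All sample outputs below are constructed.

# Print "true" or "false" for the tls-verification-enabled value found in $1.
# Accepts either the bare value that xe *-param-get prints, or the
# "tls-verification-enabled ( RO): true" line format quoted on this page.
# Returns 1 when no such value is present (unknown state is never "enabled").
tls_verification_state() {
    _tvs_val=$(printf '%s\n' "$1" | awk '
        /tls-verification-enabled/ { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }
        /^[[:space:]]*(true|false)[[:space:]]*$/ { gsub(/[[:space:]]/, ""); print; exit }
    ')
    case "$_tvs_val" in
        true|false) printf '%s\n' "$_tvs_val"; return 0 ;;
        *) return 1 ;;
    esac
}

# Join precondition from this page: host and pool must both have verification
# enabled or both disabled. $1 = host output, $2 = pool output. Exit 0 if the
# join is allowed; exit 1 if the states differ or either state is unreadable.
join_compatible() {
    _jc_host=$(tls_verification_state "$1") || return 1
    _jc_pool=$(tls_verification_state "$2") || return 1
    [ "$_jc_host" = "$_jc_pool" ]
}

# Print the name of every certificate in $1 (output of "xe certificate-list")
# whose not-after timestamp is earlier than $2 (UTC, YYYYMMDDTHH:MM:SSZ).
# Timestamps in that fixed-width format sort correctly as plain strings, so no
# date parsing is needed and the check is portable across sh/awk flavours.
certs_expiring_before() {
    printf '%s\n' "$1" | awk -v cutoff="$2" '
        /^[[:space:]]*name[[:space:]]*\(/      { sub(/^[^:]*:[[:space:]]*/, ""); name = $0 }
        /^[[:space:]]*not-after[[:space:]]*\(/ { sub(/^[^:]*:[[:space:]]*/, ""); if ($0 < cutoff) print name }
    '
}

# ---- Constructed sample data (not captured from a real host) ----------------
SAMPLE_POOL_OUTPUT='tls-verification-enabled ( RO): true'
SAMPLE_HOST_OUTPUT='false'
SAMPLE_CERT_LIST='uuid ( RO)            : 11111111-aaaa-4bbb-8ccc-000000000001
            name ( RO): host1.example.internal
            type ( RO): host
      not-before ( RO): 20240101T00:00:00Z
       not-after ( RO): 20250115T00:00:00Z

uuid ( RO)            : 11111111-aaaa-4bbb-8ccc-000000000002
            name ( RO): host2.example.internal
            type ( RO): host_internal
      not-before ( RO): 20240101T00:00:00Z
       not-after ( RO): 20340101T00:00:00Z'

# Demonstration run against the constructed data. On a real pool you would
# feed in the output of the xe commands instead, e.g.
#   tls_verification_state "$(xe pool-param-get uuid=<pool_uuid> param-name=tls-verification-enabled)"
echo "pool verification: $(tls_verification_state "$SAMPLE_POOL_OUTPUT")"
if join_compatible "$SAMPLE_HOST_OUTPUT" "$SAMPLE_POOL_OUTPUT"; then
    echo "join: allowed"
else
    echo "join: blocked (host and pool differ in tls-verification-enabled)"
fi
echo "expiring before 2025-03-01:"
certs_expiring_before "$SAMPLE_CERT_LIST" 20250301T00:00:00Z
```

The functions deliberately treat an unreadable state as "not enabled" rather than defaulting to a permissive answer, which is the direction you want a pre-flight check to fail in.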

Refreshing pool-internal identity certificates

You can refresh the pool-internal identity certificate by using the xe CLI:

  1. Find the UUID of the host whose certificate you want to refresh by running the following command:

     xe host-list

  2. To refresh the certificate, run the following command:

     xe host-refresh-server-certificate host=<host_uuid>

     Note:

     Any host selector parameter can be used with this command to indicate the host to refresh the certificate on.

Resetting server identity certificates

You can reset the server identity certificate from XenCenter or the xe CLI. Resetting a certificate deletes the certificate from the host and installs a new self-signed certificate in its place.

To reset a certificate in XenCenter:

  1. Go to the General tab for the host.
  2. In the Certificates section, right-click on the certificate you want to reset.
  3. From the menu, select Reset Certificate.
  4. In the dialog that appears, click Yes to confirm the certificate reset.

Alternatively, in the Server menu, you can go to Certificates > Reset Certificate.

When you reset a certificate, any existing connections to the XenServer host are disconnected — including the connection between XenCenter and the host. XenCenter reconnects automatically to the host after a certificate reset.

To reset a certificate by using the xe CLI:

  1. Find the UUID of the host whose certificate you want to reset by running the following command:

     xe host-list

  2. To reset the certificate, run the following command:

     xe host-reset-server-certificate host=<host_uuid>

     Note:

     Any host selector parameter can be used with this command to indicate the XenServer host to reset the certificate on.

When you reset a certificate, any existing connections to the XenServer host are disconnected — including the connection between XenCenter and the host. XenCenter reconnects automatically to the host after a certificate reset.

Expiry alerts

XenCenter shows alerts in the Notifications view when your server identity certificates, pool-internal identity certificates, or pool CA certificates are close to their expiry date.

Temporarily disabling certificate verification

We do not recommend that you disable certificate verification after it has been enabled on a host or pool. However, XenServer provides commands that can be used to disable certificate verification on a per-host basis when troubleshooting problems with certificates.

To temporarily disable certificate verification, run the following command on the host console:

xe host-emergency-disable-tls-verification

XenCenter shows an alert in the Notifications view when certificate verification is disabled on a host in a pool where the feature is enabled.

After you have resolved any issues with certificates on the host, ensure that you enable certificate verification on it again. To enable certificate verification again, run the following command on the host console:

xe host-emergency-reenable-tls-verification