pool-certificate-list

XenServer’s Workload Balancing component lets you use certificates to secure communication between XenServer pools and the Workload Balancing server. You can either use the default certificate, which is created automatically during Workload Balancing installation, or you can specify a certificate you have already created.

To use your own certificate, the certificate must be in X.509 format. If you want to import the certificate into XenServer's certificate store, you must specify during Workload Balancing installation that WLB use an existing certificate, and export it. Currently, you must do this by installing WLB with the Msiexec commands.

However, following installation you need to export the certificate again. When you export the certificate from Workload Balancing, Workload Balancing exports it in Base64 encoded format. You must convert the exported certificate into a Privacy Enhanced Mail (PEM) file or a .crt format by exporting it from Windows using Windows certificate management features so that XenServer can import it.

Note:

To convert the exported certificate into a PEM (.pem) file, copy it to your XenServer pool master and run the following commands:

openssl enc -base64 -in <exported_cert_name.crt> -out <certificate.pem>

After converting the certificate into .pem or .crt, you must load the certificate onto servers across the pool by doing the following:

1. List any existing certificates on the pool (using xe pool-certificate-list).

2. Install the certificate you specified during WLB installation (using pool-certificate-install).

3. Synchronize the certificate on all hosts in the pool (using pool-certificate-sync).

4. (Optional.) Instruct XenServer to require a certificate before connecting (using pool-certificate-sync).

pool-certificate-list

Lists all installed SSL certificates.

pool-certificate-install

pool-certificate-install filename=<certificatefilename>

Run this command on the pool to install the certificate you specified during WLB installation on the pool master. Before installing the certificate on the master, it must be exported in either .pem or .crt format. If you are exporting the certificate using Windows certificate management features, select the Base 64 encoded X.509 format.

Typically, when you installed WLB, you may have named the certificate something like wlbcert.cer. Simply renaming the file to wlbcert.crt is not sufficient. You must export the certificate so that the file is converted into the format XenServer expects to receive.

pool-certificate-sync

pool-certificate-sync

Run this command on the pool, after running the pool-certificate-install command, to make sure the certificate and certificate revocation lists are synchronized from the pool master to all slaves on the pool.
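The list, install and sync steps above, preceded by a check for the renamed-.cer pitfall, as an added example that is not part of the original manual. It assumes it runs on the pool master; the function names and the wlbcert.crt file name are illustrative, and binary DER input is converted with openssl x509 rather than the openssl enc command shown earlier.

```shell
#!/bin/sh
# Added example: pre-flight check and install of a WLB certificate on the pool master.
# cert_encoding and install_wlb_cert are illustrative names, not XenServer commands.

# Print "pem", "der" or "unknown" for the certificate file given as $1.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der      # binary ASN.1 SEQUENCE tag: e.g. a .cer that was only renamed
    else
        echo unknown
    fi
}

# Make sure $1 is PEM (converting DER if needed), then list, install and sync.
install_wlb_cert() {
    src=$1
    pem=$src
    case "$(cert_encoding "$src")" in
        pem) ;;
        der) pem="$src.pem"   # write beside the input, never over it
             openssl x509 -inform DER -in "$src" -outform PEM -out "$pem" || return 1 ;;
        *)   echo "error: $src is not an X.509 certificate in PEM or DER form" >&2
             return 1 ;;
    esac
    xe pool-certificate-list &&
    xe pool-certificate-install filename="$pem" &&
    xe pool-certificate-sync
}

# Runs only when a certificate path is passed, e.g.: ./install-wlb-cert.sh wlbcert.crt
if [ "$#" -gt 0 ]; then
    install_wlb_cert "$1"
fi
```

A file reported as "unknown" is rejected before any xe command runs, so a mis-exported certificate never reaches the pool's certificate store.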

Citrix Systems 5.6 manual Pool-certificate-list, Pool-certificate-install, Pool-certificate-sync