This article describes how to create a certificate using OpenSSL in combination with a Windows Certificate Authority and transfer the certificate to a XenServer host.

To enable trusted SSL communication for XenServer management through XenCenter, XenDesktop, or any other product, a trusted certificate is required on the XenServer host. This method is similar to CTX128617 - How to Use IIS to Acquire SSL Certificates for XenServer, except OpenSSL is used to generate the certificate requests.

This method can be scripted to replace certificates easily after they expire, and it also allows the certificate key pair to be archived. Should a XenServer require rebuilding, there is no need to repeat the request process; simply upload the archived key pair to the server.

The following steps simulate creating a certificate for a XenServer named “xenserver1” in the domain “domain.com”. The Certificate Authority is named CA1 on server DOMAINCA. The password used to protect the private key pair is “citrixpass”.


Following are the requirements:

Complete the following procedure:

  1. Install OpenSSL on a workstation or server. Ensure that the user performing the certificate request has adequate permissions to request and issue certificates.

  2. Create the certificate request and private key:
    openssl req -newkey rsa:2048 -keyout xenserver1prvkey.pem -nodes -out xenserver1.req -subj /CN=xenserver1.domain.com/O=Organization/C=US/ST=GA/L=Atlanta
    For more specifics on creating the request, refer to OpenSSL req commands. Adjust the Common Name (CN), Organization (O), Country (C), State (ST), and Location (L) values to reflect your information. If any of your values contain spaces, enclose the -subj argument in quotes.

  3. Submit the request to Windows Certificate Authority using CertReq:
    certreq -submit -binary -attrib "CertificateTemplate:WebServer" -config DOMAINCA\CA1 xenserver1.req xenserver1.cer
    A Windows Certificate Authority exports certificates in either Base64 or binary (DER) encoding. Base64 is the default, so the extra -binary switch is required to obtain the binary file that step 4 converts.
    For full CertReq syntax, refer to CertReq Command Line Reference.

  4. Convert the issued certificate to PEM format:
    openssl x509 -inform der -in xenserver1.cer -out xenserver1.pem

  5. Merge the issued certificate and private key into PKCS#12 (.pfx) format. Keep this password-protected file as the archived copy of the key pair:
    openssl pkcs12 -export -inkey xenserver1prvkey.pem -in xenserver1.pem -out xenserver1.pfx -passout pass:citrixpass

  6. Convert the PKCS#12 key pair into an unencrypted PEM key pair for importing into XenServer:
    openssl pkcs12 -in xenserver1.pfx -out xenserver1keypair.pem -nodes -password pass:citrixpass

  7. Transfer the key pair to XenServer. To get this file onto XenServer, this procedure uses WinSCP. A portable version is available for download here:

  8. Open WinSCP and start a session to your XenServer:

  9. Browse to /etc/xensource/ in the right pane and the location with your PEM certificate in the left pane:

  10. The file xapi-ssl.pem is the certificate currently in use on your XenServer. Rename this file to “xapi-ssl.pem.original” so that it can be restored if needed.

  11. To copy your new certificate, drag your PEM certificate from the left pane into the right pane. WinSCP prompts you to confirm the copy.

  12. Rename the copied PEM file to “xapi-ssl.pem”.

  13. For security, modify the properties of the file so that it is read-only.

  14. From the XenServer console, restart the xapissl service so that the new certificate is loaded:
    service xapissl restart

  15. Browse to your XenServer over HTTPS and verify that the certificate presented is the one issued by your CA.
