Maps device policy. Maximum resident users device policy. MDM options device policy. Network device policy. Network usage device policy. Office device policy. Organization information device policy. OS update device policy. Passcode device policy. Passcode lock grace period device policy. Personal hotspot device policy. Power management device policy. Profile removal device policy. Provisioning profile device policy. Provisioning profile removal device policy. Proxy device policy. Public session device policy.
Restrictions device policy. Roaming device policy. Samsung MDM license key device policy. SCEP device policy. Siri and dictation policies. SSO account device policy. Storage encryption device policy. Store device policy.
Subscribed calendars device policy. Terms and conditions device policy. Tunnel device policy. VPN device policy. Wallpaper device policy. Web content filter device policy.
Web clip device policy. Windows Agent device policy. Windows GPO configuration device policy. Windows Hello for Business device policy. Windows Information Protection device policy. Add apps. App connector types. Citrix Launcher. Add apps using Apple volume purchase.
SmartAccess for HDX apps. Upgrade MDX or enterprise apps. Add media. Deploy resources. Automated actions. Monitor and support. Connectivity checks. Mobile Service Provider. Endpoint Management Analyzer. Restrict email access. ActiveSync Gateway. Endpoint Management connector for Exchange ActiveSync. Citrix Gateway connector for Exchange ActiveSync.
Advanced concepts. Endpoint Management deployment. Management modes. Device requirements. Security and user experience. User communities. Email strategy. Endpoint Management integration. Server properties.
Device and app policies. Client properties. User enrollment options. App provisioning and deprovisioning. Dashboard-based operations. Citrix support process. Sending group enrollment invitations in Endpoint Management.
Configuring an on-premises Device Health Attestation server. Document History. Aviso legal. Este texto foi traduzido automaticamente. Este artigo foi traduzido automaticamente. We recommend that you list the certificates needed for your Endpoint Management deployment. Use the list to track the certificate expiration dates and passwords. This article helps you administer certificates throughout their lifespan.
Each certificate you upload has an entry in the Certificates table, including a summary of its contents. When you configure PKI integration components that require a certificate, choose a server certificate to satisfy the criteria. For example, you might want to configure Endpoint Management to integrate with your Microsoft certificate authority CA.
The connection to the Microsoft CA must be authenticated by using a client certificate. Endpoint Management might not possess the private key for a given certificate. Likewise, Endpoint Management might not require a private key for uploaded certificates. This section provides general procedures for uploading certificates. For details about creating, uploading, and configuring client certificates, see Client certificate or certificate plus domain authentication.
You can upload the CA certificate without the private key that the CA uses to sign requests. You can also upload an SSL client certificate with the private key for client authentication.
You select the CA certificate from a list of all server certificates that are CA certificates. Likewise, when configuring client authentication, you can select from a list of all the server certificates for which Endpoint Management has the private key. A keystore is a repository of security certificates. By design, keystores can contain multiple entries. They are active after a new valid certificate is bound to them. To reduce downtime, you can use the update feature to replace a certificate-key pair that is bound to an SSL virtual server or an SSL service.
Video link to How do I update an existing certificate. At the command prompt, type the following commands to update an existing certificate-key pair and verify the configuration:. Select the certificate that you want to update, and click Update. Select Update the certificate and key. If you upload a certificate pem file, you must also upload a certificate key file. If the key is encrypted, you must specify the encryption password. If the common name of the new certificate does not match the old certificate, then select No Domain Check.
Click OK. All the SSL virtual servers to which this certificate is bound are automatically updated. After replacing the certificate, you might have to update the certificate link to a new intermediate certificate. For more information about updating an intermediate certificate without breaking the links, see Update an intermediate certificate without breaking the links.
Right-click the updated certificate, and click Cert Links , to see if it is linked to an intermediate certificate. If the certificate is not linked, then right-click the updated certificate, and click Link to link it to an intermediate certificate.
The steps to update an existing CA certificate are the same as updating an existing server certificate. The only difference is that you do not need a key in the case of CA certificates. When an SSL certificate is replaced on the appliance, the domain name mentioned on the new certificate must match the domain name of the certificate being replaced. For example, if you have a certificate issued to abc.
However, if you want the server that has been hosting a particular domain to host a new domain, disable the domain check before updating its certificate. At the command prompt, type the following commands to disable the domain check and verify the configuration:. The following procedure assumes that the default certificate ns-server-certificate is bound to the internal services.
An SSL certificate is valid for a specific period. A typical deployment includes multiple virtual servers that process SSL transactions, and the certificates bound to them can expire at different times. If you want to create SNMP alerts for certificate expiration, you must configure them separately.
At the command prompt, type the following commands to enable an expiry monitor for a certificate and verify the configuration:. You can now update an intermediate certificate without breaking any existing links. You can update any number of certificates in the link, one at a time, if the preceding condition is met.
Previously, the links broke if an intermediate certificate was updated. If the common name in a certificate changes, while updating the certificate specify nodomaincheck. A certificate contains the name of the issuing authority and the subject to whom the certificate is issued. To validate a certificate, you must look at the issuer of that certificate and confirm if you trust the issuer. If you do not trust the issuer, you must see who issued the issuer certificate.
Go up the chain until you reach the root CA certificate or an issuer that you trust. As part of the SSL handshake, when a client requests a certificate, the appliance presents a certificate and the chain of issuer certificates present on the appliance.
An administrator can view the certificate chain for the certificates present on the appliance and install any missing certificates. There are 3 certificates: c1, c2, and c3.
Certificate c3 is the root CA certificate and signs c2, and c2 signs c1. The following examples illustrate the output of the show ssl certchain c1 command in different scenarios. If you run the following command, the certificate links up to the root CA certificate are displayed.
If you run the following command, the information that certificate c3 is a root CA certificate but is not linked to c2 is displayed.
If you run the following command, information about all the certificates starting with the issuer of certificate c1 is displayed. It is also specified that the certificates are not linked. If you run the following command, information about the certificate linked to c1 is displayed. You are prompted to add a certificate with the subject name specified in c2. In this case, the user is asked to add the root CA certificate c3. A certificate is not linked to certificate c1 and the issuer certificate of c1 is not present on the appliance.
If you run the following command, you are prompted to add a certificate with the subject name in certificate c1. The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
Citrix ADC. Current Release Current Release Click Finish. Now that you have imported your server certificate and chain, you must assign the certificate using the Secure Gateway Configuration Wizard.
Click OK to confirm the product you want to secure. Select the Standard option and click Next. Select the certificate from the list display in the Configuration wizard. The certificate that was installed using IIS should appear in the list. Click Next. On the following screen, use the default option No outbound traffic restriction unless you need to configure the other advanced options and click Next. Do not dial an extra "1" before the "" or your call will not be accepted as an UITF toll free call.
Yes No. Chat with Entrust. It looks like our HSM agents are not available right now. Would you like us to contact you? We look forward to talking with you.
0コメント