Adding your own certificate to the XenClient Synchronizer

The Synchronizer for XenClient comes with its own certificate.  However most final installations will want to have their organization’s signed certificate so it is trusted automatically.  My lab environment is very simple.  There is a root CA and no intermediate CAs.  There will be differences in a properly designed environment with intermediate CAs that might change a few steps.

First, it is probably easier to work with the synchronizer using ssh and not the XenCenter console.  Generate some keys and start ssh.

  1. ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
  2. ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
  3. /etc/init.d/ssh start

Note that this is not setting ssh to start automatically.  If you restart the synchronizer you will need to start ssh again.

Create the certificate requests on the synchronizer.

  1. openssl genrsa -out <key file> 2048
  2. openssl req -new -key <key file> -out <cert request file>

Transfer the certificate request file to your CA and issue a certificate.  Transfer the certificate back to the synchronizer.  Since you have ssh currently running you can use SFTP for this.  If you do not have an SFTP client, I would recommend FileZilla.

The certificate files are specified in /xt/config/xcbe-apache2.conf.  You will need to change the following three lines to point to your key and certificate files.

SSLCertificateFile <path to cert issued for synchronizer>
SSLCertificateKeyFile <path to key generated on the synchronizer>
SSLCertificateChainFile <path to root CA>

The third line actually reads “SSLCACertificateFile” by default, but would not work for me using the root CA certificate.  Please look into those directives to see what you need specifically.  Once apache is restarted browse to the synchronizer’s web interface and you should now be trusting the certificate.

Update: Further testing has shown that changing the certificate causes issues with a client connecting to the synchronizer to upload/download images.  I am continuing to look at what more is needed.


  1. Make sure the machine browsing to the synchronizer’s web interface first trusts the issuing CA.
  2. If you cannot reach the web interface, make sure apache is running.  /etc/init.d/apache2 status
  3. To check for errors with apache starting look at the logs in /var/log/xcbe.

About Adam Oliver

Adam Oliver has been working in the IT field for over 10 years and is a Sales Engineer for Citrix Systems, Inc. Follow Adam on twitter at Find out more about Citrix at
This entry was posted in XenClient and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *