Chapter 12. SSL Certificates

During the installation process, a self-signed SSL (Secure Socket Layer) certificate is generated for the XenServer host that is set to expire after 10 years. This is used for secure communications between the host and management tools, other XenServer hosts, or third-party software.

Reboot Required

If the default certificate for a XenServer host is going to be replaced or updated, it is recommended to reboot that XenServer host. Ensure that Guest VMs are halted or migrated to other hosts within a XenServer pool. Lastly, all administrators using XenCenter should expect, upon reconnecting to the XenServer host, a warning that there has been a change in the SSL Certificate/Trust. The administrator can accept this change to reestablish trust from from XenCenter to the host.

Apply a Commercial Certificate


A self-signed SSL certificate is not acceptable for your organization and a commercial one must be used.


XenServer supports the replacement of the default SSL certificate with a certified purchase through a trusted certificate authority (CA).


In the process of obtaining a signed certificate from a trusted authority, you will need to generate a CSR (certificate signing request). This is generated along with your private key and is a block of text containing encrypted information about your company, location, and contact information for an administrator of the host. The CSR also allows the certificate authority ...

Get XenServer Administration Handbook now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.