Educational ICT Virtualisation Specialist

Precedence Technologies Ltd
Technology House, 36a Union Lane
Cambridge, CB4 1QB, United Kingdom
T: +44 (0)1223 359900
E: sales@precedence.co.uk
XenServer-CAcert


Adding a new trusted CA root

XenServer checks the validity of the certificate presented by your licence server and rejects it if it is not trusted. If you have your own CA and install a certificate signed by that CA on your licence server, it may be rejected, particularly if the licence server was previously used with the default self-signed certificate (i.e. the certificate has changed). You may see references to the error UNKNOWN_SERVER_CERTIFICATE.

You can test whether the last communication was OK:
# xe pool-param-get uuid=$(xe pool-list --minimal) param-name=license-server param-key=certificate_check_result
OK
If not OK, the last certificate seen (but rejected) can be viewed with:
# xe pool-param-get uuid=$(xe pool-list --minimal) param-name=license-server param-key=last_seen_certificate
You can ask XenServer to trust that certificate on its next connection with the commands below. Check the certificate's subject, issuer and fingerprint first (for example with openssl x509 -noout -subject -issuer -fingerprint), because this pins whatever was last presented, whoever presented it:
# trusted=$(xe pool-param-get uuid=$(xe pool-list --minimal) param-name=license-server param-key=last_seen_certificate)
# xe pool-param-set uuid=$(xe pool-list --minimal) license-server:trusted_on_first_use="$trusted"
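The three xe steps above can be wrapped so that the last-seen certificate is only pinned after its SHA-256 fingerprint has been compared with a value obtained out of band (for instance from whoever runs the licence server). This is an added example, not code from the original page or from Citrix; it assumes the xe CLI and openssl are available in dom0, and that the operator supplies the expected fingerprint as the single argument.

```sh
#!/bin/sh
# Added example (not from the original KB page): pin the licence server
# certificate only after its fingerprint matches a value obtained out of band.
# Assumes a XenServer dom0 with the xe CLI and openssl available.
set -eu

pool_uuid() { xe pool-list --minimal; }

# Result of the last certificate check ("OK" when the certificate was accepted).
licence_cert_status() {
    xe pool-param-get uuid="$(pool_uuid)" param-name=license-server \
        param-key=certificate_check_result
}

# PEM of the certificate most recently presented by the licence server.
last_seen_cert() {
    xe pool-param-get uuid="$(pool_uuid)" param-name=license-server \
        param-key=last_seen_certificate
}

# SHA-256 fingerprint ("AA:BB:...") of the PEM certificate read from stdin.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//' \
        | tr '[:lower:]' '[:upper:]'
}

# Pin the last-seen certificate only if it matches the expected fingerprint.
# Returns 0 when pinned, 1 on mismatch (nothing is changed), 2 if no
# certificate has been seen yet.
pin_last_seen_cert() {
    expected="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
    cert="$(last_seen_cert)"
    [ -n "$cert" ] || { echo "no certificate has been seen yet" >&2; return 2; }
    actual="$(printf '%s\n' "$cert" | cert_fingerprint)"
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    xe pool-param-set uuid="$(pool_uuid)" \
        license-server:trusted_on_first_use="$cert"
}

# Usage: ./pin-licence-cert.sh <expected-sha256-fingerprint>
if [ "$#" -eq 1 ]; then
    if [ "$(licence_cert_status)" = "OK" ]; then
        echo "licence server certificate is already trusted"
    else
        pin_last_seen_cert "$1"
    fi
fi
```

The script deliberately does nothing on a mismatch; an unexpected fingerprint at this point is exactly the case trusted_on_first_use would otherwise paper over.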

For more details, see the XenServer documentation.

If you wish to explicitly trust your local CA (for instance, if the server needs to connect via an intercepting proxy), you can test and install as follows:

You can check whether the certificate is trusted by connecting with openssl s_client, which returns the server's certificate, and passing that to openssl verify. Note that openssl verify as used here only checks that the certificate chains to a trusted CA; it does not check that the name in the certificate matches the host you connected to.

This example is self-signed:
# echo | openssl s_client -connect server.internal:8083 2>/dev/null | openssl verify
C = GB, ST = Cambridgeshire, L = Cambridge, O = Precedence Technologies Ltd, CN = server.internal
error 18 at 0 depth lookup: self-signed certificate
error stdin: verification failed
This example is signed, but not from a trusted CA:
# echo | openssl s_client -connect server.internal:8083 2>/dev/null | openssl verify
C = GB, ST = Cambridgeshire, O = Precedence Technologies Ltd, CN = server.internal
error 20 at 0 depth lookup: unable to get local issuer certificate
error stdin: verification failed
You can get the CA that issued the cert with openssl x509:
# echo | openssl s_client -connect server.internal:8083 2>/dev/null | openssl x509 -noout -issuer
issuer=C = GB, ST = Cambridgeshire, L = Cambridge, O = Precedence Technologies Ltd, CN = Local Test CA
To trust your CA, copy its certificate to the directory /etc/pki/ca-trust/source/anchors and then run the update-ca-trust command. Re-running openssl verify should now show it is trusted:
# echo | openssl s_client -connect server.internal:8083 2>/dev/null | openssl verify
stdin: OK
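The checks above can be turned into a small dom0 script that classifies the openssl verify result into the next action (nothing to do, pin the self-signed certificate, or install the issuing CA) and that refuses to install anything other than a CA certificate as a trust anchor. This is an added example, not code from the original page; it assumes a CentOS-style dom0 with /etc/pki/ca-trust/source/anchors and update-ca-trust, and a CA file supplied by the operator as the optional third argument.

```sh
#!/bin/sh
# Added example (not from the original KB page): classify the result of the
# "s_client | verify" pipeline and install a private CA as a dom0 trust anchor
# only after confirming the file really is a CA certificate.
set -eu

ANCHOR_DIR=/etc/pki/ca-trust/source/anchors

# Run the check from the KB page and print the raw openssl verify output.
verify_output() {
    echo | openssl s_client -connect "$1:$2" 2>/dev/null | openssl verify 2>&1 || true
}

# Map openssl verify output to the next action:
#   trusted     - nothing to do
#   self-signed - there is no CA to install; pin via trusted_on_first_use instead
#   unknown-ca  - the issuer is not a trust anchor; install the CA and re-check
#   other       - inspect by hand (expired certificate, wrong name, ...)
classify_verify() {
    case "$1" in
        *"stdin: OK"*)           echo trusted ;;
        *"error 18 at 0 depth"*) echo self-signed ;;
        *"error 20 at"*)         echo unknown-ca ;;
        *)                       echo other ;;
    esac
}

# Install a CA certificate as a trust anchor. Refuses certificates without the
# CA:TRUE basic constraint, so a server's own certificate cannot end up as an
# anchor by mistake. Returns 1 without changing anything in that case.
install_ca_anchor() {
    ca="$1"
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || {
        echo "$ca is not a CA certificate (no CA:TRUE basic constraint)" >&2
        return 1
    }
    echo "installing $(openssl x509 -in "$ca" -noout -subject -fingerprint -sha256 | tr '\n' ' ')"
    cp "$ca" "$ANCHOR_DIR/$(basename "$ca")"
    update-ca-trust
}

# Usage: ./check-licence-ca.sh server.internal 8083 [local-ca.pem]
if [ "$#" -ge 2 ]; then
    status="$(classify_verify "$(verify_output "$1" "$2")")"
    echo "licence server certificate: $status"
    if [ "$status" = unknown-ca ] && [ "$#" -eq 3 ]; then
        install_ca_anchor "$3"
        echo "after install: $(classify_verify "$(verify_output "$1" "$2")")"
    fi
fi
```

Error 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, which is why the two outputs shown above lead to different actions: a self-signed certificate has no separate CA to trust, whereas an unknown issuer does.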
© Copyright Precedence Technologies 1999-2025
Page last modified on April 29, 2026, at 12:18 PM by sborrill