MobileIron – replace SSL certificate
Something completely different: changing the SSL certificate on MobileIron Core and Sentry. In total, I had to replace 5 certificates. 4 certificates are replaced via the Core web interface and 1 certificate needs to be replaced via the Sentry web interface.
Within the Core web interface you have to change the certificated in two separate interfaces.
1. Login to the Core web interface and choose Services >> Sentry
2. Choose the icon (person’s head) in the upper right corner >> System Manager. Log in to the System Manager website and choose Security >> Certificate Mgmt
Log in to the Sentry web interface and choose Security >> Certificate Mgmt
The process of replacing the certificate is the same for all 5 certificates. You only need to be careful to upload the correct certificates. In my situation, users are connecting to two different FQDNs. One FQDN is pointing to the Core and is used to sign in to MobileIron and register a device. The second FQDN points to Sentry and is used for client connections from the mobile device, like Outlook Sync or Web@Work. I upload the certificate with the Sentry FQDN to the Sentry option on the Core web interface and within the Sentry web interface and I upload the Core certificate within the Core System Manager web interface.
I am using a certificate based on a full FQDN, so no wildcard certificate. The certificate’s certificate path contains two intermediate certificates and one root certificate. In total I have 5 different files:
- a signed certificate from the CA
- the private key
- the first intermediate certificate
- the second intermediate certificate
- the root certificate
I upload all certificates separately when choosing Manage Certificate like shown in the image.
Hit Upload Certificate when you choose all the necessary files. MobileIron starts uploading the certificates, is “smart” enough to combine all certificates, replaces the certificate for the specific service and restarts the service. This could result in a short interruption of production. After this, the SSL certificate is successfully replaced.
Latest posts by René Jorissen (see all)
- MacOS Big Sur and SSLKEYFILELOG - November 23, 2021
- ClearPass, Azure AD, SSO and Object ID - August 12, 2021
- ClearPass – custom MPSK - July 20, 2021
I want to know do we need to replace/renew the ssl cert on the server if the servers are in HA like core in primary and secondary do we need to update the same ssl cert on both server or if do a primary ssl update it automatically update the secondary.
I am not sure, because I have never changed the cert on a cluster. Only on a standalone appliance
It is quite interesting blog post worth of reading. I really thankful for giving an opportunity to read an informative article like this! I really appreciate this post thank you for sharing these type of posts.
In Services=>Sentry on the Admin Portal, the SSL cert will soon expire, and the other two entries (Digicert HA server CA and Root CA) not anytime soon. We will purchase a new SSL cert, but just to verify a couple of things:
1. If your SSL cert for Sentry expires, it is just a an issue of activesync traffic halting to devices, or the devices will need to be re-enrolled/etc?
2. To renew the cert (upload of new cert), we need to upload the new cert on both the sentry and core devices, and not through the admin portal page?
3. Sentry service would need to be manually restarted, or Sentry bounced, after cert upload?