Managing PCoIP Management Console Certificates

Important: The PCoIP Management Console is shipped with a default Teradici self-signed certificate. It is strongly recommended that you generate your own certificates signed by a recognized certificate authority (CA), and then update both your PCoIP Management Console and your endpoints with the certificates before configuring a discovery method or adding endpoints to your PCoIP Management Console.

Custom Certificate Requirements

The certificate loaded onto the PCoIP Management Console for use as the PCoIP Management Console web interface certificate and for endpoint management must meet the following requirements:

• It must be a x.509 certificate in PEM format. Three PEM files are needed to install the certificate into the PCoIP Management Console:
  • The first file contains only the PCoIP Management Console public certificate.
  • The second file contains only the PCoIP Management Console certificate’s private key.
  • The third file contains the PCoIP Management Console certificate’s issuing chain (intermediate CAs, if applicable, and root CA).
• The certificate must be valid, meaning that the current time is after the “not valid before” time and before the “not valid after” time.
• The PCoIP Management Console certificate’s RSA key must be 1024 bit or greater. The recommended length is 2048 bits.
• If the PCoIP Management Console certificate contains an Enhanced Key Usage extension, it must include the Server Authentication usage. It is also acceptable for the certificate to not include an Enhanced Key Usage extension.

SECURITY Page

The PCoIP Management Console’s SECURITY page displays information about the current certificate that the PCoIP Management Console is using. It lets you upload your own PCoIP Management Console certificates to the PCoIP Management Console. If you wish to revert to the default self-signed certificate, you can also do this from the SECURITY page. You can access this page by clicking SETTINGS from the PCoIP Management Console’s top menu, then clicking the SECURITY menu in the left pane.

Note: Click the ? beside each field for help with any of the settings.

Figure 6-4: SECURITY Page

Uploading Your Own PCoIP Management Console Certificates

The PCoIP Management Console requires the following certificates:

Note: All PCoIP Management Console certificates must be issued in PEM format.

• MC server’s certificate (*.pem): Contains the public key. The PCoIP Management Console’s public key certificate fingerprint is also used for DHCP/DNS endpoint discovery.
• MC server’s private key certificate (*.key): Contains the private key.
• MC chain certificate (*.pem): Contains the root certificate and any intermediate certificates used to issue PCoIP Management Console server certificates.

This section explains how to upload your own certificates to the PCoIP Management Console and to endpoints that require an PCoIP Management Console certificate before discovery. If you wish to avoid browser certificate warnings when you access the PCoIP Management Console’s web interface, you can also install the PCoIP Management Console certificate in your browser.

Important: If you are installing your own PCoIP Management Console certificates before you have added endpoints to the PCoIP Management Console, please follow the instructions in the order shown below. If you need to update your PCoIP Management Console certificates for any reason after the PCoIP Management Console has already discovered your endpoints, the order of this procedure is slightly different. See Updating PCoIP Management Console Certificates after Endpoint Discovery for details.

Step 1: Upload Your PCoIP Management Console Certificates to the PCoIP Management Console

Note: Uploading a certificate disables all PCoIP Management Console users and causes the PCoIP Management Console application to restart. Users will not be able to access the PCoIP Management Console for one to two minutes.

1. From the PCoIP Management Console’s top menu, click SETTINGS.
2. Click SECURITY in the left pane.
3. Click UPDATE.
4. Click SELECT CERTIFICATE, select the PCoIP Management Console’s public key certificate file (*.pem), and then click NEXT.
   
   
   
   
5. Click SELECT KEY, select the PCoIP Management Console’s private key certificate file (*.key), and then click NEXT.
   
   
   
   
6. Click SELECT CHAIN, select the PCoIP Management Console’s chain certificate file (*.pem), and then click NEXT.
   
   
   
   
7. Click Apply.
8. Read the warning message and then click APPLY.
   
   
   
   
9. When the update process completes, click LOGIN to log in to the PCoIP Management Console again.

Step 2: Update Your DHCP/DNS Server with the PCoIP Management Console Server’s Public Key Certificate Fingerprint

If your DHCP or DNS server is configured to provision endpoints with the PCoIP Management Console’s public key certificate fingerprint, this information must be updated next. You can update your server with your PCoIP Management Console certificate fingerprint as follows:

• DHCP server: Edit the EBM X.509 SHA-256 fingerprint option for the PCoIP Endpoint option class. For details, see Configuring DHCP Options.
• DNS server: Edit the EBM-SHA-256-fingerprint DNS text record. For details, see Adding an Optional DNS TXT Record.

Step 3: Upload an PCoIP Management Console Certificate to Your Endpoints

If your endpoints are configured with a discovery method and security level that require them to have an PCoIP Management Console certificate in their trusted certificate store before they can connect to the PCoIP Management Console, you can either upload the PCoIP Management Console certificate for a group of endpoints using an PCoIP Management Console 1 profile, or you can upload the PCoIP Management Console certificate locally using each endpoint’s AWI. Depending on your security requirements, you can upload either an PCoIP Management Console issuer certificate (i.e., the root CA certificate (or intermediate certificate) that was used to issue an PCoIP Management Console server certificate) or you can upload the PCoIP Management Console server’s public key certificate.

Installing the PCoIP Management Console Certificate in Your Browser

If you wish to avoid browser certificate warnings when you access the PCoIP Management Console’s web interface, you can install an PCoIP Management Console certificate in your browser. You can use either an PCoIP Management Console issuer certificate or the PCoIP Management Console server’s public key certificate.

Installing the PCoIP Management Console Certificate in Internet Explorer

1. Right-click the certificate file (*.pem), and then select Install Certificate.
2. When the Certificate Import Wizard appears, click Next.
3. Select Automatically select the certificate store based on the type of certificate. Click Next.
4. Click Finish to complete the import. The certificate is now added the Windows Trusted Root Certification Authorities certificate store.
5. Restart Internet Explorer so that it rescans the Windows certificate store.

Installing the PCoIP Management ConsoleCertificate in Firefox

1. From the Tools menu, select Options.
2. Click Advanced at the top of the window.
3. From the Encryption tab, click View Certificates.
4. From the Authorities tab, click Import.
5. From the Select File dialog, select the certificate file (*.pem).
6. From the Downloading Certificate dialog, select the Trust this CA to identify web sites checkbox, and then click OK. The certificate will appear in the list on the Authorities tab.

Note: In Firefox you can also disable the certificate warnings by adding an exemption for the PCoIP Management Console. To do this, click I Understand the Risks on the This Connection is Untrusted warning page and follow the directions.

Installing the PCoIP Management ConsoleCertificate in Google Chrome

1. Click the Chrome menu on the browser toolbar.
2. Select Settings.
3. At the bottom of the page, click the Show advanced settings link.
4. In the HTTPS/SSL section, click Manage certificates.
5. Select the Trusted Root Certification Authorities tab.
6. Click Import.
7. Click Next at the first Certificate Import Wizard screen.
8. Browse to the certificate location, select the certificate file (*.pem), and then click Next.
9. Click Finish.
10. If another security warning dialog displays, click Yes.

Reverting to the Default Self-signed PCoIP Management Console Certificate

Note: Reverting the PCoIP Management Console to its self-signed certificate disables all PCoIP Management Console users and causes the PCoIP Management Console application to restart. Users will not be able to access the PCoIP Management Console for one to two minutes.

1. From the PCoIP Management Console’s top menu, click SETTINGS.
2. Click SECURITY in the left pane.
3. Click REVERT SELF-SIGNED CERTIFICATE.
4. Read the warning message and then click APPLY.
   
   
   
   
5. When the update process completes, click LOGIN to log in to the PCoIP Management Console again.

© 2016 Teradici Corporation. All rights reserved. Intellectual Property Rights.
TER1401005 Issue 9, Version 2.2, 10 August 2016.