Skip to content

Security Certificates in PCoIP Agents

PCoIP requires a certificate to establish a session. By default, PCoIP agents generate a self-signed certificate that secures the PCoIP session. Each component in the PCoIP system can generate these self-signed certificates, which will automatically work together without requiring any configuration.

You can, if needed, create and deploy your own custom certificates instead of relying on Teradici's self-signed certificates. This section explains how to create and implement custom certificates.

Using Custom Security Certificates

You can use OpenSSL, Microsoft Certification Authority, or a public certificate authority (CA) of your choice to create your certificates. If you are not using OpenSSL, consult your certificate authority's documentation for instructions on creating certificates in a Windows Certificate Store-compatible format.

The procedures is this section use OpenSSL to generate certificates that will satisfy most security scanner tools when the root signing certificate is known to them.

Caution: Certificates are stored in the Windows Certificate Store

Certificates are stored in the Windows certificate store. If you have old certificates that are stored on the host, they should be deleted to avoid conflicts or confusion.

Custom Certificate Guidelines

If you choose to use your own certificates, follow these general guidelines:

  • Save your root CA signing certificate in a safe place for deployment to clients.

  • Back up private and public keys to secure locations.

  • Never store files created when generating keys or certificates on network drives without password protection.

  • Once certificates have been deployed to the Windows certificate store, the files they came from are no longer needed and can be deleted.

  • Standard automatic tools, such as Automatic Certificate Enrollment and Group Policy, can be used for deploying automatically generated certificates. Both Automatic Certificate Enrollment and Group Policies are implemented through Active Directory. See MSDN Active Directory documentation for more information.

Pre-session Encryption Algorithms

Connections are negotiated using the following supported RSA cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Note: Minimum SSL version

These Max Compatibility security level cipher suites have a minimum required SSL version of TLS 1.2.

Custom Security Certificates

In order for a CA signed certificate to be loadable by PCoIP components, it must be stored in /etc/pcoip-agent/ssl-certs in three .pem files, owned by the pcoip user, and only readable by the owning user:

  • pcoip-key.pem must contain an unlocked RSA key
  • pcoip-cert.pem must contain a certificate that signs the key in pcoip.pem
  • pcoip-cacert.pem must contain a CA certificate chain that validates the certificate in pcoip-cert.pem

Configure the Graphics Agent for Linux to use custom certificates

The Graphics Agent for Linux can be configured to look locally for certificates or to generate its own by setting the pcoip.ssl_cert_type directive in pcoip-agent.conf.

For more detailed information, see Configuring the Agent.

Select a Security Key Length

When the Graphics Agent for Linux is attempting to find a certificate in storage, the required key length can be set via the pcoip.ssl_cert_min_key_length directive in pcoip-agent.conf.

If the system cannot find a local certificate with the specified key length, it will either self-generate a certificate (if pcoip.ssl_cert_type is 0), or refuse the connection (if pcoip.ssl_cert_type is 1). This setting has no effect if pcoip.ssl_cert_type is set to 2.

For more detailed information, see Configuring the Agent.