Security Certificates in PCoIP Agents
PCoIP requires a certificate to establish a session. By default, PCoIP agents generate a self-signed certificate that secures the PCoIP session. Each component in the PCoIP system can generate these self-signed certificates, which will automatically work together without requiring any configuration.
You can, if needed, create and deploy your own custom certificates instead of relying on Teradici's self-signed certificates. This section explains how to create and implement custom certificates.
Using Custom Security Certificates
You can use OpenSSL, Microsoft Certification Authority, or a public certificate authority (CA) of your choice to create your certificates. If you are not using OpenSSL, consult your certificate authority's documentation for instructions on creating certificates in a Windows Certificate Store-compatible format.
The procedures in this section use OpenSSL to generate certificates that will satisfy most security scanner tools when the root signing certificate is known to them.
Caution: Certificates are stored in the Windows Certificate Store
Certificates are stored in the Windows certificate store. If you have old certificates that are stored on the host, they should be deleted to avoid conflicts or confusion.
Custom Certificate Guidelines
If you choose to use your own certificates, follow these general guidelines:
- Save your root CA signing certificate in a safe place for deployment to clients.
- Back up private and public keys to secure locations.
- Never store files created when generating keys or certificates on network drives without password protection.
- Once certificates have been deployed to the Windows certificate store, the files they came from are no longer needed and can be deleted.
- Standard automatic tools, such as Automatic Certificate Enrollment and Group Policy, can be used for deploying automatically generated certificates. Both Automatic Certificate Enrollment and Group Policies are implemented through Active Directory. See MSDN Active Directory documentation for more information.
Pre-session Encryption Algorithms
Connections are negotiated using the following supported RSA cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Note: Minimum SSL version
These Max Compatibility security level cipher suites have a minimum required SSL version of TLS 1.2.
Custom Security Certificates
In order for a CA signed certificate to be loadable by PCoIP components, it must be stored in /etc/pcoip-agent/ssl-certs in three .pem files, owned by the pcoip user, and only readable by the owning user:
- pcoip-key.pem must contain an unlocked RSA key
- pcoip-cert.pem must contain the certificate issued for the key in pcoip-key.pem (its public key must match that private key)
- pcoip-cacert.pem must contain a CA certificate chain that validates the certificate in pcoip-cert.pem
Configure the Graphics Agent for Linux to use custom certificates
The Graphics Agent for Linux can be configured to look locally for certificates or to generate its own by setting the pcoip.ssl_cert_type directive in pcoip-agent.conf.
For more detailed information, see Configuring the Agent.
Select a Security Key Length
When the Graphics Agent for Linux is attempting to find a certificate in storage, the required key length can be set via the pcoip.ssl_cert_min_key_length directive in pcoip-agent.conf.
If the system cannot find a local certificate with the specified key length, it will either self-generate a certificate (if pcoip.ssl_cert_type is 0), or refuse the connection (if pcoip.ssl_cert_type is 1). This setting has no effect if pcoip.ssl_cert_type is set to 2.
For more detailed information, see Configuring the Agent.