Security Certificates in PCoIP Agents
PCoIP requires a certificate to establish a session. By default, PCoIP agents generate a self-signed certificate that secures the PCoIP session. Each component in the PCoIP system can generate these self-signed certificates, which will automatically work together without requiring any configuration.
You can, if needed, create and deploy your own custom certificates instead of relying on Teradici's self-signed certificates. This section explains how to create and implement custom certificates.
Using Custom Security Certificates
You can use OpenSSL, Microsoft Certification Authority, or a public certificate authority (CA) of your choice to create your certificates. If you are not using OpenSSL, consult your certificate authority's documentation for instructions on creating certificates in a Windows Certificate Store-compatible format.
The procedures in this section use OpenSSL to generate certificates that will satisfy most security scanner tools when the root signing certificate is known to them.
Caution: Certificates are stored in the Windows Certificate Store
Certificates are stored in the Windows certificate store. If you have old certificates that are stored on the host, they should be deleted to avoid conflicts or confusion.
Custom Certificate Guidelines
If you choose to use your own certificates, follow these general guidelines:
- Save your root CA signing certificate in a safe place for deployment to clients.
- Back up private and public keys to secure locations.
- Never store files created when generating keys or certificates on network drives without password protection.
- Once certificates have been deployed to the Windows certificate store, the files they came from are no longer needed and can be deleted.
- Standard automatic tools, such as Automatic Certificate Enrollment and Group Policy, can be used for deploying automatically generated certificates. Both Automatic Certificate Enrollment and Group Policy are implemented through Active Directory. See MSDN Active Directory documentation for more information.
Pre-session Encryption Algorithms
Connections are negotiated using the following supported RSA cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
Note: Minimum SSL version
These Max Compatibility security level cipher suites have a minimum required SSL version of TLS 1.0.
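As an added example (not part of the Teradici documentation), the following Python parses the cipher suite names listed above into their components and flags the suites a security scanner would typically report on: those using static RSA key transport (no forward secrecy) and those using CBC mode with an HMAC (not AEAD). The suite list is copied from above; the function names and the `SuiteProfile` structure are my own.

```python
import re
from dataclasses import dataclass

# Copied from the "Max Compatibility" suite list above.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Shape of the RSA-authenticated, AES-based names on this page:
# TLS_[ECDHE_]RSA_WITH_AES_<bits>_<mode>_<mac>
_SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kx>ECDHE)_)?RSA_WITH_AES_(?P<bits>128|256)_"
    r"(?P<mode>GCM|CBC)_(?P<mac>SHA|SHA256|SHA384)$"
)

@dataclass(frozen=True)
class SuiteProfile:
    name: str
    key_exchange: str   # "ECDHE", or "RSA" for static RSA key transport
    aes_bits: int
    mode: str           # "GCM" (AEAD) or "CBC" (encrypt-then-HMAC)
    mac: str
    forward_secrecy: bool
    aead: bool

def parse_suite(name):
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = m.group("kx") or "RSA"  # no explicit key exchange means static RSA
    return SuiteProfile(name, kx, int(m.group("bits")), m.group("mode"), m.group("mac"),
                        forward_secrecy=(kx == "ECDHE"), aead=(m.group("mode") == "GCM"))

def audit(suites):
    """Map each weaker suite to the reasons a scanner would flag it."""
    findings = {}
    for name in suites:
        p = parse_suite(name)
        reasons = []
        if not p.forward_secrecy:
            reasons.append("static RSA key exchange: no forward secrecy")
        if not p.aead:
            reasons.append("CBC mode with HMAC: not AEAD")
        if reasons:
            findings[name] = reasons
    return findings

def rank(suites):
    """Order suites strongest-first: forward secrecy, then AEAD, then AES key size."""
    profiles = [parse_suite(s) for s in suites]
    profiles.sort(key=lambda p: (p.forward_secrecy, p.aead, p.aes_bits), reverse=True)
    return [p.name for p in profiles]
```

Only the two ECDHE GCM suites pass both checks; the order returned by `rank` is the preference order an administrator would want the agent to negotiate from.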
In-session Encryption Algorithms
Once a PCoIP session has been negotiated and the connection established, all PCoIP communications are secured by the AES-256-GCM session encryption algorithm, or AES-128-GCM if AES-256-GCM is unavailable. These settings can be configured on the agent.