PCoIP requires a certificate to establish a session. By default, PCoIP agents generate a self-signed certificate that secures the PCoIP session. Each component in the PCoIP system can generate these self-signed certificates, which will automatically work together without requiring any configuration.
You can, if needed, create and deploy your own custom certificates instead of relying on Teradici's self-signed certificates. This section explains how to create and implement custom certificates.
Using Custom Security Certificates
You can use OpenSSL, Microsoft Certification Authority, or a public certificate authority (CA) of your choice to create your certificates. If you are not using OpenSSL, consult your certificate authority's documentation for instructions on creating certificates in a Windows Certificate Store-compatible format.
The procedures in this section use OpenSSL to generate certificates that will satisfy most security scanner tools when the root signing certificate is known to them.
Caution: Certificates are stored in the Windows Certificate Store
Certificates are stored in the Windows certificate store. If you have old certificates that are stored on the host, they should be deleted to avoid conflicts or confusion.
Custom Certificate Guidelines
If you choose to use your own certificates, follow these general guidelines:
- Save your root CA signing certificate in a safe place for deployment to clients.
- Back up private and public keys to secure locations.
- Never store files created when generating keys or certificates on network drives without password protection.
- Once certificates have been deployed to the Windows certificate store, the files they came from are no longer needed and can be deleted.
- Standard automatic tools, such as Automatic Certificate Enrollment and Group Policy, can be used for deploying automatically generated certificates. Both Automatic Certificate Enrollment and Group Policies are implemented through Active Directory. See MSDN Active Directory documentation for more information.
Pre-session Encryption Algorithms
Connections are negotiated using the following supported RSA cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_AES_256_GCM_SHA384
Note: Minimum SSL version
These Max Compatibility security level cipher suites have a minimum required SSL version of TLS 1.2.
Creating And Installing Custom Certificates
This section describes how to replace Teradici's default certificates with your own custom certificates.
Note: These procedures use OpenSSL
The procedures in this section use OpenSSL to create private keys, certificate signing requests, and certificates. To use OpenSSL, install Visual C++ 2008 Redistributables and Win32 OpenSSL Light v1.0.2g+.
For detailed information about OpenSSL, refer to OpenSSL documentation.
To replace Teradici's default certificates with custom certificates:
1. Install required OpenSSL components on your system.
2. Create a private key and certificate pair for the PCoIP Agent.
3. Install the agent's private key and certificate in the Windows Certificate Store for each desktop.
4. Configure the certificate mode for each desktop.
5. Install the internal root CA in your PCoIP clients.
Installing OpenSSL Requirements
Install the following components on your Windows machine:
- Visual C++ 2008 Redistributables
- Win32 OpenSSL v1.0.2g Light (or later).
When prompted during OpenSSL installation, copy the OpenSSL DLLs to the OpenSSL binaries directory; for example, C:\OpenSSL-Win32\bin.
Note: Examples use the default installation directory
The following examples assume the default OpenSSL installation directory: C:\OpenSSL-Win32.
Creating the Internal Root CA Certificate
This section shows how to create a root CA private key, how to use this key to self-sign and generate an internal root CA certificate, and how to add X.509 v3 extensions to a certificate that restrict how the certificate can be used.
Creating a Root CA Private Key
To create a root CA private key in RSA format:
1. Open a command prompt (cmd) and navigate to the OpenSSL binaries directory (C:\OpenSSL-Win32\bin).
2. Type `openssl` and press Enter to launch OpenSSL.
Note: OpenSSL may need help finding the .cfg file
If you see this error:
WARNING: can’t open config file: /usr/local/ssl/openssl.cnf
you will need to set the OPENSSL_CONF variable before proceeding.
3. To create a 3072-bit root RSA key named rootCA.key, use one of the following commands:
* For an unsecured key, type:
```bash
genrsa -out rootCA.key 3072
```
* For a password-protected key, add the `-aes128` or `-aes256` argument:
```bash
genrsa -out rootCA.key 3072 -aes256
```
Password-protected keys require the password to be entered each time they are used.
Caution: Store your private root key in a safe location
Anyone with access to your private root key can use it to generate certificates that your PCoIP clients will accept.
Setting the OPENSSL_CONF variable
If OpenSSL is unable to find its configuration file, you may need to set the OPENSSL_CONF variable.
To set the OPENSSL_CONF variable:
1. Exit OpenSSL.
2. Type the following command:
```bat
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
```
3. Type `openssl` and press Enter to continue with the step you were performing when you saw the error.
Self-signing and Creating the Internal Root CA Certificate
Now that we have our private key, we will use it to generate a self-signed X.509 root CA certificate called rootCA.pem that is valid for 1095 days (1095 days is three years, ignoring leap days).
To create the root CA certificate:
1. Type the following command. This command creates a certificate that is valid for 3 years (1095 days). Customize the `-days` parameter to change the certificate lifetime:
```bash
req -x509 -new -nodes -key rootCA.key -days 1095 -out rootCA.pem
```
2. An interactive script will run, which prompts you to enter values for several fields. Follow the prompts to enter field values:
   - Country Name: Optional. Use one of the ISO 3166-1 alpha-2 country codes.
   - State or Province Name: Optional.
   - Locality Name: Optional.
   - Organization Name: Optional.
   - Common Name: Required. Enter a name for your root CA (for example, certificates.mycompany.com).
   - Email Address: Optional. Enter an administrative alias email if you use this field.
Note: Field values can be templatized
If you will be creating a lot of certificates, consider using a configuration file that contains global field values. See http://www.openssl.org/docs for more information.
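The root CA key and certificate steps above, scripted end to end as an added example (not the page's own commands): it takes the DN fields from a constructed configuration file, as the note suggests, and adds the X.509 v3 CA extensions that the section introduction mentions so the root can only sign certificates and CRLs. It assumes a POSIX shell with `openssl` on the PATH rather than the Windows OpenSSL prompt; the organization, e-mail and path values are placeholders.

```bash
#!/bin/sh
# Added example, not Teradici's code. Creates the internal root CA
# non-interactively. Run: make_root_ca ./ca certificates.mycompany.com
set -eu

# make_root_ca <outdir> <common-name>
# Writes rootCA.key (3072-bit RSA, unencrypted like the page's -nodes
# example) and rootCA.pem (self-signed, valid 1095 days) into <outdir>.
make_root_ca() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # Constructed config: the prompted DN fields as template values, plus
    # v3_ca extensions so the root is a CA restricted to signing use.
    cat > "$dir/ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
C            = US
O            = Example Company (placeholder)
CN           = $cn
emailAddress = certadmin@example.com

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    # Subshell umask: the private key file is created owner-readable only.
    (umask 077; openssl genrsa -out "$dir/rootCA.key" 3072 2>/dev/null)
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -days 1095 \
        -config "$dir/ca.cnf" -extensions v3_ca -out "$dir/rootCA.pem"
}

# check_root_ca <outdir> <common-name>
# Returns 0 only if rootCA.pem verifies against itself (self-signed),
# carries CA:TRUE, names the expected CN, and is currently valid.
check_root_ca() {
    dir="$1"; cn="$2"
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/rootCA.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/rootCA.pem" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$dir/rootCA.pem" -noout -subject | grep -q "$cn" || return 1
    openssl x509 -in "$dir/rootCA.pem" -noout -checkend 0 >/dev/null
}
```

Deploy rootCA.pem to the PCoIP clients as the trusted root; rootCA.key never leaves the signing host.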