SSL/TLS Security

Trusted Server Certificates

For production deployments we recommend replacing the self-signed server certificates with server certificates issued by a trusted Certificate Authority (CA).

To set up trusted server certificates on PrivX servers:

  1. Obtain the Certificate-Signing Request (CSR), located in your PrivX server at

    /etc/nginx/ssl/nginx.csr

    Enroll this CSR with your CA. In response, the CA should provide you with the following:

    • The server certificate.

    • The CA-certificate chain of the CA itself.

    Note

    To certificate-signing authorities: The PrivX CSR contains subjectAltName definitions for DNS and IP addresses. These are critical to PrivX operation and must be preserved in the signed server certificate.

  2. Copy the PEM (Base64) encoded server-certificate file to the ssl_certificate location on the PrivX instance. By default, the location is:

    /etc/nginx/ssl/nginx.crt

    Ensure that the server-certificate file has correct ownership, permissions, and SELinux context:

    # chown root:nginx /etc/nginx/ssl/nginx.crt
    # chmod 0640 /etc/nginx/ssl/nginx.crt
    # restorecon /etc/nginx/ssl/nginx.crt
    
  3. Update the trust anchor for PrivX microservices. To do this, run the following command (replace /path/to/ca_chain.crt with the path to the CA-certificate-chain file):

    # /opt/privx/scripts/init_nginx.sh update-trust /path/to/ca_chain.crt

    Note

    In single-server deployments, provide the CA chain of the PrivX-server certificate. In HA deployments, provide the CA chain of the load-balancer certificate.

    init_nginx.sh requires PEM-encoded certificate files to have Unix line endings. If the command fails, ensure correct line endings in the CA-certificate-chain file, then rerun the command.

  4. Finally, restart the Nginx and PrivX services to start using the new server certificate. Run the following as root:

    systemctl restart nginx
    systemctl restart privx
    
  5. PrivX components (Extenders, Carriers, and Web Proxies) must be configured to trust the new PrivX-server certificate. You can do this by redeploying the components.
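As an added example (not from the PrivX documentation or product), the following POSIX shell script checks the files produced in steps 1 to 3 before you restart the services: it confirms that the CA preserved the subjectAltName entries from the CSR, that the signed certificate verifies against the CA chain, that both PEM files use Unix line endings, and that nginx.crt has the ownership and mode set above. The ca_chain.crt path, and the availability of openssl and GNU stat on the host, are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a CA-signed PrivX server certificate (added example,
# not part of PrivX). Paths are the PrivX defaults from the procedure; the
# CA chain path is passed in by the caller. Assumes openssl and GNU stat.

# Extract subjectAltName entries from `openssl ... -text` output on stdin,
# one per line, sorted. Pure text parsing, so it can be tested offline.
parse_sans() {
  awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort
}

# $1: "req" (for a CSR) or "x509" (for a certificate), $2: PEM file
san_entries() { openssl "$1" -in "$2" -noout -text | parse_sans; }

# Succeed only if the file has no carriage returns (init_nginx.sh needs LF).
has_unix_line_endings() { ! LC_ALL=C grep -q "$(printf '\r')" "$1"; }

# Succeed only if every SAN in the CSR ($1) is present in the certificate ($2).
sans_preserved() {
  crt_sans=$(san_entries x509 "$2")
  san_entries req "$1" | while IFS= read -r san; do
    printf '%s\n' "$crt_sans" | grep -qxF -- "$san" \
      || { echo "SAN dropped by the CA: $san" >&2; exit 1; }
  done
}

# Succeed only if the file ($1) is owned by root:nginx with mode 0640.
has_expected_perms() { [ "$(stat -c '%U:%G %a' "$1")" = "root:nginx 640" ]; }

# Usage: preflight /etc/nginx/ssl/nginx.csr /etc/nginx/ssl/nginx.crt /path/to/ca_chain.crt
preflight() {
  csr=$1; crt=$2; chain=$3; rc=0
  has_unix_line_endings "$crt"   || { echo "CRLF line endings in $crt" >&2; rc=1; }
  has_unix_line_endings "$chain" || { echo "CRLF line endings in $chain" >&2; rc=1; }
  sans_preserved "$csr" "$crt"   || rc=1
  openssl verify -CAfile "$chain" "$crt" >/dev/null \
    || { echo "$crt does not verify against $chain" >&2; rc=1; }
  has_expected_perms "$crt"      || { echo "expected root:nginx 0640 on $crt" >&2; rc=1; }
  return $rc
}

# Run the checks only when all three paths are given on the command line.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A non-zero exit with a message on stderr means one of the prerequisites for step 4 is not met.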

Trusted CA for Access Certificates

PrivX Authorizer issues access certificates using its own CA, which is self-signed by default. For production deployments we recommend replacing the Authorizer CA with one signed by a trusted certificate authority, as described in PrivX CA as Sub CA in CA Hierarchy.

Allowed SSL Protocols and Ciphers for GUI Connections

Connections to the PrivX GUI are secured using TLS. The allowed SSL protocols and SSL ciphers may be adjusted if some browsers cannot establish connections to the PrivX GUI, or if you want to harden the PrivX instance.

The allowed SSL protocols and SSL ciphers are defined in the Nginx configuration file /etc/nginx/conf.d/privx.conf, by the parameters ssl_protocols and ssl_ciphers respectively, similarly to the following:

...
http {
    sendfile on;
    server_tokens off;

    ssl_protocols  TLSv1.2;
    ssl_ciphers 'AESGCM+EECDH:AESGCM+EDH:AES+EECDH: ... ';

    tcp_nodelay on;
...

After any adjustments to Nginx settings, restart the Nginx web server to apply the changes:

# systemctl restart nginx

For enabling TLS 1.3 support for the PrivX frontend, see Enabling TLS 1.3.
