These docs are for PrivX v16; a newer version of this documentation (v33) exists.

SSL/TLS Security

Trusted Server Certificates

For production deployments we recommend replacing the self-signed server certificates with server certificates issued by a trusted Certificate Authority (CA).

To set up trusted server certificates on PrivX servers:

  1. Obtain the Certificate-Signing Request (CSR), which PrivX has generated on your PrivX server at

    /etc/nginx/ssl/nginx.csr

    Enroll this CSR with your CA. In response, the CA should provide you with the following:

    • The server certificate.

    • The CA-certificate chain of the CA itself.

    Note: To certificate-signing authorities: The PrivX CSR contains subjectAltName definitions for DNS and IP addresses. These are critical to PrivX operation and must be preserved in the signed server certificate.

  2. Copy the PEM (Base64) encoded server-certificate file to the ssl_certificate location on the PrivX instance. Before copying, confirm that the certificate was issued for the PrivX CSR (the private key PrivX generated for that CSR stays on the server, so a certificate for any other key will not work) and that its subjectAltName entries survived signing. By default, the location is:

    /etc/nginx/ssl/nginx.crt

    Ensure that the server-certificate file has correct ownership, permissions, and SELinux context:

    # chown root:nginx /etc/nginx/ssl/nginx.crt
    # chmod 0640 /etc/nginx/ssl/nginx.crt
    # restorecon /etc/nginx/ssl/nginx.crt
    
  3. Update the trust anchor for PrivX microservices. To do this, run the following command (replace /path/to/ca_chain.crt with the path to the CA-certificate-chain file):

    # /opt/privx/scripts/init_nginx.sh update-trust /path/to/ca_chain.crt
    

    Note: In single-server deployments, provide the CA chain of the PrivX-server certificate. In HA deployments, provide the CA chain of the load-balancer certificate.

    init_nginx.sh requires PEM-encoded certificate files to have Unix line endings (LF, not the CRLF that Windows tooling often produces). If the command fails, ensure correct line endings in the CA-certificate-chain file, then rerun the command.

  4. Finally, restart the Nginx and PrivX services to start using the new server certificate:

    # systemctl restart nginx
    # systemctl restart privx
    

Trusted CA for Access Certificates

PrivX Authorizer issues access certificates using its own CA, which is self-signed by default. For production deployments we recommend replacing the Authorizer CA with one signed by a trusted certificate authority.

Note: The following procedures use <key_id> and <cert_id> as placeholders for the PrivX-CA-key ID and the Authorizer-certificate ID respectively. Be careful not to mix them up.

To set up PrivX Authorizer with a trusted CA certificate:

  1. Gain root-terminal access to a PrivX server, and display the PrivX-CA-key ID by running:

    # /opt/privx/bin/keyvault-tool -name "PrivX CA Key" list-asymmetric
    
  2. Generate a Certificate-Signing Request (CSR) for the CA private key (replace <key_id> with the PrivX-CA-key ID):

    # /opt/privx/bin/cert-tool -command create -type authorizer-ca \
    -subject "OU=PrivX Authorizer CA/CN=PrivX CA" \
    -key <key_id> -csr -csrout privx-im-ca.csr
    

    This writes the CSR to the file privx-im-ca.csr in your current working directory.

  3. Request a trusted CA to sign the CSR with the following constraints:

    • keyUsage must include: Digital Signature, Key Agreement, Certificate Sign, CRL Sign

    • basicConstraints must be: CA:TRUE, pathlen:0

    After the trusted CA provides you with the signed certificate, you may verify its constraints with (replace privx-im-ca.crt with the path to the signed certificate):

    $ openssl x509 -text -noout -in privx-im-ca.crt
    
  4. Replace the Authorizer certificate. First, obtain the ID of the current Authorizer certificate:

    # /opt/privx/bin/cert-tool -command list -type authorizer-ca
    

    Then delete the current Authorizer certificate (replace <cert_id> with the Authorizer-certificate ID):

    # /opt/privx/bin/cert-tool -command delete -id <cert_id>
    

    Finally, import the signed certificate (replace <key_id> with the PrivX-CA-key ID, replace privx-im-ca.crt with the path to the signed certificate):

    # /opt/privx/bin/cert-tool -command import -type authorizer-ca \
    -key <key_id> -in privx-im-ca.crt
    
  5. On all PrivX servers, restart the PrivX services to apply the changes:

    # systemctl restart privx
    

    Subsequent certificates issued by PrivX are signed using the new trusted Authorizer CA certificate. The CA key pair itself is unchanged by this procedure (the same <key_id> is used for the CSR and for the import); only the certificate presenting that key is replaced.
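The following shell script is an added example written for this page; it is not part of PrivX or of its init_nginx.sh and cert-tool utilities. Using only the openssl command line, it performs the checks a practitioner wants before installing either certificate described above: for the server certificate from the Trusted Server Certificates section, that it was issued for the PrivX-generated CSR (same public key), that the subjectAltName entries the note warns about survived signing, that the CA-chain file handed to init_nginx.sh update-trust has Unix line endings, and that the certificate verifies against that chain; for the Authorizer CA certificate from step 3, that keyUsage and basicConstraints carry exactly the values listed. The demo PKI it builds (a root CA, a server CSR, an Authorizer-CA CSR, the names privx.example.com and 192.0.2.10) is constructed data so the script runs on any host without a PrivX server; the /etc/nginx/ssl paths are the page's defaults and appear only in comments.

```shell
# Added example for this page, not PrivX tooling. Pre-flight checks with the
# openssl CLI, run here against a constructed demo PKI. On a real server pass
# the real files, e.g. /etc/nginx/ssl/nginx.crt and /etc/nginx/ssl/nginx.csr.

# True only if the file contains no CR bytes (init_nginx.sh wants Unix endings).
has_unix_line_endings() {  # file
    [ "$(tr -d '\r' < "$1" | wc -c)" -eq "$(wc -c < "$1")" ]
}

# The issued certificate must wrap the public key from the CSR PrivX generated;
# otherwise it does not belong to the private key already on the server.
cert_matches_csr() {  # cert csr
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl req -in "$2" -pubkey -noout)" ]
}

# subjectAltName entries, one per line, as printed by 'openssl x509/req -text'.
sans_of() {  # x509|req file
    openssl "$1" -in "$2" -text -noout | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr -d ' ' | tr ',' '\n'
}

# Server certificate: key matches the CSR, no SAN dropped, chain file clean and
# the certificate verifies against it (the file given to update-trust).
check_server_cert() {  # cert csr ca_chain
    cert_matches_csr "$1" "$2" || { echo "public key differs from the CSR"; return 1; }
    csr_sans=$(sans_of req "$2"); cert_sans=$(sans_of x509 "$1")
    [ -n "$csr_sans" ] || { echo "CSR carries no subjectAltName"; return 1; }
    for san in $csr_sans; do
        if ! echo "$cert_sans" | grep -qxF "$san"; then
            echo "SAN $san was dropped by the CA"; return 1
        fi
    done
    has_unix_line_endings "$3" || { echo "CA chain file has CRLF line endings"; return 1; }
    openssl verify -CAfile "$3" "$1" > /dev/null 2>&1 \
        || { echo "certificate does not verify against the CA chain"; return 1; }
}

# Authorizer CA certificate: key matches the CSR plus the constraints of step 3.
check_authorizer_ca_cert() {  # cert csr
    cert_matches_csr "$1" "$2" || { echo "public key differs from the CSR"; return 1; }
    text=$(openssl x509 -in "$1" -text -noout)
    ku=$(echo "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    for want in "Digital Signature" "Key Agreement" "Certificate Sign" "CRL Sign"; do
        if ! echo "$ku" | grep -q "$want"; then echo "keyUsage lacks $want"; return 1; fi
    done
    bc=$(echo "$text" | grep -A1 'X509v3 Basic Constraints' | tail -n 1)
    echo "$bc" | grep -q 'CA:TRUE'   || { echo "basicConstraints is not CA:TRUE"; return 1; }
    echo "$bc" | grep -q 'pathlen:0' || { echo "basicConstraints lacks pathlen:0"; return 1; }
}

# Constructed demo PKI (not real PrivX material): root CA, a server CSR with
# SANs signed once correctly and once with the SANs dropped, and an
# Authorizer-CA CSR signed with the required constraints.
sign_with_demo_ca() {  # dir csr_name out_name [extra 'openssl x509' options]
    d=$1; src=$2; out=$3; shift 3
    openssl x509 -req -in "$d/$src.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/$out.crt" "$@" 2> /dev/null
}
make_demo_pki() {  # dir
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[san]
subjectAltName = DNS:privx.example.com, IP:192.0.2.10
[authca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyAgreement, keyCertSign, cRLSign
EOF
    for k in ca srv auth; do openssl ecparam -name prime256v1 -genkey -noout -out "$d/$k.key"; done
    openssl req -x509 -new -key "$d/ca.key" -config "$d/demo.cnf" -extensions root \
        -subj "/CN=Demo Root CA" -days 1 -out "$d/ca.crt"
    openssl req -new -key "$d/srv.key" -config "$d/demo.cnf" -reqexts san \
        -subj "/CN=privx.example.com" -out "$d/srv.csr"
    openssl req -new -key "$d/auth.key" -config "$d/demo.cnf" \
        -subj "/OU=PrivX Authorizer CA/CN=PrivX CA" -out "$d/auth.csr"
    sign_with_demo_ca "$d" srv srv -extfile "$d/demo.cnf" -extensions san
    sign_with_demo_ca "$d" srv srv-nosan
    sign_with_demo_ca "$d" auth auth -extfile "$d/demo.cnf" -extensions authca
}

# Demo run on the constructed PKI.
WORK=$(mktemp -d)
make_demo_pki "$WORK"
check_server_cert "$WORK/srv.crt" "$WORK/srv.csr" "$WORK/ca.crt" && echo "server cert: OK"
check_server_cert "$WORK/srv-nosan.crt" "$WORK/srv.csr" "$WORK/ca.crt" || echo "server cert without SANs: rejected"
check_authorizer_ca_cert "$WORK/auth.crt" "$WORK/auth.csr" && echo "Authorizer CA cert: OK"
```

On a PrivX server, run check_server_cert with nginx.crt, nginx.csr and the CA-chain file before the chown/chmod/restorecon step, and check_authorizer_ca_cert with the signed privx-im-ca.crt and the CSR from step 2 before deleting the current Authorizer certificate. The line-ending check runs before openssl verify on purpose: a CRLF chain file is exactly the failure the update-trust note describes, and openssl would otherwise parse it and hide the problem.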

Allowed SSL Protocols and Ciphers for GUI Connections

Connections to the PrivX GUI are secured using TLS. The allowed SSL protocols and SSL ciphers may be adjusted if some browsers cannot establish connections to the PrivX GUI, or if you want to harden the PrivX instance. Re-enabling older protocol versions or cipher suites for the sake of a legacy browser weakens the front end for every client; prefer updating the browser.

The allowed SSL protocols and SSL ciphers are defined in the Nginx configuration file /etc/nginx/conf.d/privx.conf, by the parameters ssl_protocols and ssl_ciphers respectively, similarly to the following:

...
http {
    sendfile on;
    server_tokens off;

    ssl_protocols  TLSv1.2;
    ssl_ciphers 'AESGCM+EECDH:AESGCM+EDH:AES+EECDH: ... ';

    tcp_nodelay on;
...

After any adjustments to Nginx settings, restart the Nginx web server to apply the changes:

# systemctl restart nginx
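The script below is an added example, not PrivX code: a small shell audit of the two directives, run offline against constructed privx.conf-style fragments, plus a probe to run against the live listener once Nginx has been restarted. The protocol check compares whole tokens so that TLSv1 is not mistaken for a prefix of TLSv1.2; the cipher check expands the ssl_ciphers string with the local openssl (the library Nginx links against), so which suites it can flag depends on what that build still contains. The file names hardened.conf and loosened.conf, the cipher strings in them and the host name in the usage comment are made up for the demo.

```shell
# Added example for this page, not PrivX code. Audit the ssl_protocols and
# ssl_ciphers directives of an nginx config (e.g. /etc/nginx/conf.d/privx.conf)
# offline, then probe the live listener after 'systemctl restart nginx'.

# Protocol tokens nginx accepts that a hardened front end should not list.
LEGACY_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1"

# Argument string of the first ssl_protocols directive, tokens separated by spaces.
ssl_protocols_of() {  # config_file
    tr '\n' ' ' < "$1" | grep -o 'ssl_protocols[^;]*;' | head -n 1 \
        | sed 's/^ssl_protocols//; s/;$//'
}

# Succeed only if the directive is present and names no legacy protocol.
audit_ssl_protocols() {  # config_file
    protos=$(ssl_protocols_of "$1")
    [ -n "$protos" ] || { echo "no ssl_protocols directive, nginx defaults would apply"; return 1; }
    for p in $protos; do
        for bad in $LEGACY_PROTOCOLS; do
            # exact token match: "TLSv1" must not match "TLSv1.2"
            if [ "$p" = "$bad" ]; then echo "legacy protocol enabled: $p"; return 1; fi
        done
    done
    return 0
}

# Expand the (single-quoted) ssl_ciphers string with the local OpenSSL, fail if
# OpenSSL rejects it or if it selects suites that must not reach production,
# and print the effective suite list on success.
audit_ssl_ciphers() {  # config_file
    spec=$(tr '\n' ' ' < "$1" | grep -o "ssl_ciphers *'[^']*'" | head -n 1 \
        | sed 's/^ssl_ciphers *//' | tr -d "'")
    [ -n "$spec" ] || { echo "no ssl_ciphers directive"; return 1; }
    suites=$(openssl ciphers "$spec" 2> /dev/null) \
        || { echo "OpenSSL rejects cipher string: $spec"; return 1; }
    weak=$(echo "$suites" | tr ':' '\n' | grep -E 'NULL|RC4|DES|MD5|EXPORT|ADH|AECDH' || true)
    [ -z "$weak" ] || { echo "weak suites selected:"; echo "$weak"; return 1; }
    echo "$suites" | tr ':' '\n'
}

# Live check: legacy versions must be refused, TLS 1.2 must complete. An
# openssl built without TLS 1.0/1.1 cannot even attempt those handshakes, which
# this function also counts as "refused"; use it from a host that still can.
probe_tls_versions() {  # host port
    for flag in -tls1 -tls1_1; do
        if openssl s_client -connect "$1:$2" "$flag" < /dev/null > /dev/null 2>&1; then
            echo "$1:$2 still accepts $flag"; return 1
        fi
    done
    openssl s_client -connect "$1:$2" -tls1_2 < /dev/null > /dev/null 2>&1 \
        || { echo "$1:$2 does not complete a TLS 1.2 handshake"; return 1; }
    echo "$1:$2 refuses TLS 1.0/1.1 and accepts TLS 1.2"
}

# Constructed fragments: one mirroring the hardened excerpt, one loosened
# "so that some browsers can connect".
write_demo_configs() {  # dir
    cat > "$1/hardened.conf" <<'EOF'
http {
    ssl_protocols  TLSv1.2;
    ssl_ciphers 'AESGCM+EECDH:AESGCM+EDH';
}
EOF
    cat > "$1/loosened.conf" <<'EOF'
http {
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AESGCM+EECDH:AESGCM+EDH';
}
EOF
}

# Demo run on the constructed fragments. Against a real host you would add:
#   probe_tls_versions privx.example.com 443
WORK=$(mktemp -d)
write_demo_configs "$WORK"
audit_ssl_protocols "$WORK/hardened.conf" && audit_ssl_ciphers "$WORK/hardened.conf" > /dev/null \
    && echo "hardened.conf: OK"
audit_ssl_protocols "$WORK/loosened.conf" || echo "loosened.conf: rejected"
```

Run the two audit functions against privx.conf before restarting Nginx, and probe_tls_versions against the GUI address afterwards; the probe is the only step that confirms what the listener actually negotiates.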

To enable TLS 1.3 support for the PrivX front end, see Enabling TLS 1.3.