SSL/TLS Security
Trusted Server Certificates
For production deployments we recommend replacing the self-signed server certificates with server certificates issued by a trusted Certificate Authority (CA).
To set up trusted server certificates on PrivX servers:
- Obtain the Certificate-Signing Request (CSR), located on your PrivX server at:
  /etc/nginx/ssl/nginx.csr
  Enroll this CSR with your CA. In response, the CA should provide you with the following:
  - The server certificate.
  - The CA-certificate chain of the CA itself.
  Note
  To certificate-signing authorities: The PrivX CSR contains subjectAltName definitions for DNS and IP addresses. These are critical to PrivX operation and must be preserved in the signed server certificate.
- Copy the PEM (Base64) encoded server-certificate file to the ssl_certificate location on the PrivX instance. By default, the location is:
  /etc/nginx/ssl/nginx.crt
  Ensure that the server-certificate file has correct ownership, permissions, and SELinux context:
  # chown root:nginx /etc/nginx/ssl/nginx.crt
  # chmod 0640 /etc/nginx/ssl/nginx.crt
  # restorecon /etc/nginx/ssl/nginx.crt
- Update the trust anchor for PrivX microservices. To do this, run the following command (replace /path/to/ca_chain.crt with the path to the CA-certificate-chain file):
  # /opt/privx/scripts/init_nginx.sh update-trust /path/to/ca_chain.crt
  Note
  In single-server deployments, provide the CA chain of the PrivX-server certificate. In HA deployments, provide the CA chain of the load-balancer certificate.
  init_nginx.sh requires PEM-encoded certificate files to have Unix line endings. If the command fails, ensure correct line endings in the CA-certificate-chain file, then rerun the command.
- Finally, restart the Nginx and PrivX services to start using the new server certificate:
  # systemctl restart nginx
  # systemctl restart privx
Trusted CA for Access Certificates
PrivX Authorizer issues access certificates using its own CA, which is self-signed by default. For production deployments we recommend replacing the Authorizer CA with one signed by a trusted certificate authority.
Note
The following procedures use <key_id> and <cert_id> as placeholders for the PrivX-CA-key ID and the Authorizer-certificate ID respectively. Be careful not to mix them up.
To set up PrivX Authorizer with a trusted CA certificate:
- Gain root-terminal access to a PrivX server, and display the PrivX-CA-key ID by running:
  # /opt/privx/bin/keyvault-tool -name "PrivX CA Key" list-asymmetric
- Generate a Certificate-Signing Request (CSR) for the CA private key (replace <key_id> with the PrivX-CA-key ID):
  # /opt/privx/bin/cert-tool -command create -type authorizer-ca \
      -subject "OU=PrivX Authorizer CA/CN=PrivX CA" \
      -key <key_id> -csr -csrout privx-im-ca.csr
  This writes the CSR to the file privx-im-ca.csr in your current working directory.
- Request a trusted CA to sign the CSR with the following constraints:
  - keyUsage must include: Digital Signature, Key Agreement, Certificate Sign, CRL Sign
  - basicConstraints must be: CA:TRUE, pathlen:0
  After the trusted CA provides you with the signed certificate, you may verify its constraints with (replace privx-im-ca.crt with the path to the signed certificate):
  $ openssl x509 -text -noout -in privx-im-ca.crt
- Replace the Authorizer certificate. First, obtain the ID of the current Authorizer certificate:
  # /opt/privx/bin/cert-tool -command list -type authorizer-ca
  Then delete the current Authorizer certificate (replace <cert_id> with the Authorizer-certificate ID):
  # /opt/privx/bin/cert-tool -command delete -id <cert_id>
  Finally, import the signed certificate (replace <key_id> with the PrivX-CA-key ID, and privx-im-ca.crt with the path to the signed certificate):
  # /opt/privx/bin/cert-tool -command import -type authorizer-ca \
      -key <key_id> -in privx-im-ca.crt
- On all PrivX servers, restart the PrivX services to apply the changes:
  # systemctl restart privx
Subsequent certificates issued by PrivX are signed using the new trusted Authorizer CA certificate.
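The checks that the two procedures above leave to the operator, that the CA preserved the subjectAltName entries of the server CSR, that the signed Authorizer CA certificate carries the required keyUsage and basicConstraints, and that PEM files have the Unix line endings init_nginx.sh needs, as an added shell example that is not part of the PrivX documentation. The functions parse the text output of openssl x509 / openssl req -text -noout; the sample certificate text and the *_file wrapper names are constructed here, and the wrappers assume openssl is installed on the host.

```shell
#!/bin/sh
# Added example, not from the PrivX docs: checks for the certificates handled in the procedures above.
# Parsing works on "openssl x509 -text -noout" / "openssl req -text -noout" output; *_file wrappers assume openssl.

# Print the value line after an "X509v3 <name>:" extension header (empty if the extension is absent).
ext_value() {
    printf '%s\n' "$1" | awk -v hdr="X509v3 $2:" \
        'found { sub(/^[ \t]+/, ""); print; exit } index($0, hdr) { found = 1 }'
}
# Authorizer CA certificate: required keyUsage bits and basicConstraints CA:TRUE, pathlen:0.
check_ca_cert_text() {
    rc=0
    ku=$(ext_value "$1" "Key Usage")
    for need in "Digital Signature" "Key Agreement" "Certificate Sign" "CRL Sign"; do
        case "$ku" in *"$need"*) ;; *) echo "keyUsage lacks: $need" >&2; rc=1 ;; esac
    done
    bc=$(ext_value "$1" "Basic Constraints")
    case "$bc" in
        *CA:TRUE*pathlen:0) ;;
        *) echo "basicConstraints must be CA:TRUE, pathlen:0 (got '$bc')" >&2; rc=1 ;;
    esac
    return $rc
}
# Server certificate: every subjectAltName entry in the CSR text must survive in the signed cert text.
san_preserved() {
    csr_san=$(ext_value "$1" "Subject Alternative Name")
    crt_san=$(ext_value "$2" "Subject Alternative Name")
    rc=0; old_ifs=$IFS; IFS=','
    for entry in $csr_san; do
        entry=${entry# }
        case ", $crt_san," in *", $entry,"*) ;; *) echo "SAN dropped: $entry" >&2; rc=1 ;; esac
    done
    IFS=$old_ifs
    return $rc
}
# init_nginx.sh needs LF line endings in PEM files: succeed only if the file contains no CR bytes.
has_unix_line_endings() { [ -z "$(tr -cd '\r' < "$1")" ]; }
# Wrappers as typed on the PrivX host (hypothetical names; openssl assumed installed).
check_ca_cert_file() { check_ca_cert_text "$(openssl x509 -text -noout -in "$1")"; }
san_preserved_files() {
    san_preserved "$(openssl req -text -noout -in "$1")" "$(openssl x509 -text -noout -in "$2")"
}

# Constructed sample of the relevant openssl text output (not a real PrivX certificate).
SAMPLE_CA_TEXT='            X509v3 Key Usage: critical
                Digital Signature, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0'
```

Run check_ca_cert_file privx-im-ca.crt before importing the Authorizer certificate, and san_preserved_files /etc/nginx/ssl/nginx.csr nginx.crt before copying the server certificate into place.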
Allowed SSL Protocols and Ciphers for GUI Connections
Connections to the PrivX GUI are secured using TLS. The allowed SSL protocols and SSL ciphers may be adjusted if some browsers cannot establish connections to the PrivX GUI, or if you want to harden the PrivX instance.
The allowed SSL protocols and SSL ciphers are defined in the Nginx configuration file /etc/nginx/conf.d/privx.conf, by the parameters ssl_protocols and ssl_ciphers respectively, similarly to the following:
...
http {
    sendfile on;
    server_tokens off;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'AESGCM+EECDH:AESGCM+EDH:AES+EECDH: ... ';
    tcp_nodelay on;
...
After any adjustments to Nginx settings, restart the Nginx web server to apply the changes:
# systemctl restart nginx
To enable TLS 1.3 support for the PrivX frontend, see Enabling TLS 1.3.
Updated over 3 years ago