SSL/TLS Security
Trusted Server Certificates
For production deployments we recommend replacing the self-signed server certificates with server certificates issued by a trusted Certificate Authority (CA).
To set up trusted server certificates on PrivX servers:
-
Obtain the Certificate-Signing Request (CSR), located in your PrivX server at
/etc/nginx/ssl/nginx.csr
Enroll this CSR with your CA. In response, the CA should provide you with the following:
-
The server certificate.
-
The CA-certificate chain of the CA itself.
Note
To certificate-signing authorities: The PrivX CSR contains subjectAltName definitions for DNS and IP addresses. These are critical to PrivX operation and must be preserved in the signed server certificate.
-
-
Copy the PEM (Base64) encoded server-certificate file to the ssl_certificate location on the PrivX instance. By default, the location is:
/etc/nginx/ssl/nginx.crt
Ensure that the server-certificate file has correct ownership, permissions, and SELinux context:
# chown root:nginx /etc/nginx/ssl/nginx.crt # chmod 0640 /etc/nginx/ssl/nginx.crt # restorecon /etc/nginx/ssl/nginx.crt
-
Update the trust anchor for PrivX microservices. To do this, run the following command (replace /path/to/ca_chain.crt with the path to the CA-certificate-chain file):
# /opt/privx/scripts/init_nginx.sh update-trust /path/to/ca_chain.crt
Note
In single-server deployments, provide the CA chain of the PrivX-server certificate. In HA deployments, provide the CA chain of the load-balancer certificate.
init_nginx.sh
requires PEM-encoded certificate files to have Unix line endings. If the command fails, ensure correct line endings in the CA-certificate-chain file, then rerun the command. -
Finally, restart the Nginx and PrivX services to start using the new server certificate. Run the following as
root
:systemctl restart nginx systemctl restart privx
-
PrivX components (Extenders, Carriers, and Web Proxies) must be configured to trust the new PrivX-server certificate. You can do this by redeploying the components.
Trusted CA for Access Certificates
PrivX Authorizer issues access certificates using its own CA, which is self-signed by default. For production deployments we recommend replacing the Authorizer CA with one signed by a trusted certificate authority, as described in PrivX CA as Sub CA in CA Hierarchy.
Allowed SSL Protocols and Ciphers for GUI Connections
Connections to the PrivX GUI are secured using TLS. The allowed SSL protocols and SSL ciphers may be adjusted if some browsers cannot establish connections to the PrivX GUI, or if you want to harden the PrivX instance.
The allowed SSL protocols and SSL ciphers are defined in the Nginx configuration file /etc/nginx/conf.d/privx.conf
, by the parameters ssl_protocols
and ssl_ciphers
respectively, similarly to the following:
...
http {
sendfile on;
server_tokens off;
ssl_protocols TLSv1.2;
ssl_ciphers 'AESGCM+EECDH:AESGCM+EDH:AES+EECDH: ... ';
tcp_nodelay on;
...
After any adjustments to Nginx settings, restart the Nginx web server to apply the changes:
# systemctl restart nginx
For enabling TLS 1.3 support for PrivX frontend, see Enabling TLS 1.3
Updated almost 3 years ago