Forum / NoMachine Cloud Server Products / ECS V8: Update nxd certificates
June 27, 2025 at 18:04 #53602
Steve92
Participant
Hi!
I need to update the nxd certificate on dozens of servers (ED, SBTS).
Each certificate has to be copied from remote servers to ECS to avoid authentication warnings.
How can I do that in a script after collecting all certificates of remote machines ?
Where on ECS do I have to copy certificates from these remote machines ?
Thanks,
Regards,
Steve.
June 30, 2025 at 16:47 #53631
Steve92
Participant
Hi!
Remote nodes are on VLAN administered by local admins.
They don’t have rights on ECS that has its own dedicated admin.
I’ve analyzed the subject and, if I understand correctly, we could use --keyadd to register the public keys of nxd of remote nodes in /var/NX/nx/.nx/config/authorized.crt on ECS.
* Local admin
Each local admin generates a new 4096-bit nxd certificate (nx_host_rsa_key) and its public key (nx_host_rsa_key.crt) for all nodes on his VLAN.
A prefix is added to each key:
cp /usr/NX/etc/keys/host/nx_host_rsa_key.crt <source_hostname>_nx_host_rsa_key.crt
All the keys are sent to ECS admin.
* ECS Admin
For each pub key received:
sudo /etc/NX/nxserver --keyadd <source_hostname>_nx_host_rsa_key.crt
=> this command updates /var/NX/nx/.nx/config/authorized.crt
Q1- Please, could you validate my understanding and this procedure ?
Q2- What about inverse mode connection if nxd certificate is changed on remote node ?
Thanks,
Regards,
Steve.
July 1, 2025 at 09:24 #53641
fisherman
Moderator
Hi,
If I understood your goal correctly, you’re looking to add a node to ECS without requiring password authentication. You can achieve this by following the steps below:
To add a node to ECS
#1. On the node
scp $ECS_IP:/usr/NX/etc/keys/host/node.localhost.id_rsa.pub ${ECS_IP}_node.localhost.id_rsa.pub
sudo /etc/NX/nxserver --keyadd ${ECS_IP}_node.localhost.id_rsa.pub
#2. On ECS
sudo /etc/NX/nxserver --nodeadd $NODE_IP --node-name $NODE_NAME
To perform the reverse (adding an inverse node to an ECS)
Follow the same procedure, but switch the roles:
– Run step #1 on the ECS
– Run step #2 on the node
Would you need help to make the script for this flow?
July 1, 2025 at 15:51 #53655
Steve92
Participant
Hi Fisherman,
Thanks for this quick answer but it is not exactly what I’d want.
Nodes are already added to ECS in “direct connection mode” or “inverse connection mode”.
For security reasons, keys have to be regenerated with 4096-bit instead of 2048-bit standard length.
One part of the subject is the keys for the nxd certificates of the nodes.
nxd certificates will be regenerated by local admin for all nodes of their VLAN (they don’t have admin rights on ECS).
The nx_host_rsa_key.crt files will be sent to ECS admin and then what does he have to do on ECS (or elsewhere)? (A script is needed to handle many .crt files.)
When I check the last modification date of /var/NX/nx/.nx/config/authorized.crt, it does not seem to be the right file (unchanged date).
/var/NX/nx/.nx/config/client.crt seems to be the right file to put .crt of certificate from nxd of nodes.
The .crt files will be sent to ECS admin and then what does he have to do on ECS (or elsewhere)?
In short, how to handle nxd certificate change on nodes when nodes are administrated by different admins than ECS admin ?
I hope it is more clear.
Thanks,
Regards,
Steve.
July 2, 2025 at 11:02 #53660
fisherman
Moderator
To replace node certificates, please follow this article:
https://kb.nomachine.com/DT07S00229#7
LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k /usr/NX/etc/keys/node.localhost.id_rsa -p /usr/NX/etc/keys/node.localhost.id_rsa.pub -t rsa -n 4096
And then, based on the direct or inverse node, do the same as mentioned in the previous post:
#1. On the node
scp $ECS_IP:/usr/NX/etc/keys/host/node.localhost.id_rsa.pub ${ECS_IP}_node.localhost.id_rsa.pub
sudo /etc/NX/nxserver --keyadd ${ECS_IP}_node.localhost.id_rsa.pub
#2. On ECS
sudo /etc/NX/nxserver --nodeedit $NODE_NAME
July 2, 2025 at 17:12 #53669
Steve92
Participant
Hi,
For the moment, my question is about the SSL certificate for nxd and not the RSA key pair.
I know the article you quote, but alas it is not precise about how to deal with a change of SSL certificate for nxd. 🙁
Hence my question : “In short, how to handle nxd certificate change on nodes when nodes are administrated by different admins than ECS admin ?”
Regards,
Steve.
July 8, 2025 at 14:14 #53695
Steve92
Participant
Hello,
Any help would be greatly appreciated ! 😉
Regards,
Steve.
July 21, 2025 at 16:29 #53812
fisherman
Moderator
Hi,
Apologies that I missed your response.
To clarify, there’s no need for the node administrators to manually copy or share SSL certificate files when the certificate for nxd is changed.
As you mentioned (or I understood), the nodes are managed by different administrators who will generate new certificates.
After the new certificate is generated on the node, ECS Admin, instead of managing certificates manually, will run the following command:
sudo /etc/NX/nxserver --nodeedit <NODE_NAME>
This command connects to the node, detects the SSL certificate mismatch, and prompts whether to accept the new certificate. Once confirmed, the certificate is automatically updated. There is no need to exchange or distribute cert files manually.
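
A check for the scenario discussed in this thread, added here as an example that is not part of any post and is not NoMachine code: it confirms that each collected `<source_hostname>_nx_host_rsa_key.crt` file is an RSA certificate of at least 4096 bits and prints its SHA-256 fingerprint, so the ECS admin has a reference on record before accepting a changed certificate. The function names `audit_one` and `audit_dir` are hypothetical, and the script assumes PEM-encoded files and the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not NoMachine code): audit nxd certificate files before the
# ECS admin accepts changed node certificates.
# Assumptions: PEM X.509 files named <source_hostname>_nx_host_rsa_key.crt
# (the naming used in the thread) and the openssl CLI on the PATH.
# audit_one / audit_dir are hypothetical helper names.

# Check one file; prints "<host> OK ..." or "<host> REJECT <reason>".
audit_one() (
    f=$1; min_bits=$2
    host=$(basename "$f" _nx_host_rsa_key.crt)
    if ! text=$(openssl x509 -in "$f" -noout -text 2>/dev/null); then
        echo "$host REJECT not-a-valid-x509-certificate"; return 1
    fi
    if ! printf '%s\n' "$text" | grep 'Public Key Algorithm: rsaEncryption' >/dev/null; then
        echo "$host REJECT not-an-rsa-key"; return 1
    fi
    # openssl prints the key size as "Public-Key: (4096 bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "$host REJECT rsa-${bits:-unknown}-bits"; return 1
    fi
    # SHA-256 fingerprint of the whole certificate, for out-of-band comparison.
    fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
    echo "$host OK rsa-$bits sha256=$fp"
)

# Check every collected file in a directory; non-zero if any file is rejected.
audit_dir() (
    dir=$1; min_bits=${2:-4096}; rc=0
    for f in "$dir"/*_nx_host_rsa_key.crt; do
        [ -e "$f" ] || { echo "no certificate files in $dir" >&2; return 2; }
        audit_one "$f" "$min_bits" || rc=1
    done
    return "$rc"
)

# Usage: sh audit_nxd_certs.sh /path/to/collected_certs [min_bits]
if [ "$#" -gt 0 ]; then audit_dir "$@"; fi
```

The thread does not say whether the `--nodeedit` prompt displays a fingerprint, so the recorded values serve as an out-of-band reference from the node admins.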