“X.509” is the standard certificate format used for websites (HTTPS), and TigerVNC can use the same kind of certificate to secure VNC connections.
Certificates provide two important security functions: the connection is encrypted, so nobody on the network can read the session, and the client can verify that it is talking to the real server rather than to an impostor in the middle.
When it comes to obtaining a certificate, you have two options: use an external Certificate Authority (CA) if you own a domain name, or create a self-signed certificate.
External Certificate Authorities issue certificates for public domain names but not for local network IP addresses. As a result you need to own a domain name (like example.com). The basic setup would be something like the following:
1. Own example.com.
2. Rename your local network to something like local.example.com.
3. Give the computer running the TigerVNC server a name in that zone, for example computer1.local.example.com.
4. Assuming computer1 is not reachable from the public internet, you need to use a DNS-01 challenge to prove ownership of the name and obtain a certificate for computer1.local.example.com. (If you are using Let’s Encrypt, see https://letsencrypt.org/docs/challenge-types/#dns-01-challenge.)
Note: publicly trusted Certificate Authorities log every certificate they issue to public Certificate Transparency logs, so every host name you put in a certificate becomes public. Don’t name your computers after any secret company projects.
Once you have obtained your certificate, see “Use the certificate with TigerVNC” below.
If you do not own a domain name, or prefer not to use an external Certificate Authority, you can create a self-signed certificate. Nothing vouches for a self-signed certificate except you, so you will have to copy it to each client and check it there yourself; until that is done the connection is encrypted but not protected against an impostor server.
Creating a certificate differs a little depending on whether you are on Windows or Linux. Jump to the heading that matches your system.
Unfortunately TigerVNC doesn’t understand Windows-style certificates saved in the Windows certificate store or in files with the .pfx extension. However, you can download OpenSSL for Windows to do the job.
On the computer with the TigerVNC server, open the interactive OpenSSL prompt (run openssl.exe with no arguments; that prompt is why the command below has no leading openssl) and enter the following, with -config pointing at the openssl.cnf shipped with your OpenSSL install and 192.168.1.5 replaced by the server’s own address:
```
req -x509 -newkey rsa -days 365 -nodes -config openssl.cnf -keyout vnc-server-private.pem -out vnc-server.pem -subj '/CN=192.168.1.5' -addext "subjectAltName=IP:192.168.1.5"
```
Install OpenSSL if it is not already present. On Fedora/RHEL-style systems:
```
sudo yum install openssl
```
On Debian/Ubuntu-style systems:
```
sudo apt-get install openssl
```
Then, on the computer with the TigerVNC server, run the following with 192.168.1.5 replaced by the server’s own IP address (if clients connect by host name, put DNS:thatname in the subjectAltName instead; -addext needs OpenSSL 1.1.1 or newer):
```
openssl req -x509 -newkey rsa -days 365 -nodes -config openssl.cnf -keyout vnc-server-private.pem -out vnc-server.pem -subj '/CN=192.168.1.5' -addext "subjectAltName=IP:192.168.1.5"
```
On Ubuntu (and related distros), you may also need to change the path to openssl.cnf to /usr/lib/ssl/openssl.cnf, or simply omit the -config option, since the Linux openssl binary finds its default configuration on its own.
The private key should never leave the server and should be readable only by the account that runs TigerVNC. If you have syncing services (such as OneDrive, Dropbox, etc.), move “vnc-server-private.pem” to a location that isn’t synced or backed up. If you ever lose the private key, just create a new certificate and private key; do the same if you suspect the key has been copied, because anyone holding it can impersonate your server.
The certificate you created expires in 365 days. A year from now you will need to go through these steps again, create a new certificate, and distribute the new certificate to your clients.
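The same procedure as a script that also checks its own result, added here as an example and not taken from the TigerVNC wiki. It generalises the single-IP command above: the subjectAltName can be an IP address or a DNS name, and after generating the pair it verifies that the name really is in the certificate, that the private key belongs to it, and whether it is still valid a given time from now (so the 365-day expiry can be caught by a cron job before clients start failing). It assumes OpenSSL 1.1.1 or newer (for -addext) and a POSIX shell; the address 192.168.1.5 and the name computer1.local.example.com are constructed examples.

```shell
#!/bin/sh
# Added example, not part of the TigerVNC wiki. Generates a self-signed X.509
# certificate for a TigerVNC server and checks it before it is deployed.
# Assumes OpenSSL 1.1.1+ (for -addext). Addresses used below are constructed.

# make_vnc_cert KEYFILE CERTFILE ADDRESS [DAYS]
# ADDRESS is an IP address (192.168.1.5) or a host name
# (computer1.local.example.com). Modern clients verify the subjectAltName;
# the CN is set to the same value for older software.
make_vnc_cert() {
    key=$1; cert=$2; addr=$3; days=${4:-365}
    case $addr in
        *[!0-9.]*) san="DNS:$addr" ;;   # not only digits and dots: a host name
        *)         san="IP:$addr"  ;;   # dotted-quad IPv4 address
    esac
    # No -config: the default configuration is found automatically on Linux.
    openssl req -x509 -newkey rsa:3072 -days "$days" -nodes \
        -keyout "$key" -out "$cert" \
        -subj "/CN=$addr" -addext "subjectAltName=$san" 2>/dev/null || return 1
    chmod 600 "$key"   # the private key stays readable only by its owner
}

# cert_has_san CERTFILE ADDRESS: succeeds if ADDRESS appears in the
# certificate's Subject Alternative Name extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q -- "$2"
}

# key_matches_cert KEYFILE CERTFILE: succeeds if the public key inside the
# certificate is the one derived from the private key (catches mixed-up files).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for CERTFILE SECONDS: succeeds if the certificate is still valid
# SECONDS from now, e.g. 2592000 (30 days) in a cron job to warn before expiry.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_fingerprint CERTFILE: SHA-256 fingerprint (colon-separated hex) that
# you compare out of band with what the viewer shows on the client.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: ./vnc-cert.sh ADDRESS  (constructed example: ./vnc-cert.sh 192.168.1.5)
if [ -n "${1:-}" ]; then
    make_vnc_cert vnc-server-private.pem vnc-server.pem "$1" 365 &&
    cert_has_san vnc-server.pem "$1" &&
    key_matches_cert vnc-server-private.pem vnc-server.pem &&
    echo "OK, fingerprint: $(cert_fingerprint vnc-server.pem)"
fi
```

The fingerprint is the one thing that gives a self-signed certificate its authentication value: read it off the server and compare it, over a channel you trust, with what the viewer presents when it first sees the certificate, because an attacker on the path can otherwise present their own self-signed certificate and nothing in the protocol will notice. Once the checks pass, the key and certificate go to the TigerVNC server and only vnc-server.pem is copied to each client (TigerVNC takes them through its X509Cert and X509Key server parameters and the viewer trusts a certificate file through its X509CA parameter; those parameter names come from TigerVNC’s own documentation, not from this page).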
On the computer with TigerVNC server:
On the remote (client) computer: