On-Prem Management Console - Certificate Requirements


To use the On-Prem Management Console, customers must use an SSL certificate to protect the communication between RealVNC Viewers, RealVNC Servers and the On-Prem Management Console, as this traffic occurs over HTTPS.

Customers who already have an SSL certificate in use for internal web applications should be able to re-use it. Alternatively, they can purchase an SSL certificate from a recognised provider, or create their own with OpenSSL or another tool.

Please bear in mind that this certificate must be renewed before it expires to keep the On-Prem Management Console functioning.

To use a certificate with the On-Prem Management Console, the following is needed:

  • A password-protected ‘.p12’ file containing the relevant SSL private and public keys in PKCS#12 format.
  • A root or intermediate certificate, in ‘.PEM’ format, from the certificate authority that issued the above keys.

The ‘.p12’ file and its password are then supplied during installation of the OPC MSI.

The ‘.PEM’ file is then distributed to every RealVNC Viewer and RealVNC Server that communicates with the On-Prem Management Console, so that the connection is properly secured via HTTPS.

Key and Certificate Parameters

The private key and certificate in your .p12 file should be generated with the following parameters:

  • Bits = 2048
  • No optional CSR attributes are required
  • string_mask set to utf8only for DN strings
  • Subject Key Identifier set to ‘hash’
  • CA (basicConstraints) set to ‘FALSE’
  • Key Usage set to ‘digitalSignature’ and ‘keyEncipherment’
  • subjectAltName and commonName set to the domain name on which OPC will be hosted

Helper Scripts for Self-Signed Certificate Generation using OpenSSL

Windows (PowerShell)

# This script assumes you have installed OpenSSL for Windows
# https://slproweb.com/products/Win32OpenSSL.html


# === CONFIGURATION ===
$ORG="RealVNC-OPC"
$COUNTRY="GB"
$STATE="England"
$LOCALITY="Cambridge"
$DOMAIN="opc.example.com"     # <-- change this to your OPC hostname
$PASSWORD="YourPassword"      # <-- change this to your .p12 password
$DAYS_ROOT=3650                    # 10 years
$DAYS_INTERMEDIATE=1825            # 5 years
$DAYS_SERVER=825                   # ~2 years
$OpenSSL = "C:\Program Files\OpenSSL-Win64\bin\openssl.exe"

# Paths
$BaseDir = "$pwd\opc-certs"
$RootDir = "$BaseDir\root"
$IntDir = "$BaseDir\intermediate"
$ServerDir = "$BaseDir\server"

# Create directories
@($RootDir, "$RootDir\private", "$RootDir\certs",
  $IntDir, "$IntDir\private", "$IntDir\certs",
  $ServerDir) | ForEach-Object {
    if (!(Test-Path $_)) { New-Item -ItemType Directory -Force -Path $_ | Out-Null }
}

function Run-OpenSSL {
    param([string[]]$OpenSSLArgs)
    # Quote any argument containing whitespace (e.g. a path under a user profile
    # with a space in it) so Start-Process hands it to openssl as a single token.
    $quoted = $OpenSSLArgs | ForEach-Object {
        if ($_ -match '\s' -and $_ -notmatch '^".*"$') { '"' + $_ + '"' } else { $_ }
    }
    $argString = $quoted -join ' '
    Write-Host "Running: openssl $argString"
    $errFile = Join-Path $env:TEMP 'openssl_err.txt'
    $process = Start-Process -FilePath $OpenSSL -ArgumentList $argString -Wait -NoNewWindow -PassThru -RedirectStandardError $errFile
    if ($process.ExitCode -ne 0) {
        $err = Get-Content $errFile -Raw
        throw "OpenSSL failed: $argString`n$err"
    }
}

Write-Host "`n[*] Generating Root CA..."
Run-OpenSSL @("genrsa", "-out", "$RootDir\private\rootCA.key", "4096")
Run-OpenSSL @("req", "-x509", "-new", "-nodes", "-sha256", "-days", "$DAYS_ROOT",
              "-key", "$RootDir\private\rootCA.key",
              "-out", "$RootDir\certs\rootCA.crt",
              "-subj", "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=RootCA/CN=RealVNC-RootCA")

Write-Host "`n[*] Generating Intermediate CA..."
Run-OpenSSL @("genrsa", "-out", "$IntDir\private\intermediateCA.key", "4096")
Run-OpenSSL @("req", "-new", "-sha256",
              "-key", "$IntDir\private\intermediateCA.key",
              "-out", "$IntDir\intermediateCA.csr",
              "-subj", "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=IntermediateCA/CN=RealVNC-IntermediateCA")

# Intermediate extensions
$IntExt = "$IntDir\intermediate_ext.cnf"
@"
basicConstraints = CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
"@ | Out-File -Encoding ASCII $IntExt

Run-OpenSSL @("x509", "-req", "-in", "$IntDir\intermediateCA.csr",
              "-CA", "$RootDir\certs\rootCA.crt",
              "-CAkey", "$RootDir\private\rootCA.key",
              "-CAcreateserial",
              "-out", "$IntDir\certs\intermediateCA.crt",
              "-days", "$DAYS_INTERMEDIATE", "-sha256",
              "-extfile", $IntExt)

Write-Host "`n[*] Generating OPC/Server certificate..."
Run-OpenSSL @("genrsa", "-out", "$ServerDir\opc.key", "2048")
Run-OpenSSL @("req", "-new", "-sha256", "-key", "$ServerDir\opc.key",
              "-out", "$ServerDir\opc.csr",
              "-subj", "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=Server/CN=$DOMAIN")

$ServerExt = "$ServerDir\opc_ext.cnf"
@"
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DOMAIN
"@ | Out-File -Encoding ASCII $ServerExt

Run-OpenSSL @("x509", "-req", "-in", "$ServerDir\opc.csr",
              "-CA", "$IntDir\certs\intermediateCA.crt",
              "-CAkey", "$IntDir\private\intermediateCA.key",
              "-CAcreateserial",
              "-out", "$ServerDir\opc.crt",
              "-days", "$DAYS_SERVER", "-sha256",
              "-extfile", $ServerExt)

Write-Host "`n[*] Creating certificate chain..."
Get-Content "$IntDir\certs\intermediateCA.crt", "$RootDir\certs\rootCA.crt" | Set-Content "$BaseDir\ca-chain.crt"

Write-Host "`n[*] Creating P12 bundles..."
Run-OpenSSL @("pkcs12", "-export",
              "-inkey", "$ServerDir\opc.key",
              "-in", "$ServerDir\opc.crt",
              "-certfile", "$BaseDir\ca-chain.crt",
              "-out", "$ServerDir\opc.p12",
              "-name", '"RealVNC OPC Server"',
              "-passout", "pass:$PASSWORD")

Write-Host "`n[*] Creating PEM trust file for Viewers/Servers..."
Get-Content "$RootDir\certs\rootCA.crt" | Set-Content "$RootDir\certs\opc-trust.pem"


Write-Host "`n✅ All certificates and P12 bundles generated successfully in $BaseDir"
Write-Host ""
Write-Host "Upload:   $ServerDir\opc.p12   →  RealVNC OPC web UI"
Write-Host "Distribute: $RootDir\certs\opc-trust.pem →  RealVNC Server and Viewer hosts"
Write-Host ""

Linux (Bash)

#!/usr/bin/env bash
set -euo pipefail

# === CONFIGURATION ===
ORG="RealVNC-OPC"
COUNTRY="GB"
STATE="England"
LOCALITY="Cambridge"
DOMAIN="opc.example.com"     # <-- change this to your OPC hostname
PASSWORD="YourPassword"      # <-- change this to your .p12 password
DAYS_ROOT=3650                    # 10 years
DAYS_INTERMEDIATE=1825            # 5 years
DAYS_SERVER=825                   # ~2 years

# === OUTPUT DIRECTORY ===
OUTDIR="opc-certs"
mkdir -p "$OUTDIR"
cd "$OUTDIR"

echo "[*] Generating Root CA..."
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days "$DAYS_ROOT" -utf8 \
  -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=PKI/CN=RealVNC-Root-CA" \
  -out rootCA.crt

echo "[*] Generating Intermediate CA..."
openssl genrsa -out intermediateCA.key 4096
openssl req -new -sha256 -key intermediateCA.key -utf8 \
  -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=PKI/CN=RealVNC-Intermediate-CA" \
  -out intermediateCA.csr

cat > intermediate.ext <<EOF
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

openssl x509 -req -in intermediateCA.csr -CA rootCA.crt -CAkey rootCA.key \
  -CAcreateserial -out intermediateCA.crt -days "$DAYS_INTERMEDIATE" -sha256 -extfile intermediate.ext

echo "[*] Generating OPC server key..."
openssl genrsa -out opc.key 2048

cat > opc.csr.conf <<EOF
[ req ]
default_bits        = 2048
prompt              = no
default_md          = sha256
distinguished_name  = dn
req_extensions      = req_ext
string_mask         = utf8only

[ dn ]
C  = $COUNTRY
ST = $STATE
L  = $LOCALITY
O  = $ORG
OU = OPC
CN = $DOMAIN

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $DOMAIN
EOF

echo "[*] Creating OPC certificate signing request..."
openssl req -new -key opc.key -out opc.csr -config opc.csr.conf

cat > opc.ext <<EOF
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DOMAIN
EOF

echo "[*] Signing OPC certificate with Intermediate CA..."
openssl x509 -req -in opc.csr -CA intermediateCA.crt -CAkey intermediateCA.key \
  -CAcreateserial -out opc.crt -days "$DAYS_SERVER" -sha256 -extfile opc.ext

echo "[*] Creating certificate chain..."
cat opc.crt intermediateCA.crt rootCA.crt > opc-fullchain.pem

echo "[*] Creating PKCS#12 bundle for OPC..."
openssl pkcs12 -export \
  -inkey opc.key \
  -in opc-fullchain.pem \
  -out opc.p12 \
  -name "OPC Certificate" \
  -password "pass:$PASSWORD"

echo "[*] Creating PEM trust file for Viewers/Servers..."
cp rootCA.crt opc-trust.pem

echo ""
echo "✅ All done. Files generated in: $OUTDIR"
echo ""
echo "Upload:   opc.p12   →  RealVNC OPC web UI"
echo "Distribute: opc-trust.pem →  RealVNC Server and Viewer hosts"
echo ""
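The following check script is added here and is not part of RealVNC's article or product: it verifies a generated opc.p12 and the opc-trust.pem handed to Viewers/Servers against the parameter list above, then validates the chain and warns ahead of expiry. It assumes openssl on PATH, the .p12 password in the OPC_P12_PASSWORD environment variable, and the OPC hostname as its third argument; the sample certificate text used for the self-test is constructed.

```shell
#!/usr/bin/env bash
# Added check script, not part of RealVNC's article: verifies a generated opc.p12
# and the opc-trust.pem handed to Viewers/Servers against the parameter list above.
# check_cert_params <output of 'openssl x509 -noout -text'> <OPC hostname>
# Pure text checks; returns 0 when every parameter is met, prints each failure otherwise.
check_cert_params() {
    local text="$1" domain="$2" fail=0
    _need() {  # _need <description> <ERE that must appear in the certificate text>
        if ! printf '%s\n' "$text" | grep -Eq -- "$2"; then
            printf 'FAIL: %s\n' "$1"; fail=1
        fi
    }
    _need "RSA key is 2048 bits"               'Public-Key: \(2048 bit\)'
    _need "basicConstraints is CA:FALSE"       '^ *CA:FALSE *$'
    _need "keyUsage includes digitalSignature" 'Digital Signature'
    _need "keyUsage includes keyEncipherment"  'Key Encipherment'
    _need "subjectKeyIdentifier is present"    'Subject Key Identifier'
    _need "subjectAltName lists DNS:$domain"   "DNS:$domain(,|$)"
    _need "commonName is $domain"              "Subject:.*CN ?= ?$domain(,|$)"
    return "$fail"
}
# verify_opc_bundle <opc.p12> <opc-trust.pem> <OPC hostname>
# Reads the .p12 password from $OPC_P12_PASSWORD, checks the server certificate,
# verifies its chain against the trust PEM (the intermediate must travel inside the
# .p12, because the trust file holds only the root) and warns 30 days before expiry.
verify_opc_bundle() {
    local p12="$1" trust="$2" domain="$3" leaf chain
    leaf=$(mktemp); chain=$(mktemp)
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:OPC_P12_PASSWORD -out "$leaf"
    openssl pkcs12 -in "$p12" -cacerts -nokeys -passin env:OPC_P12_PASSWORD -out "$chain"
    check_cert_params "$(openssl x509 -in "$leaf" -noout -text)" "$domain" || return 1
    openssl verify -CAfile "$trust" -untrusted "$chain" "$leaf" || return 1
    openssl x509 -in "$leaf" -noout -checkend $((30 * 86400)) \
        || printf 'WARN: certificate expires within 30 days; renew it before it lapses\n'
    rm -f "$leaf" "$chain"
}
# Constructed, abbreviated sample of 'openssl x509 -noout -text' output for a
# compliant certificate; used as a self-test when the script is run without arguments.
SAMPLE_OK='        Subject: C = GB, O = RealVNC-OPC, CN = opc.example.com
                Public-Key: (2048 bit)
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:opc.example.com
            X509v3 Subject Key Identifier:
                DE:AD:BE:EF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
if [ "$#" -eq 3 ]; then verify_opc_bundle "$@"
else check_cert_params "$SAMPLE_OK" opc.example.com && echo "sample passes all checks"; fi
```

Run it as `OPC_P12_PASSWORD='...' ./check-opc-cert.sh opc-certs/opc.p12 opc-certs/opc-trust.pem opc.example.com` after either helper script has finished; a non-zero exit means at least one requirement is not met.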