ID: AR06W01292
Applies to: NoMachine Client
Added on: 2025-06-16
Last Update: 2025-06-18

How to use custom host certificates with NoMachine v9 (Host, Client, and CRL Configuration)

Since NoMachine version 9.0.188, the client is able to use a host certificate and private key signed by a Certificate Authority (CA). The NoMachine Player can then verify the host’s identity using the CA’s certificate. In addition, NoMachine Player supports the use of a Certificate Revocation List (CRL) to detect and reject revoked certificates.
 

Table of Contents

1. Host configuration: installing a CA-signed certificate and key

2. Client configuration: trusting a CA

3. Client configuration: using a Certificate Revocation List (CRL) 

 

1. Host configuration: installing a CA-signed certificate and key

Step 1: Obtain certificate and key
Use a certificate and private key issued by a trusted Certificate Authority (CA). You will need:
- the host’s private key file (e.g. host.key)
- the host’s certificate file (e.g. host.crt), signed by the CA

Step 2: Replace host key and certificate
The default files are:
- nx_host_rsa_key (private key)
- nx_host_rsa_key.crt (certificate)

They are located in the following directories:
- on Linux/macOS: /usr/NX/etc/keys/host/
- on Windows: C:\Program files\NoMachine\etc\keys\host\ for 64-bit packages on 64-bit systems, or C:\Program files (x86)\NoMachine\etc\keys\host\ for 32-bit packages

Make a backup of the original files and place the new files in the appropriate NoMachine directory, replacing the existing default ones.
 
Ensure that the private key file has restricted permissions and is readable only by the nx user, like the original file.

Step 3: Restart the NoMachine Server
You can do this from the UI or from the command line.

On Linux/macOS, from a terminal:
sudo /etc/NX/nxserver --restart

On Windows, from CMD prompt run as administrator:
%ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe --restart

2. Client configuration: trusting a CA

File Format and Requirements
Format: PEM (Base64-encoded X.509)
Content: One or more CA certificates
Accepted extensions: .pem, .crt, .ca-bundle
Comments and whitespace outside the certificate blocks are allowed
Default CA paths:

Platform   Location
macOS      /etc/ssl/cert.pem
Linux      /etc/ssl/certs/ca-certificates.crt, /etc/pki/tls/certs/ca-bundle.crt
Windows    Not supported by default (manual configuration required)
Android    Not supported
iOS        Not supported

NoMachine Player automatically loads CA certificates from these default locations on supported platforms.

Manual CA Configuration via player.cfg
If a custom CA certificate file is required, it must be specified manually in the client configuration.

The player.cfg file is located in the .nx/config directory under the user's home:
$HOME/.nx/config/player.cfg on Linux and macOS
%USERPROFILE%\.nx\config\player.cfg on Windows

Note that the .nx folder is hidden on Windows. To find it, type %USERPROFILE%\.nx in the address bar of the file browser.

Both file and path strings are parsed from a single player.cfg key named "Certificate authority". Use a colon (:) to separate multiple file paths.


This is an example for Linux:
 
<option key="Certificate authority" value="/etc/ssl/certs/ca-certificates.crt:/etc/pki/tls/certs/ca-bundle.crt" />

3. Client configuration: using a Certificate Revocation List (CRL)

The Certificate Revocation List (CRL) is used to identify certificates that have been revoked by the issuing CA.
Only one file can be used for CRL validation; that file may contain multiple CRL entries.

File Format
Format: PEM
Content:
-----BEGIN X509 CRL-----
(Base64-encoded CRL data)
-----END X509 CRL-----
Line breaks, whitespace, and comments outside the BEGIN/END markers are ignored.

CRL Configuration via player.cfg
There is no default CRL location.

To enable CRL checking, explicitly add the path to the CRL file, for example:
<option key="Certificate revocation list" value="/path/to/crl/list.pem" />

If the CRL file is invalid or missing, revocation checking is skipped.
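
Because a missing or invalid CRL file leaves revocation checking skipped, it is worth checking player.cfg before relying on it. The following Python script is an added example, not NoMachine code: it assumes POSIX paths and only checks that the files named by the two keys above exist and contain well-formed PEM blocks. It does not verify signatures or validity dates, and NoMachine's own definition of an invalid file may differ.

```python
import base64, binascii, os, re, sys

# player.cfg stores settings as <option key="..." value="..." /> elements.
OPTION = re.compile(r'<option\s+key="([^"]*)"\s+value="([^"]*)"\s*/>')
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(path, label):
    """Return the decoded DER of every well-formed PEM block named `label`."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    ders = []
    for found, body in PEM.findall(text):
        if found != label:
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            continue  # corrupted Base64: not a usable block
        if der[:1] == b"\x30":  # certificates and CRLs are DER SEQUENCEs
            ders.append(der)
    return ders

def check_player_cfg(cfg_path):
    """Return findings for the CA and CRL settings; an empty list means none."""
    if not os.path.isfile(cfg_path):
        return [f"player.cfg not found: {cfg_path}"]
    with open(cfg_path, encoding="utf-8", errors="replace") as fh:
        options = dict(OPTION.findall(fh.read()))
    findings = []
    # Colon-separated list, as in the Linux example (POSIX paths assumed).
    for path in filter(None, options.get("Certificate authority", "").split(":")):
        if not os.path.isfile(path):
            findings.append(f"CA file missing: {path}")
        elif not pem_blocks(path, "CERTIFICATE"):
            findings.append(f"no valid CERTIFICATE block in CA file: {path}")
    crl = options.get("Certificate revocation list", "")
    if not crl:
        findings.append("no CRL configured: revocation checking is not enabled")
    elif not os.path.isfile(crl):
        findings.append(f"CRL file missing, revocation checking is skipped: {crl}")
    elif not pem_blocks(crl, "X509 CRL"):
        findings.append(f"no valid X509 CRL block, revocation checking is skipped: {crl}")
    return findings

if __name__ == "__main__":
    cfg = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.nx/config/player.cfg")
    for finding in check_player_cfg(cfg):
        print("WARN:", finding)
```

Run it with the path to player.cfg as the only argument; with no argument it reads $HOME/.nx/config/player.cfg.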