Introduction

1. Keys and Certificates

Keys and Certificates are used to secure the communication between two entities. In a NoMachine infrastructure, communications are established between:

1. the end-user's device (NoMachine client or the browser) and the NoMachine server to which the user connects;
2. the end-user's device and the end-point host machine, e.g. a NoMachine server federated under a Cloud Server;
3. the Cloud Server and the NoMachine servers which are nodes of this Cloud Server;
4. the Enterprise Terminal Server and its Enterprise Terminal Server Nodes ;
5. two NoMachine servers in a failover cluster.

All these communication channels are encrypted and protected by Certificates or pairwise Keys provided with the NoMachine installation. If you may wish to replace any of them with your own Keys and Certificates, please follow instructions in the next sections.

Some remarks:

1. All instructions are intended to be run from console and require an account with administrative privileges: 'root' on Linux and Mac (use a 'sudo' user if you don't have the 'root' account on your system and add the sudo prefix to all commands) and an administrator user on Windows. On Windows, execute the CMD shell as administrator.
2. Instructions use the NoMachine nxkeygen tool, as an alternative, you can use the standard ssh-keygen command from OpenSSH on Linux and macOS.
   On Windows you can use for example PuTTYgen (https://www.puttygen.com). You need to ensure that the key-pair is in OpenSSH format or convert it. To do that choose the key file in the PuTTYgen main window. Then go to Conversions->Export OpenSSH key to export your private key and save it.
3. By default, keys and certificates are generated by nxkeygen with 2048 bit lenght, specify the -n option for a different lenght.
4. Instructions refers to installation directory which is the installation directory of the NoMachine server, by default:
   /usr/NX on Linux
   /Applications/NoMachine.app/Contents/Frameworks/ on macOS
   %PROGRAMFILES%\NoMachine\ on Windows

2. The SSL certificate for nxd

The nxd program is the NoMachine Network Daemon resident on the server host (any of the NoMachine servers and the Enterprise Terminal Server Node) necessary to accept connections through NX protocol. Its SSL certificate is made of:
installation directory/etc/keys/host/nx_host_rsa_key.crt
installation directory/etc/keys/host/nx_host_rsa_key

How to generate and use a new certificate and private key
STEP 1- generate a new certificate and private key for nxd. The general format of the command is:

installation directory/bin/nxkeygen -k privatekey -c certificate [-n length]

On Linux it's necessary to set LD_LIBRARY_PATH, i.e. :

$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k nx_host_rsa_key -c nx_host_rsa_key.crt -n 4096

Similarly, on macOS:

$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/ /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen -k nx_host_rsa_key -c nx_host_rsa_key.crt -n 4096

On Windows:

$ %PROGRAMFILES%\NoMachine\bin\nxkeygen  -k nx_host_rsa_key -c nx_host_rsa_key.crt -n 4096

Ensure that the new certificate and key have the same name of the original ones and proper permissions and ownership.
On Linux they should look like:
-rw------- 1 nx root 1675 2013-11-18 12:18 nx_host_rsa_key
-rw-r--r-- 1 nx root 1090 2013-11-18 12:18 nx_host_rsa_key.crt
and on macOS:
-rw------- 1 nx wheel 1679 Apr 8 16:21 nx_host_rsa_key
-rw-r--r-- 1 nx wheel 1090 Apr 8 16:21 nx_host_rsa_key.crt

Restarting nxd is not necessary.

STEP 2- For web sessions it's necessary to update the client.crt by adding content of the new certificate nx_host_rsa_key.crt.

The certificate is:
/var/NX/nxhtd/.nx/config/client.crt on Linux
/Library/Application\ Support/NoMachine/var/nxhtd/.nx/config/client.crt on Mac
C:\ProgramData\NoMachine\nxhtd\.nx\config\client.crt on Windows.

For example, instructions on Linux if the new certificate is placed in /usr/NX:

$ echo "Host:localhost" > /var/NX/nxhtd/.nx/config/client.crt
$ cat /usr/NX/etc/keys/host/nx_host_rsa_key.crt >> /var/NX/nxhtd/.nx/config/client.crt
$ echo "Host:127.0.0.1" >> /var/NX/nxhtd/.nx/config/client.crt
$ cat /usr/NX/etc/keys/host/nx_host_rsa_key.crt >> /var/NX/nxhtd/.nx/config/client.crt

Both entries for Host:localhost and Host:127.0.0.1 must be present in client.crt which should look like:
Host:localhost
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIRAP4YLqSxLm9xey/k41vmu+cwDQYJKoZIhvcNAQEFBQAw
(......)
-----END CERTIFICATE-----
Host:127.0.0.1
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIRAP4YLqSxLm9xey/k41vmu+cwDQYJKoZIhvcNAQEFBQAw
(....)
-----END CERTIFICATE-----

3. The SSL certificate for nxhtd

The nxhtd program is the NoMachine Apache-based web server included in any of the NoMachine server installations (except NoMachine free) and necessary for accepting connections by the web. In case of Enterprise Terminal Server + Enterprise Terminal Server Nodes it's provided by the Enterprise Terminal Server and it's not installed on the remote nodes.

Installation comes with a self-signed a SSL Certificate File and SSL Certificate Key file intended to be just a sample. They are respectively, for default installation path:
Linux
/usr/NX/etc/keys/host/ht_host_rsa_key.crt
/usr/NX/etc/keys/host/ht_host_rsa_key
macOS
/Applications/NoMachine.app/Contents/Frameworks/etc/keys/host/ht_host_rsa_key.crt
/Applications/NoMachine.app/Contents/Frameworks/etc/keys/host/ht_host_rsa_key
Windows
%PROGRAMFILES%\NoMachine\etc\ht_host_rsa_key.crt
%PROGRAMFILES%\NoMachine\etc\keys\host\ht_host_rsa_key

Administrators have to replace the sample SSL Certificate File and Key File with their own certificate self-signed or acquired from a CA.

How to generate a new (self-signed) certificate and apply it
The general format of the command to generate a new certificate and private key for nxhtd is:

installation directory/bin/nxkeygen -k privatekey -c certificate [-n length]

Let's assume to create new self-signed certificates named 'new_ht_host_rsa_key' and 'new_ht_host_rsa_key.crt'.

On Linux
STEP 1 - Generate the certificate
Execute from a command line in a terminal:

$ LD_LIBRARY_PATH=/usr/NX/lib/  /usr/NX/bin/nxkeygen -k new_ht_host_rsa_key -c new_ht_host_rsa_key.crt

STEP 2 - Edit the nxhtd configuration file
Open: /usr/NX/etc/web.cfg
and set:
SSLCertificateFile "/usr/NX/etc/keys/host/new_ht_host_rsa_key.crt"
SSLCertificateKeyFile "/usr/NX/etc/keys/host/new_ht_host_rsa_key"

STEP 3 - Update certificate permissions
Move to /usr/NX/etc/keys/host/ and execute:

 $ chown nxhtd:nxhtd new_ht_host_rsa_key 
 $ chown nxhtd:nxhtd new_ht_host_rsa_key.crt 
 $ chmod 600 new_ht_host_rsa_key 
 $ chmod 644 new_ht_host_rsa_key.crt

STEP 4 - Restart nxhtd
You can restart nxhtd from the NoMachine Server preferences UI or by command line:

$ sudo /etc/NX/nxserver --restart nxhtd

On macOS
STEP 1 - Generate the certificate
Execute in a terminal:

$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/ /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen  -k new_ht_host_rsa_key -c new_ht_host_rsa_key.crt

STEP 2 - Edit the nxhtd configuration file
Open: /Applications/NoMachine.app/Contents/Frameworks/etc/web.cfg
and set:
SSLCertificateFile "/Applications/NoMachine.app/Contents/Frameworks/etc/keys/host/new_ht_host_rsa_key.crt"
SSLCertificateKeyFile "/Applications/NoMachine.app/Contents/Frameworks/etc/keys/host/new_ht_host_rsa_key"

STEP 3 - Update certificate permissions
Move to /usr/NX/etc/keys/host/ and execute:

$ chown nxhtd:nxhtd new_ht_host_rsa_key 
$ chown nxhtd:nxhtd new_ht_host_rsa_key.crt 
$ chmod 600 new_ht_host_rsa_key 
$ chmod 644 new_ht_host_rsa_key.crt

STEP 4 - Restart nxhtd
You can restart nxhtd from the NoMachine Server preferences UI or by command line:

/etc/NX/nxserver --restart nxhtd

On Windows
STEP 1 - Generate the certificate
Execute in a CMD console launched as administrator:

> %PROGRAMFILES%\NoMachine\bin\nxkeygen -k new_ht_host_rsa_key -c new_ht_host_rsa_key.crt

STEP 2 - Edit the nxhtd configuration file
Open: %PROGRAMFILES%\NoMachine\etc\web.cfg
and set:
SSLCertificateFile "%PROGRAMFILES%\NoMachine\etc\keys\host\new_ht_host_rsa_key.crt"
SSLCertificateKeyFile "%PROGRAMFILES%\NoMachine\etc\keys\host\new_ht_host_rsa_key"

STEP 3 - Restart nxhtd
You can restart nxhtd from the NoMachine Server preferences UI or by command line:

> %ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe  --restart nxhtd

4. The RSA key pair for nxsshd

The nxsshd program is the NoMachine SSH server installed on Windows by any of the enterprise packages (NoMachine free doesn't have it). It's necessary to accept connections through the SSH protocol.

Its RSA keys are:
installation directory/etc/keys/host/ssh_host_rsa_key
installation directory/etc/keys/host/ssh_host_rsa_key.pub

How to generate a new certificate
To generate a new SSH key pair, run from the CMD console:

%PROGRAMFILES%\NoMachine\bin\nxkeygen   -k ssh_host_rsa_key -p ssh_host_rsa_key.pub

Note that the public key must be stored with the same file name of the private key but with .pub as postfix.
For example, if the new private key is new_rsa_key, the public key must be named as new_rsa_key.pub

How to use the new certificate
STEP 1- Configure nxsshd to use a different private key by editing this file:
%PROGRAMFILES%\NoMachine\etc\sshd_config

Uncomment and set te proper value for the HostKey configuration key in sshd_config:
HostKey "%PROGRAMFILES%\NoMachine\etc\keys\host\new_ssh_host_rsa_key"

STEP 2- Then, it's necessary to restart nxsshd. This can be easily done via the NoMachine Server UI.

5. The RSA key pair for the Enterprise Terminal Server Nodes

NoMachine Enterprise Terminal Server authenticates on the Enterprise Terminal Server Node with a RSA key pair. This RSA key pair is generated during the installation and its server specific. This means that if the node is added to a different server, also the RSA key pair will be different.

This key pair is made of:
/usr/NX/etc/keys/node.localhost.id_rsa
/usr/NX/etc/keys/node.localhost.id_rsa.pub

When adding the node to the server (by means of 'nxserver --nodeadd' command), the public part of the key pair is automatically added to the remote node.

The RSA key is deleted from the node when the node is removed from the list (with the 'nxserver --nodedel' command).

The 'nxserver --nodeedit NODENAME:PORT' command will add the new key (if set on the main server host) on the node, but it will not remove the old key.

To adopt a custom key pair for server-node authentication, follow all steps below. If not otherwise specified, commands are intended to be run on the Enterprise Terminal Server host.

STEP 1- Make a backup of the original RSA keys on the server machine in /usr/NX/etc/keys.

STEP 2- Generate a new RSA key pair and name the keys as node.localhost.id_rsa and node.localhost.id_rsa.pub (i.e. the new keys must have the same name of the original ones):

$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k /usr/NX/etc/keys/node.localhost.id_rsa -p /usr/NX/etc/keys/node.localhost.id_rsa.pub -t rsa

Then ensure that proper permissions and ownership are set:

$ chmod 600 /usr/NX/etc/keys/node.localhost.id_rsa
$ chown nx:root /usr/NX/etc/keys/node.localhost.id_rsa
$ chmod 644 /usr/NX/etc/keys/node.localhost.id_rsa.pub
$ chown nx:root /usr/NX/etc/keys/node.localhost.id_rsa.pub

STEP 3- Stop the server to prevent users from starting new sessions while replacing the server public key on the nodes. This will not terminate running sessions:

$ sudo /etc/NX/nxserver --stop

STEP 4- Propagate the new RSA sever public key on the node by running:

$ sudo /etc/NX/nxserver --nodeedit NODENAME:PORT
where NODENAME:PORT is the name of the remote node as it appears in the output of the 'nxserver --nodelist' command.

The 'nxserver --nodeedit' command will not remove the old key on the node. To remove it, delete the node:

$ sudo /etc/NX/nxserver --nodedel NODENAME:PORT
and re-add it so that the new key will be automatically added:
$ sudo /etc/NX/nxserver --nodeadd NODENAME

As an alternative, it's possible to execute a manual procedure to remove the old RSA public key(*) and add the new one (**) on the remote Enterprise Terminal Server Node.

STEP 5- Only if you have two NoMachine Enterprise Terminal Server Cluster configured in a failover cluster, update the cluster configuration to synchronize the new RSA key pair. Run on the primary or on the secondary server the following command:

$ sudo /etc/NX/nxserver --clusterupdate

(*) How to manually remove the old server RSA key from the node
Removing the old server RSA keys by hand is an alternative to deleting and re-adding the node when replacing the default server-node RSA key pair.

In a particular case, i.e. if the server is unable to connect to the node while executing 'nxserver --nodedel', it's necessary to adopt this manual procedure as well. That's because the node is removed from the NoMachine db but the server key is left on the node host.

To remove the old server public key manually:
1) On the server host read the current server RSA key that is going to be replaced:

$ cat /usr/NX/etc/keys/node.localhost.id_rsa.pub 

2) On each of the node hosts remove the line containing the current server public key from the following files:
nx_home_directory/.nx/config/authorized.crt for server-node connections by NX protocol and
nx_home_directory/.ssh/authorized_keys2 for server-node connections by SSH protocol.

(**) How to add the new RSA public key (node.localhost.id_rsa.pub) on the remote node
To add a RSA public key on node, you can run the following command on the node host:

$ sudo /etc/NX/nxserver --keyadd public_key_file
where public_key_file is path to the new node.localhost.id_rsa.pub key.

This will add the key to the authorized.crt file if server-node protocol is NX or to the authorized keys file if server-node protocol is SSH.

Alternatively, the RSA server public key can be manually added to the proper files:
nx_home_directory/.nx/config/authorized.crt if server-node protocol is NX and
nx_home_directory/.ssh/authorized_keys2 if server-node protocol is SSH

'authorized_keys2' is the standard name used in the SSHD configuration, replace it with the appropriate name if your SSHD has custom settings.

6. The RSA Key Pair and the SSL certificate for the Failover Cluster

The failover cluster uses (i) a SSH key pair to authenticate each other the primary and secondary server and (ii) a SSL certificate on the shared IP to avoid users having to accept again the server host fingerprint when the failover occurs.

This applies to Enterprise Cloud Server Cluster servers and to Enterprise Terminal Server Cluster servers.

(i) How to generate and use a new SSH key pair for the primary-secondary server authentication

You can generate a new SSH key pair on the primary server host. Name the new keys as the original ones. The general form of the command is:

installation directory/bin/nxkeygen -k installation directory/etc/keys/cluster.id_rsa -p installation directory/etc/keys/cluster.id_rsa.pub -t rsa

On Linux:

$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen  -k /usr/NX/etc/keys/cluster.id_rsa -p /usr/NX/etc/keys/cluster.id_rsa.pub -t rsa

On macOS:

$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/  /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen -k  /Applications/NoMachine.app/Contents/Frameworks/etc/keys/cluster.id_rsa -p  /Applications/NoMachine.app/Contents/Frameworks/etc/keys/cluster.id_rsa.pub -t rsa

On Windows:

> %PROGRAMFILES%\NoMachine\bin\nxkeygen -k %PROGRAMFILES%\NoMachine\etc\keys\cluster.id_rsa -p   %PROGRAMFILES%\NoMachine\etc\keys\cluster.id_rsa.pub -t rsa

Then ensure that the new keys have proper permissions and ownership. For example on Linux:

chmod 600 /usr/NX/etc/keys/cluster.id_rsa
chown nx:root /usr/NX/etc/keys/cluster.id_rsa
chmod 644 /usr/NX/etc/keys/cluster.id_rsa.pub
chown nx:root /usr/NX/etc/keys/cluster.id_rsa.pub

How to use the new key-pair
Propagate the new key to the secondary server by running on the primary server the following command.

On Linux and macOS:

$ sudo /etc/NX/nxserver --clusterupdate

On Windows:

> %ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe  --clusterupdate

(ii) How to generate and use a new SSL certificate and private key on cluster shared IP

The SSL certificate used for connections by NX protocol when the failover cluster is set-up is made of:

<installation directory>/etc/keys/host/nx_cluster_rsa_key
<installation directory>/etc/keys/host/nx_cluster_rsa_key.crt

To generate a new certificate and key, the general format of the command is:

installation directorybin/nxkeygen -k privatekey -c certificate [-n length]

On Linux:

$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen  -k nx_cluster_rsa_key -c nx_cluster_rsa_key.crt -n 4096

On macOS:

$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/  /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen -k  nx_cluster_rsa_key -c nx_cluster_rsa_key.crt -n 4096

On Windows:

> %PROGRAMFILES%\NoMachine\bin\nxkeygen -k nx_cluster_rsa_key -c nx_cluster_rsa_key.crt -n 4096

Then ensure that the new keys have proper permissions and ownership, as the original ones. On Linux they should look like:

-rw------- 1 nx root 1675 2013-11-18 12:18 nx_cluster_rsa_key
-rw-r--r-- 1 nx root 1090 2013-11-18 12:18 nx_cluster_rsa_key.crt

and on macOS:

-rw------- 1 nx wheel 1679 Apr 8 16:21 nx_cluster_rsa_key
-rw-r--r-- 1 nx wheel 1090 Apr 8 16:21 nx_cluster_rsa_key.crt

How to use the new certificate
Propagate the new certificate to the secondary server by running on the primary server the following command.

On Linux and macOS:

$ sudo /etc/NX/nxserver --clusterupdate

On Windows:

> %ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe  --clusterupdate

7. The RSA key pair for the Cloud Server's Nodes

A Cloud Server authenticates to any of nodes with a RSA key pair. This RSA key pair is generated during the installation and it's node specific. This means that if the NoMachine server is added as a node to a different Cloud Server, also the RSA key pair will be different. It works in a similar way also for the 'inverse connection', from node to Cloud Server.

The key pair is made of:
installation directory/etc/keys/node.localhost.id_rsa
installation directory/etc/keys/node.localhost.id_rsa.pub

When adding a node to the Cloud Server with both the direct connection (from Cloud Server to node) or the inverse connection (from node to Cloud Server), the public part of the key pair is automatically added to the remote server host.

The RSA key is deleted from the remote host when the node is removed from the multi-node environment.

The 'nxserver --nodeedit NODE_UUID' command will add the new key (if set on the Cloud Server host) on the server, but it will not remove the old key.

To adopt a custom key pair for the authentication, follow steps below.

Create the new RSA key pair

STEP 1- Make a backup of the original RSA keys on the Cloud Server machine in installation directory/etc/keys.

In case of inverse connection, execute the following command on the node.

STEP 2- Generate a RSA key pair and name keys as node.localhost.id_rsa and node.localhost.id_rsa.

On Linux:

$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen  -k /usr/NX/etc/keys/node.localhost.id_rsa -p /usr/NX/etc/keys/node.localhost.id_rsa.pub -t rsa

On macOS:

$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/  /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen -k  /Applications/NoMachine.app/Contents/Frameworks/etc/keys/node.localhost.id_rsa -p /Applications/NoMachine.app/Contents/Frameworks/etc/keys/node.localhost.id_rsa.pub -t rsa

On Windows:

> %PROGRAMFILES%\NoMachine\bin\nxkeygen -k %PROGRAMFILES%\NoMachine\etc\keys\node.localhost.id_rsa -p %PROGRAMFILES%\NoMachine\etc\keys\node.localhost.id_rsa.pub -t rsa

Ensure also that the new keys have proper permissions and ownership, as the original ones.

Add the Cloud Server's public key to the node

Instructions apply to Cloud Server and its first-level nodes. If the Cloud Server is a sub-level server, be sure to execute instructions on its host and not on the main Cloud Server.

STEP 1- Stop the Cloud Server to prevent users from starting new sessions while replacing the server public key on its nodes. This will not terminate running sessions.

On Linux and macOS:

$ sudo /etc/NX/nxserver --stop

On Windows:

> %ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe  --stop

STEP 2- Place the new RSA key pair in the same directory, installation directory/etc/keys.

STEP 3- Propagate the new RSA sever public key on the node by executing on the Cloud Server host

on Linux and macOS:

$ sudo /etc/NX/nxserver --nodeedit NODE_UUID
where NODE_UUID is the uuid of the node as it appears in the output of the 'nxserver --nodelist' command.

On Windows:

> %ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe  --nodeedit NODE_UUID

Note that this command will not remove the old key on the node. To remove it, delete and re-add the node.

On Linux and macOS:

$ sudo /etc/NX/nxserver --nodedel NODE_UUID
$ sudo /etc/NX/nxserver --nodeadd  NODE_IP --node-name NODENAME

On Windows:

> %ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe  --nodedel NODE_UUID
> %ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe --nodeadd  NODE_IP --node-name NODENAME

As an alternative, it's possible to execute a manual procedure to remove the old RSA public key (*) and add the new one (**) on the node.

STEP 4- Only if you have two Enterprise Cloud Server Cluster configured in a failover cluster, update the cluster configuration to synchronize the new RSA key pair. Run on the primary or on the secondary server the following command.

On Linux and macOS:

$ sudo /etc/NX/nxserver --clusterupdate

On Windows:

> %ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe   --clusterupdate

*) How to manually remove the old server RSA key from the node host
1) On the Cloud Server host read the current server RSA key that is going to be replaced:

cat installation_directory/etc/keys/node.localhost.id_rsa.pub

2) On each of the nodes remove the line containing the current server public key from the following files:
nx_home_directory/.nx/config/authorized.crt for server-to-server connections by NX protocol and
nx_home_directory/.ssh/authorized_keys2 for server-to-server connections by SSH protocol.

'authorized_keys2' is the standard name used in the SSHD configuration, replace it with the appropriate name if your SSHD has custom settings.

nx_home_directory is:
/var/NX/nx/ on Linux
/Library/Application\ Support/NoMachine/var/nx/ on macOS
Users\nx\ on Windows

(**) How to add the new RSA public key (node.localhost.id_rsa.pub) on the node
To add a RSA public key on the node, you can run the 'nxserver --keyadd' command on the node, for example on Linux and macOS:

/etc/NX/nxserver --keyadd public_key_file

This will add the key to the authorized.crt file if server-to-server protocol is NX or to the authorized keys file if server-to-server protocol is SSH.

Alternatively, the RSA server public key can be manually added to the proper files:
nx_home_directory/.nx/config/authorized.crt if protocol is NX and
nx_home_directory/.ssh/authorized_keys2 if protocol is SSH.

'authorized_keys2' is the standard name used in the SSHD configuration, replace it with the appropriate name if your SSHD has custom settings.

nx_home_directory is:
/var/NX/nx/ on Linux
/Library/Application\ Support/NoMachine/var/nx/ on macOS
Users\nx\ on Windows

Add the node's public key to the Cloud Server (Inverse connection)

To add the key from the node to the Cloud Server:

Step 1 - Get /usr/NX/etc/keys/node.localhost.id_rsa.pub from node and copy it to the Cloud Server host.

Step 2- If node-to-server protocol is NX, execute the following command on the Cloud Server host.

On Linux and macOS:

$ sudo /etc/NX/nxserver --keyadd path_to_node.localhost.id_rsa.pub

On Windows:

> %ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe   --keyadd path_to_node.localhost.id_rsa.pub

This will add the key to the nx_home_directory/.nx/config/authorized.crt file.

nx_home_directory is:
/var/NX/nx/ on Linux
/Library/Application\ Support/NoMachine/var/nx/ on macOS
Users\nx\ on Windows

Otherwise, if node-to-server protocol is SSH execute the following command on the Cloud Server host.

On Linux and macOS:

$ sudo /etc/NX/nxserver --keyadd path_to_node.localhost.id_rsa.pub --protocol SSH 

On Windows:

> %ALLUSERSPROFILE%\NoMachine\nxserver\nxserver.exe   --keyadd path_to_node.localhost.id_rsa.pub  --protocol SSH 

This will add the key to the authorized keys file in nx_home_directory/.ssh where nx_home_directory is:
/var/NX/nx/ on Linux
/Library/Application\ Support/NoMachine/var/nx/ on macOS
Users\nx\ on Windows