Secure Server Setup

Eric Voskuil edited this page Mar 17, 2017 · 7 revisions

The bx cert-new and cert-public commands can be used to generate certificates. The certificates (keys) are presented as Z85-encoded text strings. The public key can be derived from its private key.

When a private key is configured, the server automatically exposes secure endpoints for each service that is enabled. When a client connects using the server's public key, the server's identity is confirmed to the client and the communication is encrypted. The server's unsecured endpoints can be disabled by setting server.secure_only = true.

Generate the private key as follows:

$ bx cert-new
A6hgo]R8<48/xB3yfd5x]mt-a9u/*P^j$$K)SBR@

Keep the private key secret and replace it if it is ever compromised. To enable client-server encryption and server identity, add the private key to the bs configuration as follows:

[server]
server_private_key = A6hgo]R8<48/xB3yfd5x]mt-a9u/*P^j$$K)SBR@

Publish the corresponding public key for use by clients. The public key is generated as follows:

$ bx cert-public 'A6hgo]R8<48/xB3yfd5x]mt-a9u/*P^j$$K)SBR@'
2!{^*kaa:gU]z2/Jy/4N5h2o=F[WE=2V0gi(Btqo

The public key can be placed into the bx configuration in the server.server_public_key setting. The port value in the bx server.url configuration setting determines whether bx connects to the secure query endpoint or the public query endpoint.
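
Z85 keys contain characters such as $, * and < that a shell can rewrite when the key is copied between the commands and configuration files above, so it is worth checking a key string before publishing or configuring it. The following is an added example, not part of bx or bs: a Z85 decoder per the ZeroMQ Z85 specification with a hypothetical check_key helper, assuming keys are 32 bytes (40 Z85 characters, as the strings on this page are).

```python
# Added example: validate a Z85 key string before it goes into bs/bx configuration.
Z85_ALPHABET = (
    "0123456789abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#"
)
Z85_INDEX = {ch: i for i, ch in enumerate(Z85_ALPHABET)}

KEY_CHARS = 40  # assumption: 32-byte key -> 40 Z85 characters, as on this page


def z85_decode(text: str) -> bytes:
    """Decode Z85 text: every 5 characters become 4 big-endian bytes."""
    if len(text) % 5:
        raise ValueError(f"length {len(text)} is not a multiple of 5")
    out = bytearray()
    for pos in range(0, len(text), 5):
        value = 0
        for ch in text[pos:pos + 5]:
            if ch not in Z85_INDEX:
                raise ValueError(f"character {ch!r} is not in the Z85 alphabet")
            value = value * 85 + Z85_INDEX[ch]
        if value > 0xFFFFFFFF:
            raise ValueError(f"group at offset {pos} overflows 32 bits")
        out += value.to_bytes(4, "big")
    return bytes(out)


def check_key(text: str) -> bytes:
    """Return the 32 raw key bytes, or raise ValueError if the string is damaged."""
    if len(text) != KEY_CHARS:
        raise ValueError(f"expected {KEY_CHARS} characters, got {len(text)}")
    return z85_decode(text)


if __name__ == "__main__":
    page_key = "A6hgo]R8<48/xB3yfd5x]mt-a9u/*P^j$$K)SBR@"  # example key from this page
    print(len(check_key(page_key)), "bytes")
    # Constructed damage: "$$" expanded to a process id (4242) inside double quotes.
    mangled = page_key.replace("$$", "4242")
    try:
        check_key(mangled)
    except ValueError as err:
        print("rejected:", err)
```

A string that passes this check is well-formed only; it does not show that a public key matches the server's private key.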

See also restricted clients setup.