Secure Server Setup

Eric Voskuil edited this page Mar 14, 2017 · 7 revisions

The bx cert-new and cert-public commands can be used to generate certificates. The certificates are presented as Z85-encoded text strings. The public key certificate can be derived from its private key certificate.

When a private key is configured, the server automatically exposes secure ports for each service that is enabled. When a client connects using the server's public key, the server's identity is confirmed to the client and the communication is encrypted.

Generate the private key as follows:

$ bx cert-new
A6hgo]R8<48/xB3yfd5x]mt-a9u/*P^j$$K)SBR@

Keep the private key secret and replace it if it is ever compromised. To enable client-server encryption and server identity, add the private key to the bs configuration as follows:

[server]
server_private_key = A6hgo]R8<48/xB3yfd5x]mt-a9u/*P^j$$K)SBR@

Publish the corresponding public key for use by clients. The public key is generated as follows:

$ bx cert-public 'A6hgo]R8<48/xB3yfd5x]mt-a9u/*P^j$$K)SBR@'
2!{^*kaa:gU]z2/Jy/4N5h2o=F[WE=2V0gi(Btqo

The public key can be placed into the bx configuration as follows:

[server]
server_public_key = 2!{^*kaa:gU]z2/Jy/4N5h2o=F[WE=2V0gi(Btqo

All server endpoints have secure versions on distinct ports, assuming that the endpoints are enabled and the server.server_private_key setting is configured.

The port value in the bx server.url configuration setting determines whether bx connects to the secure query endpoint or the public query endpoint. The secure and public ports are also configurable at the server.
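
An added example, not part of the original wiki or of libbitcoin: a Python check that the server_private_key in a bs configuration is well-formed Z85 of the same length as the keys shown above, and that the file holding it is not readable by group or others. The function names, the finding strings and the use of Python's configparser to read the file are assumptions made for illustration.

```python
import configparser
import stat

Z85 = ("0123456789abcdefghijklmnopqrstuvwxyz"
       "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")

def z85_decode(text):
    """Decode Z85 text to bytes; raise ValueError if it is malformed."""
    if len(text) % 5:
        raise ValueError("length is not a multiple of 5")
    out = bytearray()
    for i in range(0, len(text), 5):
        value = 0
        for ch in text[i:i + 5]:
            idx = Z85.find(ch)
            if idx < 0:
                raise ValueError(f"{ch!r} is not a Z85 character")
            value = value * 85 + idx
        if value >= 1 << 32:
            raise ValueError("group does not fit in 4 bytes")
        out += value.to_bytes(4, "big")
    return bytes(out)

def audit_server_key(cfg_text, mode):
    """Return findings for the [server] section of a bs config.

    cfg_text is the file content, mode is os.stat(path).st_mode."""
    # '%' is a Z85 character, so configparser interpolation must be off.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    key = cfg.get("server", "server_private_key", fallback=None)
    if key is None:
        return ["server_private_key not set: no secure ports"]
    findings = []
    try:
        if len(z85_decode(key)) != 32:  # assumed: 40 chars, as on this page
            findings.append("key is not 40 Z85 characters")
    except ValueError as err:
        findings.append(f"malformed key: {err}")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("config with private key is group/world readable")
    return findings

if __name__ == "__main__":
    # Constructed sample config using the example key from this page.
    sample = "[server]\nserver_private_key = A6hgo]R8<48/xB3yfd5x]mt-a9u/*P^j$$K)SBR@\n"
    print(audit_server_key(sample, 0o100644))
```

A key that was altered on its way into the file, for example by shell expansion of `$$` or by truncation when pasting, usually fails the length or alphabet check here.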
