Managing the TLS certificate
Amazon DCV automatically generates a self-signed certificate that's used to secure traffic between the Amazon DCV client and Amazon DCV server. By default, if no other certificate is installed, this certificate is used. The default certificate includes two files. They are the certificate itself (dcv.pem) and a key (dcv.key). For more information, please see Redirection clarifications with self-signed certificates.
When DCV client users connect to a server, they might receive server certificate warnings that they can act on to verify the certificate before the connection is established.
If they are using a web browser to connect, the browser might warn client users about trusting the server's certificate and advise them to contact the administrator to confirm the certificate's authenticity.
Similarly, if they are using a Windows, Linux or macOS client, they might be advised to confirm a given certificate's fingerprint with the Amazon DCV server administrator.
To verify the authenticity of their certificate fingerprints, run dcv list-endpoints -j and check the output against their certificate fingerprints.
You can replace the default Amazon DCV certificate and its key with your own certificate and key.
When you generate your own certificate, select the certificate attributes that meet your specific needs. The CN (Common Name) attribute in most cases must match the public hostname of the host. You also might want to specify the SAN (Subject Alternative Name) attribute and set it to the IP address of the host.
For instructions on how to generate a certificate, see the documentation of your specific Certification Authority.
Important
If you use your own certificate and key, you must name your certificate dcv.pem and you must name the key dcv.key.
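The following is an added example, not part of the Amazon DCV documentation: a set of OpenSSL checks to run on a replacement pair before installing it as dcv.pem and dcv.key. It confirms that the key belongs to the certificate, that the CN/SAN cover the host name and IP address, and prints the fingerprint to hand to client users. The host name, IP address, throwaway self-signed pair and the SHA-256 digest are assumptions made so the example runs offline; in practice the certificate comes from your Certification Authority.

```shell
#!/bin/sh
# Added example: checks to run on a replacement certificate pair before
# installing it as dcv.pem / dcv.key. Host name and IP are constructed values.

# Create a throwaway self-signed pair for testing, with CN and SAN set.
make_sample_pair() {  # $1=dir  $2=host name  $3=IP address
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2,IP:$3" \
        -keyout "$1/dcv.key" -out "$1/dcv.pem" 2>/dev/null
}

# Succeeds only when the private key belongs to the certificate.
key_matches_cert() {  # $1=certificate  $2=key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only when the certificate is valid for both the name and the IP.
cert_covers() {  # $1=certificate  $2=host name  $3=IP address
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match' &&
        openssl x509 -in "$1" -noout -checkip "$3" | grep -q 'does match'
}

# Print the fingerprint as colon-separated hex (SHA-256 is an assumption;
# use the digest your client displays).
cert_fingerprint() {  # $1=certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo on a constructed pair in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" dcv.example.internal 192.0.2.10
key_matches_cert "$demo_dir/dcv.pem" "$demo_dir/dcv.key" && echo "key matches certificate"
cert_covers "$demo_dir/dcv.pem" dcv.example.internal 192.0.2.10 && echo "CN/SAN cover host name and IP"
echo "fingerprint: $(cert_fingerprint "$demo_dir/dcv.pem")"
rm -rf "$demo_dir"
```

The -addext option requires OpenSSL 1.1.1 or later.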