We recommend using a self-signed certificate only for development environments. For production environments, see Install or Renew a Custom Certificate.
Create the certificate
In an SSH session to the Cortex XSOAR server, install OpenSSL by running the following command:
For Ubuntu:
sudo apt install openssl
For Fedora:
sudo yum install openssl
Generate the private key and the certificate:
openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example.crt -keyout example.key
Note
If you prefer to create a key without a passphrase, add the
-nodes
flag.Flag
Description
-newkey rsa:4096
Generates a 4096-bit RSA new private key. The default RSA key is 2048 bits.
-x509
Creates a X.509 certificate.
-sha256
Uses 265-bit SHA (Secure Hash Algorithm).
-days 3650
The number of days for which to certify the certificate. 3650 is ten years. You can use any positive integer.
-out example.csr
Specifies the file name for the newly created certificate signing request. You can specify any file name.
-keyout example.key
Specifies the file name for the newly created private key. You can specify any file name.
Apply the Certificate
Stop the Cortex XSOAR server.
sudo service demisto stop
Note
In a live backup setup environment, you need to stop both servers and update the certificates on both servers before bringing them back up.
Replace the existing default internal certificate in
/usr/local/demisto/cert.pem
and key in/usr/local/demisto/cert.key
with the newly generated private certificate and key.For example:
Copy the certificate (example.crt) to /usr/local/demisto:
cp example.crt /usr/local/demisto/cert.pem
Copy the key (example.key) to /usr/local/demisto:
cp example.key /usr/local/demisto/cert.key
(Optional) Add the certificate to your trusted certificate store.
For Ubuntu: Copy the certificate (.crt) file to:
/usr/local/share/ca-certificates/
using the command:sudo update-ca-certificates
.Ensure that the (.crt) file permissions is: 644
When running in a distributed database environment, in the application server add the database certificates as trusted.
In a Red Hat operating system, make sure the certificate was appended in the file
/etc/pki/tls/certs/ca-bundle.crt
Restart the Cortex XSOAR server.
sudo service demisto start