Create a private key and certificate signing request in Cortex XSOAR. You can also troubleshoot key and certificate issues.
For security reasons, the default certificate for a production environment must be replaced with your private key and a certificate from a CA (Certificate Authority). For development environments, you have the option of using a self-signed certificate or a certificate from a CA (Certificate Authority).
Note
While the example below is generic, you might need to create your certificates and keys with different parameters, according to your internal company policies or compliance with regulations.
Create a Private Key and CSR
The following example is one way to create a private key and certificate signing request (CSR) on a Linux-based system. The procedure may be slightly different between Linux releases, operating system versions, and OpenSSL versions. Our example uses CentOS 7.
To replace the default internal certificate with a private key and a certificate from a CA (Certificate Authority):
Stop the Cortex XSOAR server.
sudo service demisto stop
In an SSH session to the Cortex XSOAR server, install OpenSSL by running the following command:
For Ubuntu and Debian:
sudo apt install openssl
For CentOS and Fedora:
sudo yum install openssl
Generate the private key and the certificate signing request by running the following command.
openssl req -newkey rsa:4096 -sha256 -out example.csr -keyout example.key
Flag | Description
-newkey rsa:4096 | Creates a new certificate request and a 4096-bit RSA key. The default RSA key is 2048 bits.
-sha256 | Uses 256-bit SHA (Secure Hash Algorithm).
-out example.csr | Specifies the file name for the newly created certificate signing request. You can specify any file name.
-keyout example.key | Specifies the file name for the newly created private key. You can specify any file name.
Note
If you prefer to create a key without a passphrase, add the -nodes flag.
Follow the on-screen instructions.
Send the CSR to the certificate signing authority. The CA (certificate authority) sends the certificate by email in different formats, for example, example.crt.
Replace the existing default internal certificate in /usr/local/demisto/cert.pem and key in /usr/local/demisto/cert.key with the newly generated certificate and private key. For example:
Copy the certificate (example.crt) to /usr/local/demisto:
cp example.crt /usr/local/demisto/cert.pem
Copy the key (example.key) to /usr/local/demisto:
cp example.key /usr/local/demisto/cert.key
If you store the certificate and key in a folder other than /usr/local/demisto, you must edit the /etc/demisto.conf file and add the locations below:
{
  "Security": {
    "CertFile": "",
    "KeyFile": ""
  }
}
Check that both files have the correct ownership: demisto:demisto.
Restart the Cortex XSOAR server.
sudo service demisto start
Create a Self-Signed Certificate
To create a self-signed certificate:
In an SSH session to the Cortex XSOAR server, install OpenSSL by running the following command:
For Ubuntu and Debian:
sudo apt install openssl
For CentOS and Fedora:
sudo yum install openssl
Generate the private key and the certificate:
openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example.crt -keyout example.key
Note
If you prefer to create a key without a passphrase, add the -nodes flag.
Flag | Description
-newkey rsa:4096 | Generates a new 4096-bit RSA private key. The default RSA key is 2048 bits.
-x509 | Creates an X.509 certificate.
-sha256 | Uses 256-bit SHA (Secure Hash Algorithm).
-days 3650 | The number of days for which to certify the certificate. 3650 is ten years. You can use any positive integer.
-out example.crt | Specifies the file name for the newly created certificate. You can specify any file name.
-keyout example.key | Specifies the file name for the newly created private key. You can specify any file name.
Replace the existing default internal certificate in /usr/local/demisto/cert.pem and key in /usr/local/demisto/cert.key with the newly generated certificate and private key. For example:
Copy the certificate (example.crt) to /usr/local/demisto:
cp example.crt /usr/local/demisto/cert.pem
Copy the key (example.key) to /usr/local/demisto:
cp example.key /usr/local/demisto/cert.key
(Optional) Add the certificate to your trusted certificate store.
For Ubuntu: Copy the certificate (.crt) file to /usr/local/share/ca-certificates/ and then run the command: sudo update-ca-certificates
For CentOS: Run the yum install ca-certificates command, copy the certificate (.crt) file to /etc/pki/ca-trust/source/anchors/, and then run the command: update-ca-trust extract
Ensure that the (.crt) file permissions are 644.
When running in a distributed database environment, add the database certificates as trusted on the application server.
In a Red Hat operating system, make sure the certificate was appended to the file /etc/pki/tls/certs/ca-bundle.crt.
Restart the Cortex XSOAR server.
sudo service demisto start
Troubleshoot Creating a Private Key and CSR
After the newly generated certificate key pair is copied to /usr/local/demisto, if the browser does not show the new certificate, do one or more of the following:
Check whether the FQDN specified in the certificate is the same as the FQDN of the Cortex XSOAR server.
Check whether there are any other certificates or keys in /usr/local/demisto, other than the ones generated recently for the Cortex XSOAR server. If so, remove or move them to another folder on the server.
In the browser in which you are trying to load Cortex XSOAR, clear cookies and other data.
If the Cortex XSOAR server is behind a load balancer, re-upload the certificate on the load balancer. For example, if the Cortex XSOAR server is behind the ELB (Elastic Load Balancing), re-import the certificate on ELB (Elastic Load Balancing) on the Amazon Certificate Manager AWS console.
Confirm the demisto.conf file contains the following keys:
{
  "Security": {
    "CertFile": "",
    "KeyFile": ""
  }
}
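The FQDN and ownership checks described above, plus a check that the private key actually belongs to the certificate, can be scripted and run before the server is started. This is an added example, not part of the Cortex XSOAR documentation; the function names check_cert_pair and make_sample_pair and the KEY_PASS variable are assumptions made for illustration, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: pre-flight checks for a certificate/key pair.
# Usage: check_cert_pair /usr/local/demisto/cert.pem \
#            /usr/local/demisto/cert.key <server FQDN> [owner]
# Prints one FAIL line per problem and returns the number of problems.
check_cert_pair() {
    cert=$1; key=$2; fqdn=$3; owner=${4:-demisto:demisto}; fail=0

    # 1. The certificate must carry the public key of this private key.
    #    KEY_PASS (assumed variable name) supplies the passphrase, if any.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout \
        -passin "pass:${KEY_PASS:-}" 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert (or a file is unreadable)"
        fail=$((fail + 1))
    fi

    # 2. The certificate must be valid for the server FQDN. OpenSSL falls
    #    back to the subject CN when the certificate has no subjectAltName;
    #    current browsers check subjectAltName only.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: $cert is not valid for host $fqdn"
        fail=$((fail + 1))
    fi

    # 3. Both files must be owned by the service account (GNU stat syntax).
    for f in "$cert" "$key"; do
        if [ "$(stat -c '%U:%G' "$f" 2>/dev/null)" != "$owner" ]; then
            echo "FAIL: $f is not owned by $owner"
            fail=$((fail + 1))
        fi
    done
    return "$fail"
}

# make_sample_pair DIR FQDN: constructed throwaway pair for trying the checks.
# 2048 bits, one day and -nodes only to keep the trial fast and non-interactive.
make_sample_pair() {
    openssl req -newkey rsa:2048 -x509 -sha256 -days 1 -nodes \
        -subj "/CN=$2" -out "$1/cert.pem" -keyout "$1/cert.key" 2>/dev/null
}
```

A return value of 0 means all checks passed; each FAIL line names the file and the check that needs attention.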