Create a Private Key and Certificate Signing Request (CSR) - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.5
Creation date: 2022-09-28
Last date published: 2024-11-12
End of life: EoL
Category: Administrator Guide
Abstract

Create a private key and certificate signing request in Cortex XSOAR. You can also troubleshoot key and certificate issues.

For security reasons, the default certificate in a production environment must be replaced with your own private key and a certificate issued by a certificate authority (CA). In development environments, you can use either a self-signed certificate or a certificate from a CA.

Note

While the example below is generic, you might need to create your certificates and keys with different parameters, according to your internal company policies or compliance with regulations.

Create a Private Key and CSR

The following example is one way to create a private key and certificate signing request (CSR) on a Linux-based system. The exact procedure may differ slightly between Linux distributions, operating system versions, and OpenSSL versions. Our example uses CentOS 7.

To replace the default internal certificate with a private key and a certificate from a CA (Certificate Authority):

  1. Stop the Cortex XSOAR server.

    sudo service demisto stop

  2. In an SSH session to the Cortex XSOAR server, install OpenSSL by running the following command:

    • For Ubuntu and Debian: sudo apt install openssl

    • For CentOS and Fedora: sudo yum install openssl

  3. Generate the private key and the certificate signing request by running the following command.

    openssl req -newkey rsa:4096 -sha256 -out example.csr -keyout example.key

    Flags used in this command:

    -newkey rsa:4096
      Creates a new certificate request and a 4096-bit RSA key. The default RSA key size is 2048 bits.

    -sha256
      Uses SHA-256 (256-bit Secure Hash Algorithm) to sign the request.

    -out example.csr
      Specifies the file name for the newly created certificate signing request. You can specify any file name.

    -keyout example.key
      Specifies the file name for the newly created private key. You can specify any file name.

    Note

    If you prefer to create a key without a passphrase, add the -nodes flag.

  4. Follow the on-screen instructions.

    Submit the CSR to your certificate authority (CA). The CA returns the signed certificate, usually by email, in one of several formats, for example as example.crt.

  5. Replace the existing default internal certificate in /usr/local/demisto/cert.pem and key in /usr/local/demisto/cert.key with the newly generated private key and the certificate issued by the CA.

    For example:

    Copy the certificate (example.crt) to /usr/local/demisto: cp example.crt /usr/local/demisto/cert.pem

    Copy the key (example.key) to /usr/local/demisto: cp example.key /usr/local/demisto/cert.key

  6. If you store the certificate and key in a folder other than /usr/local/demisto, you must edit the /etc/demisto.conf file and set CertFile and KeyFile in the Security section to the full paths of the certificate and key:

    {
      "Security": {
        "CertFile": "",
        "KeyFile": ""
      }
    }

    Check both files have the correct ownership: demisto:demisto.

  7. Restart the Cortex XSOAR server.

    sudo service demisto start

Create a Self-Signed Certificate

To create a self-signed certificate:

  1. In an SSH session to the Cortex XSOAR server, install OpenSSL by running the following command:

    • For Ubuntu and Debian: sudo apt install openssl

    • For CentOS and Fedora: sudo yum install openssl

  2. Generate the private key and the certificate:

    openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example.crt -keyout example.key

    Note

    If you prefer to create a key without a passphrase, add the -nodes flag.

    Flags used in this command:

    -newkey rsa:4096
      Generates a new 4096-bit RSA private key. The default RSA key size is 2048 bits.

    -x509
      Creates a self-signed X.509 certificate instead of a certificate signing request.

    -sha256
      Uses SHA-256 (256-bit Secure Hash Algorithm) to sign the certificate.

    -days 3650
      The number of days for which the certificate is valid. 3650 is ten years. You can use any positive integer.

    -out example.crt
      Specifies the file name for the newly created certificate. You can specify any file name.

    -keyout example.key
      Specifies the file name for the newly created private key. You can specify any file name.

  3. Replace the existing default internal certificate in /usr/local/demisto/cert.pem and key in /usr/local/demisto/cert.key with the newly generated private key and self-signed certificate.

    For example:

    Copy the certificate (example.crt) to /usr/local/demisto: cp example.crt /usr/local/demisto/cert.pem

    Copy the key (example.key) to /usr/local/demisto: cp example.key /usr/local/demisto/cert.key

  4. (Optional) Add the certificate to your trusted certificate store.

    • For Ubuntu: Copy the certificate (.crt) file to /usr/local/share/ca-certificates/ and then run: sudo update-ca-certificates

    • For CentOS: Run yum install ca-certificates, copy the certificate (.crt) file to /etc/pki/ca-trust/source/anchors/, and then run: update-ca-trust extract

    Ensure that the permissions of the (.crt) file are 644.

    When running in a distributed database environment, add the database certificates as trusted on the application server.

    On a Red Hat operating system, make sure the certificate was appended to the file /etc/pki/tls/certs/ca-bundle.crt.

  5. Restart the Cortex XSOAR server.

    sudo service demisto start
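The key-generation step of both procedures above, as an added example that is not part of the Cortex XSOAR guide: it runs openssl non-interactively so that the server FQDN is placed in the subject CN and in a DNS subjectAltName (the name browsers actually match), and then checks the resulting CSR or certificate. It assumes OpenSSL 1.1.1 or later for the -addext option (the stock OpenSSL 1.0.2 on CentOS 7 does not have it); the mode, FQDN and file names are arguments.

```shell
#!/bin/sh
# Added example, not part of the Cortex XSOAR guide: the key-generation step of
# both procedures above, run non-interactively so that the server FQDN lands in
# the subject CN and in a DNS subjectAltName (the name browsers actually match).
# Assumes OpenSSL 1.1.1 or later (for -addext); FQDN and file names are arguments.
set -eu

# gen_key MODE FQDN KEYFILE OUTFILE
#   csr        -> private key + CSR to send to the CA (guide flags: -newkey rsa:4096 -sha256)
#   selfsigned -> private key + self-signed certificate (guide flags: -x509 -days 3650)
# -nodes leaves the key without a passphrase, as described in the guide's note.
gen_key() {
    mode=$1; fqdn=$2; key=$3; out=$4
    case $mode in
        csr)        extra="" ;;
        selfsigned) extra="-x509 -days 3650" ;;
        *) echo "mode must be csr or selfsigned" >&2; return 1 ;;
    esac
    # $extra is left unquoted on purpose so it expands to separate arguments
    openssl req -newkey rsa:4096 -sha256 -nodes $extra \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$key" -out "$out" 2>/dev/null
    chmod 600 "$key"   # the private key must not be readable by other users
}

# check_output MODE FQDN OUTFILE
# Returns 0 if the CSR (self-signature verified) or certificate parses and
# names FQDN in its SAN, 1 if it does not parse or verify, 2 if the SAN is wrong.
check_output() {
    mode=$1; fqdn=$2; out=$3
    case $mode in
        csr)        text=$(openssl req -in "$out" -noout -verify -text 2>/dev/null) || return 1 ;;
        selfsigned) text=$(openssl x509 -in "$out" -noout -text 2>/dev/null) || return 1 ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$text" | grep -qF "DNS:$fqdn" || return 2
}

# Run directly: sh gen_key.sh csr xsoar.example.com example.key example.csr
if [ $# -eq 4 ]; then
    gen_key "$@" && check_output "$1" "$2" "$4" && echo "$4 OK for $2"
fi
```

For the CSR mode, send the resulting .csr to the CA as in step 4; the self-signed mode produces the certificate that step 3 of the second procedure copies to /usr/local/demisto/cert.pem.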

Troubleshoot Creating a Private Key and CSR

After the newly generated certificate key pair is copied to /usr/local/demisto, if the browser does not show the new certificate, do one or more of the following:

  • Check whether the FQDN specified in the certificate is the same as the FQDN of the Cortex XSOAR server.

  • Check whether there are any other certificates or keys in /usr/local/demisto, other than the ones generated recently for the Cortex XSOAR server. If so, remove or move them to another folder on the server.

  • On your browser on which you are trying to load Cortex XSOAR, clear cookies and other data.

  • If the Cortex XSOAR server is behind a load balancer, re-upload the certificate to the load balancer. For example, if the server is behind AWS Elastic Load Balancing (ELB), re-import the certificate for the ELB in the AWS Certificate Manager console.

  • Confirm the demisto.conf file contains the following keys:

    {
      "Security": {
        "CertFile": "",
        "KeyFile": ""
      }
    }
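The troubleshooting checks above, scripted as an added example that is not part of the Cortex XSOAR guide: before restarting the server it confirms that cert.key belongs to cert.pem, that the server FQDN appears in the certificate's SAN, that no other certificate or key files remain in the directory, and that both files have the expected ownership. It assumes an unencrypted key (created with -nodes) and GNU or busybox stat; the FQDN, directory and expected owner are arguments.

```shell
#!/bin/sh
# Added example, not part of the Cortex XSOAR guide: scripts the troubleshooting
# checks above for the pair installed in /usr/local/demisto before the server is
# restarted. Assumes an unencrypted key (created with -nodes) and GNU or busybox
# stat; the FQDN, directory and expected owner are arguments.
set -eu

# pubkey_of KIND FILE : print the SubjectPublicKeyInfo of a private key or an x509 cert
pubkey_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        x509) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    esac
}

# check_pair FQDN DIR OWNER
# Returns 0 if DIR/cert.pem and DIR/cert.key pass all checks, otherwise:
# 1 key does not match the certificate (or a file is missing), 2 FQDN not in the SAN,
# 3 other certificate/key files left in DIR, 4 wrong ownership, 5 key readable by others
check_pair() {
    fqdn=$1; dir=$2; owner=$3
    cert="$dir/cert.pem"; key="$dir/cert.key"
    [ -s "$cert" ] && [ -s "$key" ] || return 1
    # 1. the copied key must belong to the copied certificate
    [ "$(pubkey_of x509 "$cert")" = "$(pubkey_of key "$key")" ] || return 1
    # 2. the name the browser connects to must be in the certificate's SAN
    openssl x509 -in "$cert" -noout -text | grep -qF "DNS:$fqdn" || return 2
    # 3. no stray certificates or keys next to the active pair
    stray=$(ls "$dir" | grep -E '\.(pem|key|crt|csr)$' | grep -vE '^cert\.(pem|key)$' | wc -l | tr -d ' ')
    [ "$stray" -eq 0 ] || return 3
    # 4. ownership as the guide requires (demisto:demisto on a real server)
    [ "$(stat -c %U:%G "$cert")" = "$owner" ] && [ "$(stat -c %U:%G "$key")" = "$owner" ] || return 4
    # 5. the private key should be readable by its owner only
    case $(stat -c %a "$key") in 600|400) ;; *) return 5 ;; esac
}

# Run directly: sh check_pair.sh xsoar.example.com /usr/local/demisto demisto:demisto
if [ $# -eq 3 ]; then
    check_pair "$@" && echo "certificate and key in $2 are consistent for $1"
fi
```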