HTTPS with a Signed Certificate - Administrator Guide - EoL - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide
End of Life > EoL

Use HTTPS with a signed certificate in Cortex XSOAR. Certificate PEM file.

By default the server uses a self-signed certificate for a secure HTTP connection. TLS versions 1.2 and 1.3 are supported.

If you want to use your own server certificate (X.509 certificates), it is recommended to replace `/usr/local/demisto/cert.key` with the private key and `/usr/local/demisto/cert.pem` with the certificate. To create your own certificate and key, see Create a Private Key and Certificate Signing Request (CSR).

For the certificate PEM file, you must concatenate the certificate chain one after the other in the file. The SSL certificate should come first.

If you are using an intermediate certificate, the order is:

  1. SSL certificate

  2. Intermediate certificate

  3. CA certificate

If you are not using an intermediate certificate, the order is:

  1. SSL Certificate

  2. CA Certificate

Only the certificate itself is needed, i.e., the text between and including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".

You can store the key and certificate in a different location, by changing the /etc/demisto.conf file and adding the locations below:


Ensure both files have the correct ownership: demisto:demisto

If your private key is encrypted, you need to add the key password to the one-time-configuration (OTC) file located in /var/lib/demisto/otc.conf.json. After the file is saved and the Cortex XSOAR server is restarted, the OTC file is automatically deleted. Add the following content to the OTC file: {"keypass":"certpassword"}.

In a live backup setup environment, you need to stop both servers and update the certificates on both servers before bringing them back up.



Cortex XSOAR server does not support PKCS#8 encrypted PEM files. To validate that the file is in a format that is supported, view the encrypted .key file (you can use one of the following commands - vi / less / cat) and check that the "DEK-Info" header exists.

A certificate with the DEK-Info header begins with the following:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,B94C43E0E49D267EB3AA84DC19EB41ED

If the DEK-Info header is not similar to the example above, the file is likely in the wrong format (PKCS#8).

You can convert the .key file to the proper format by running the following command:

openssl rsa -in oldcert.key -out cert.key -aes256


You don't have to use aes256, you can use des3 or whichever encryption method you prefer.

After you run this command, view the .key file and verify that the DEK-Info header is similar to the example above. This should allow the .key file to be read.


When using a Safari browser, the self-signed certificate must be added to the OS Keychain.