Create a Self-Signed Certificate

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-09-04
End_of_Life: EoL
Category: Administrator Guide

We recommend using a self-signed certificate only for development environments. For production environments, see Install or Renew a Custom Certificate.

Create the Certificate
  1. In an SSH session to the Cortex XSOAR server, install OpenSSL by running the following command:

    • For Ubuntu: sudo apt install openssl

    • For CentOS and Fedora: sudo yum install openssl

  2. Generate the private key and the certificate:

    openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example.crt -keyout example.key

    Note

    If you prefer to create a key without a passphrase, add the -nodes flag.

    Flag                  Description
    -newkey rsa:4096      Generates a new 4096-bit RSA private key. The default RSA key is 2048 bits.
    -x509                 Creates an X.509 certificate.
    -sha256               Uses 256-bit SHA (Secure Hash Algorithm).
    -days 3650            The number of days for which to certify the certificate. 3650 is ten years. You can use any positive integer.
    -out example.crt      Specifies the file name for the newly created certificate. You can specify any file name.
    -keyout example.key   Specifies the file name for the newly created private key. You can specify any file name.
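Before the pair replaces cert.pem and cert.key, it is worth confirming that the key belongs to the certificate, that the signature uses SHA-256, and that the certificate has not expired. The following is an added example, not part of the Cortex XSOAR guide: the function names and the -subj value are hypothetical, the key is assumed to have no passphrase (-nodes), and the sample pairs use rsa:2048 and -days 1 only to keep the demo fast.

```shell
#!/bin/sh
# Added example, not part of the Cortex XSOAR guide. Function names are
# hypothetical; the key is assumed to have no passphrase (-nodes).

# Print the PEM public key held in a certificate ("cert") or private key ("key").
pubkey_of() {
    case "$2" in
        cert) openssl x509 -in "$1" -noout -pubkey ;;
        key)  openssl pkey -in "$1" -pubout ;;
        *)    return 1 ;;
    esac 2>/dev/null
}

# check_pair CERT KEY
# Returns 0 if the pair can be applied, 1 if either file cannot be parsed,
# 2 if the key does not match the certificate, 3 if the signature hash is
# not SHA-256, 4 if the certificate has already expired.
check_pair() {
    cert_pub=$(pubkey_of "$1" cert) || return 1
    key_pub=$(pubkey_of "$2" key) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2
    openssl x509 -in "$1" -noout -text |
        grep -q 'Signature Algorithm: sha256' || return 3
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 4
    return 0
}

# Non-interactive form of the guide's command, used to build constructed
# sample pairs. rsa:2048 and -days 1 only keep the demo fast and short-lived;
# the CN is a made-up value.
make_pair() {
    openssl req -newkey rsa:2048 -x509 -sha256 -days 1 -nodes \
        -subj "/CN=xsoar-dev.example" \
        -out "$1.crt" -keyout "$1.key" 2>/dev/null
}

# Demo on two constructed pairs: one matching, one with the keys swapped.
demo_dir=$(mktemp -d)
make_pair "$demo_dir/a" && make_pair "$demo_dir/b"
rc=0; check_pair "$demo_dir/a.crt" "$demo_dir/a.key" || rc=$?
echo "matching pair: $rc"
rc=0; check_pair "$demo_dir/a.crt" "$demo_dir/b.key" || rc=$?
echo "swapped key:   $rc"
rm -rf "$demo_dir"
```

Run check_pair example.crt example.key before stopping the server; any non-zero result means the files should not be copied.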

Apply the Certificate
  1. Stop the Cortex XSOAR server.

    sudo service demisto stop

    Note

    In a live backup setup environment, you need to stop both servers and update the certificates on both servers before bringing them back up.

  2. Replace the existing default internal certificate in /usr/local/demisto/cert.pem and key in /usr/local/demisto/cert.key with the newly generated certificate and private key.

    For example:

    Copy the certificate (example.crt) to /usr/local/demisto: cp example.crt /usr/local/demisto/cert.pem

    Copy the key (example.key) to /usr/local/demisto: cp example.key /usr/local/demisto/cert.key

  3. (Optional) Add the certificate to your trusted certificate store.

    • For Ubuntu: Copy the certificate (.crt) file to /usr/local/share/ca-certificates/ and then run the command: sudo update-ca-certificates

    • For CentOS: Run the yum install ca-certificates command, copy the certificate (.crt) file to /etc/pki/ca-trust/source/anchors/, and then run the command: update-ca-trust extract

    Ensure that the (.crt) file permissions are 644.

    When running in a distributed database environment, add the database certificates as trusted on the application server.

    In a Red Hat operating system, make sure the certificate was appended to the file /etc/pki/tls/certs/ca-bundle.crt.

  4. Restart the Cortex XSOAR server.

    sudo service demisto start