HTTPS with a Signed Certificate
Use HTTPS with a signed certificate.
By default the server uses a self-signed
certificate for a secure HTTP connection. TLS versions 1.2 and 1.3
are supported.
If you want to use your own server certificate (X.509 certificates), it is recommended to replace `/usr/local/demisto/cert.key` with the private key and `/usr/local/demisto/cert.pem` with the certificate. To create your own certificate and key, see Create a Private Key and Certificate Signing Request (CSR).
For the certificate PEM file, you must concatenate the certificate
chain one after the other in the file. The SSL certificate should
come first.
If you are using an intermediate certificate, the order is:
If you are not using an intermediate certificate, the order is:
Only the certificate itself is needed, i.e., the text between and including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
You can store the key and certificate in a different location by changing the `/etc/demisto.conf` file and adding the locations below:
{
"Security":{
"CertFile":"",
"KeyFile":""
}
}
Ensure both files have the correct ownership: `demisto:demisto`.
If your private key is encrypted, you need to add the key password to the one-time-configuration (OTC) file located in `/var/lib/demisto/otc.conf.json`.
After the file is saved and the Cortex XSOAR server is restarted, the OTC file is automatically deleted. Add the following content to the OTC file.
{"keypass":"certpassword"}
In a live backup setup environment, you need to stop both servers and update the certificates on both servers before bringing them back up.
Cortex XSOAR server does not support PKCS#8 encrypted PEM files. To validate that the file is supported, check that the "DEK-Info" header exists.
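A pre-flight check for the two format rules above (certificate text only between the BEGIN/END markers, and no PKCS#8-encrypted key), as an added example that is not part of the Cortex XSOAR documentation. The function names are hypothetical, and the key and chain file paths are passed as arguments.

```shell
#!/bin/sh
# Pre-flight check for a key/certificate pair before installing it.
# Function names are hypothetical; file paths are passed as arguments.

# Print the key file's format:
#   encrypted-pkcs8   "BEGIN ENCRYPTED PRIVATE KEY" (not supported by the server)
#   encrypted-legacy  DEK-Info header present (password goes in the OTC file)
#   unencrypted       a private key block with no encryption headers
#   unknown           no private key block found
key_format() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo "encrypted-pkcs8"
    elif grep -q '^DEK-Info:' "$1"; then
        echo "encrypted-legacy"
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo "unencrypted"
    else
        echo "unknown"
    fi
}

# Emit only the text between and including the BEGIN/END CERTIFICATE
# markers, dropping bag attributes or text dumps around each block.
cert_blocks_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ {keep=1}
         keep                          {print}
         /^-----END CERTIFICATE-----/   {keep=0}' "$1"
}

# Count the certificates in a chain file.
cert_count() {
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Usage: sh preflight.sh <key file> <chain file>
if [ "$#" -eq 2 ]; then
    fmt=$(key_format "$1")
    echo "key format: $fmt"
    echo "certificates in chain: $(cert_count "$2")"
    if [ "$fmt" = "encrypted-pkcs8" ] || [ "$fmt" = "unknown" ]; then
        echo "key file is not usable as-is: $fmt" >&2
        exit 1
    fi
fi
```

Redirect the output of `cert_blocks_only` to a new file to get a chain that contains nothing but the certificate blocks.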
When using a Safari browser, the self-signed
certificate must be added to the OS Keychain.