Create a Private Key and Certificate Signing Request (CSR)
Create a private key and certificate signing request in Cortex XSOAR, and troubleshoot key and certificate issues.
For security reasons, the default certificate in a production environment must be replaced with your own private key and a certificate issued by a CA (Certificate Authority). In a development environment, you can use either a self-signed certificate or a certificate from a CA.
Create a Private Key and CSR
To replace the default internal certificate with a private key and a certificate from a CA (Certificate Authority):
- Stop the Cortex XSOAR server:
    sudo service demisto stop
- In an SSH session to the Cortex XSOAR server, install OpenSSL:
  - For Ubuntu and Debian:
      sudo apt install openssl
  - For CentOS and Fedora:
      sudo yum install openssl
- Generate the private key and the certificate signing request:
    openssl req -newkey rsa:4096 -sha256 -days 3650 -out example.csr -keyout example.key
  Flag                 Description
  -newkey rsa:4096     Creates a new certificate request and a 4096-bit RSA key. The default RSA key is 2048 bits.
  -sha256              Uses 256-bit SHA (Secure Hash Algorithm).
  -days 3650           The number of days for which to certify the certificate. 3650 is ten years. You can use any positive integer.
  -out example.csr     Specifies the file name for the newly created certificate signing request. You can specify any file name.
  -keyout example.key  Specifies the file name for the newly created private key. You can specify any file name.
  If you prefer to create a key without a passphrase, add the -nodes flag.
- Follow the on-screen prompts, then send the CSR to the certificate authority. The CA returns the certificate by email, in one of several formats, for example example.crt.
- Replace the existing default internal certificate in /usr/local/demisto/cert.pem and key in /usr/local/demisto/cert.key with the newly generated certificate and private key. For example:
  - Copy the certificate (example.crt) to /usr/local/demisto:
      cp example.crt /usr/local/demisto/cert.pem
  - Copy the key (example.key) to /usr/local/demisto:
      cp example.key /usr/local/demisto/cert.key
- Restart the Cortex XSOAR server:
    sudo service demisto start
  Keep the certificate and key files in a location other than /usr/local/demisto.
Create a Self-Signed Certificate
To create a self-signed certificate:
- In an SSH session to the Cortex XSOAR server, install OpenSSL:
  - For Ubuntu and Debian:
      sudo apt install openssl
  - For CentOS and Fedora:
      sudo yum install openssl
- Generate the private key and the certificate:
    ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -m pem
  If you are not using a passphrase-protected key, you can instead generate the private key and certificate with openssl:
    openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example.crt -keyout example.key
  Flag                 Description
  -newkey rsa:4096     Generates a new 4096-bit RSA private key. The default RSA key is 2048 bits.
  -x509                Creates a self-signed X.509 certificate instead of a certificate signing request.
  -sha256              Uses 256-bit SHA (Secure Hash Algorithm).
  -days 3650           The number of days for which to certify the certificate. 3650 is ten years. You can use any positive integer.
  -out example.crt     Specifies the file name for the newly created self-signed certificate. You can specify any file name.
  -keyout example.key  Specifies the file name for the newly created private key. You can specify any file name.
  If you prefer to create a key without a passphrase, add the -nodes flag.
- Replace the existing default internal certificate in /usr/local/demisto/cert.pem and key in /usr/local/demisto/cert.key with the newly generated certificate and private key. For example:
  - Copy the certificate (example.crt) to /usr/local/demisto:
      cp example.crt /usr/local/demisto/cert.pem
  - Copy the key (example.key) to /usr/local/demisto:
      cp example.key /usr/local/demisto/cert.key
- (Optional) Add the certificate to your trusted certificate store.
  - For Ubuntu: Copy the certificate (.crt) file to /usr/local/share/ca-certificates/ and run:
      sudo update-ca-certificates
  - For CentOS: Run yum install ca-certificates, copy the certificate (.crt) file to /etc/pki/ca-trust/source/anchors/, and run:
      update-ca-trust extract
  Ensure that the .crt file permissions are 644. When running in a distributed database environment, add the database certificates as trusted on the application server. On Red Hat operating systems, make sure the certificate was appended to /etc/pki/tls/certs/ca-bundle.crt.
- Restart the Cortex XSOAR server:
    sudo service demisto start
  Keep the certificate and key files in a location other than /usr/local/demisto.
Troubleshoot Creating a Private Key and CSR
After the newly generated certificate and key pair are copied to /usr/local/demisto, if the browser does not show the new certificate, do one or more of the following:
- Check whether the FQDN specified in the certificate is the same as the FQDN of the Cortex XSOAR server.
- Check whether there are any other certificates or keys in /usr/local/demisto other than the ones recently generated for the Cortex XSOAR server. If so, remove them or move them to another folder on the server.
- In the browser on which you are trying to load Cortex XSOAR, clear cookies and other site data. For example, in Chrome, go to Settings > Advanced > Clear browsing data > Clear data.
- If the Cortex XSOAR server is behind a load balancer, re-upload the certificate to the load balancer. For example, if the Cortex XSOAR server is behind ELB (Elastic Load Balancing), re-import the certificate for the ELB in the Amazon Certificate Manager AWS console.
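The two procedures above and this troubleshooting list, as an added shell example that is not from the Cortex XSOAR documentation: it generates a key and CSR (or a self-signed certificate) non-interactively with a subjectAltName for the server FQDN, then checks that the private key matches the certificate, that the certificate carries the FQDN, and that no stray certificate or key files sit beside cert.pem and cert.key. The FQDN xsoar.example.test, the function names, and the use of a config file instead of -addext are this example's own assumptions; it needs only the openssl CLI.

```shell
# Added example, not from the Cortex XSOAR docs. Assumes only the openssl CLI.
set -eu

# Minimal openssl config carrying a subjectAltName for the FQDN ($1); used instead of -addext.
san_config() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_req]\nsubjectAltName = DNS:%s\n' "$1"
}

# gen_csr FQDN KEYFILE CSRFILE: passphrase-less key (as with -nodes) plus the CSR to hand to the CA.
gen_csr() {
    cfg=$(mktemp); san_config "$1" >"$cfg"
    openssl req -new -newkey rsa:4096 -nodes -sha256 -subj "/CN=$1" \
        -config "$cfg" -reqexts v3_req -keyout "$2" -out "$3" 2>/dev/null
    rm -f "$cfg"
}

# gen_selfsigned FQDN KEYFILE CRTFILE: development-only self-signed certificate, valid ten years.
gen_selfsigned() {
    cfg=$(mktemp); san_config "$1" >"$cfg"
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 -subj "/CN=$1" \
        -config "$cfg" -extensions v3_req -keyout "$2" -out "$3" 2>/dev/null
    rm -f "$cfg"
}

# csr_valid CSRFILE: the request's self-signature verifies (file was not truncated or edited).
csr_valid() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# key_matches_cert KEYFILE CRTFILE: the public key in the certificate belongs to this private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# cert_covers_fqdn CRTFILE FQDN: the name browsers validate appears as a DNS SAN entry.
cert_covers_fqdn() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qE "DNS:$2([, ]|\$)"
}

# stray_files DIR: count cert/key-looking files other than cert.pem and cert.key (leftovers to move out).
stray_files() {
    n=0
    for f in "$1"/*.pem "$1"/*.key "$1"/*.crt "$1"/*.csr; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in cert.pem|cert.key) ;; *) n=$((n + 1)) ;; esac
    done
    echo "$n"
}
```

Run the checks against /usr/local/demisto after copying the files and before restarting the server; a failing key_matches_cert or cert_covers_fqdn explains most "browser still shows the old certificate" reports.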