Create a Private Key and Certificate Signing Request (CSR)

Create a private key and certificate signing request for Cortex XSOAR, and troubleshoot key and certificate issues.
The default certificate shipped with Cortex XSOAR is not issued to your server, so for a production environment it must be replaced with your own private key and a certificate from a CA (Certificate Authority). For development environments, you can use either a self-signed certificate or a certificate from a CA.

Create a Private Key and CSR

To replace the default internal certificate with a private key and a certificate from a CA (Certificate Authority):
  1. In an SSH session to the Cortex XSOAR server, install OpenSSL by running the following command:
    • For Ubuntu and Debian:
      sudo apt install openssl
    • For CentOS and Fedora:
      sudo yum install openssl
  2. Generate the private key and the certificate signing request by running the following command:
    openssl req -newkey rsa:4096 -sha256 -out example.csr -keyout example.key
    Flag and description:
    -newkey rsa:4096
      Creates a new certificate request and a new 4096-bit RSA key. The default RSA key size is 2048 bits.
    -sha256
      Signs the request with SHA-256 (the 256-bit member of the SHA-2 family).
    -out example.csr
      Specifies the file name for the newly created certificate signing request. You can specify any file name.
    -keyout example.key
      Specifies the file name for the newly created private key. You can specify any file name.
    Do not add -days to this command: OpenSSL honors -days only when it issues a certificate itself (with -x509) and ignores it for a CSR. The validity period of a CA-issued certificate is set by the CA, and publicly trusted CAs do not issue ten-year certificates.
    By default, openssl prompts for a passphrase and encrypts the private key with it. If you prefer to create a key without a passphrase, add the following flag:
    -nodes
    (OpenSSL 3.0 also accepts -noenc, the newer name for the same option.)
  3. Answer the prompts. Enter the FQDN of the Cortex XSOAR server (the name users type into the browser) as the Common Name; the other fields are informational. Browsers match the host name against the subjectAltName extension rather than the Common Name, so ask the CA to include the FQDN as a DNS subjectAltName (public CAs do this by default), or add it to the request yourself with the -addext option of OpenSSL 1.1.1 and later.
    Submit example.csr to your CA. Only the CSR is sent; example.key stays on the server and must never leave it. The CA returns the signed certificate, usually by email, in one of several formats. For example, example.crt. If the CA also supplies intermediate certificates, they typically need to follow the server certificate in the same PEM file so that browsers can build the chain.
  4. Replace the existing default internal certificate in
    /usr/local/demisto/cert.pem
    and key in
    /usr/local/demisto/cert.key
    with the CA-issued certificate and the private key you generated. Keep the key file readable only by the account that runs the Cortex XSOAR server.
    For example:
    Copy the certificate (example.crt) to /usr/local/demisto:
    cp example.crt /usr/local/demisto/cert.pem
    Copy the key (example.key) to /usr/local/demisto:
    cp example.key /usr/local/demisto/cert.key
  5. Restart the Cortex XSOAR server.
    sudo service demisto restart
    Keep your working copies of the certificate and key (example.crt, example.key) in a directory other than
    /usr/local/demisto
    . Stray certificate or key files in that directory can cause the server to pick up the wrong pair (see Troubleshoot Creating a Private Key and CSR).
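As an added example (this is not part of the Cortex XSOAR documentation or its tooling), the following POSIX shell script performs steps 2 and 3 of the procedure above non-interactively and checks the result before anything is sent to the CA. It assumes OpenSSL 1.1.1 or later (for -addext); xsoar.example.com and the output directory are placeholders. Beyond the procedure itself, it puts the FQDN into a subjectAltName, creates the key with mode 0600, and verifies that the CSR is well-formed, belongs to the key, and names the server.

```shell
#!/bin/sh
# Added example, not from the Cortex XSOAR docs. Generates a private key and
# CSR for the XSOAR server and validates them before the CSR goes to the CA.
# Assumes OpenSSL >= 1.1.1 (for -addext). FQDN and paths are placeholders.

# make_csr DIR FQDN: write DIR/example.key (mode 0600) and DIR/example.csr.
# -days is deliberately absent: it is ignored without -x509; the CA sets validity.
make_csr() {
    dir=$1
    fqdn=$2
    # umask in a subshell so the key is born 0600 without touching the caller's umask
    ( umask 077 && openssl req -newkey rsa:4096 -sha256 -nodes \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$dir/example.key" -out "$dir/example.csr" )
}

# csr_selfsig_ok CSR: 0 if the CSR's self-signature verifies (file not corrupted)
csr_selfsig_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY: 0 if the public key in the CSR is derived from KEY
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# csr_has_san CSR FQDN: 0 if the CSR requests DNS:FQDN in subjectAltName.
# Browsers match the host name against the SAN, not the Common Name.
csr_has_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$2(,|[[:space:]]|$)"
}

# key_is_private KEY: 0 if the key file is readable only by its owner (-rw-------)
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# prepare_csr DIR FQDN: run the whole flow; 0 only if every check passes
prepare_csr() {
    make_csr "$1" "$2" &&
        csr_selfsig_ok "$1/example.csr" &&
        csr_matches_key "$1/example.csr" "$1/example.key" &&
        csr_has_san "$1/example.csr" "$2" &&
        key_is_private "$1/example.key"
}

# Usage: sh make_csr.sh /root/xsoar-tls xsoar.example.com
if [ "$#" -eq 2 ]; then
    mkdir -p "$1" && prepare_csr "$1" "$2" \
        && echo "CSR ready: $1/example.csr (send only this file to the CA; $1/example.key stays here)"
fi
```

The checks are cheap and catch the two mistakes that most often surface only after the CA has issued the certificate: a CSR generated from a different key than the one later installed, and a request that carries the host name only in the Common Name.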

Create a Self-Signed Certificate

To create a self-signed certificate:
  1. In an SSH session to the Cortex XSOAR server, install OpenSSL by running the following command:
    • For Ubuntu and Debian:
      sudo apt install openssl
    • For CentOS and Fedora:
      sudo yum install openssl
  2. Generate the private key and the self-signed certificate with openssl. (ssh-keygen produces an SSH key pair, not an X.509 certificate, so it cannot be used for this step.)
    openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -out example.crt -keyout example.key
    Flag and description:
    -newkey rsa:4096
      Generates a new 4096-bit RSA private key. The default RSA key size is 2048 bits.
    -x509
      Outputs a self-signed X.509 certificate instead of a certificate signing request.
    -sha256
      Signs the certificate with SHA-256 (the 256-bit member of the SHA-2 family).
    -days 3650
      The number of days for which the certificate is valid. 3650 is ten years. You can use any positive integer, but some clients reject long-lived certificates (Apple platforms, for example, do not accept TLS server certificates valid for more than 825 days), so a shorter period is safer.
    -out example.crt
      Specifies the file name for the newly created certificate. You can specify any file name.
    -keyout example.key
      Specifies the file name for the newly created private key. You can specify any file name.
    When prompted, enter the FQDN of the Cortex XSOAR server as the Common Name. Browsers match the host name against the subjectAltName extension rather than the Common Name, so also include the FQDN as a DNS subjectAltName (OpenSSL 1.1.1 and later can add it with the -addext option).
    By default, openssl prompts for a passphrase and encrypts the private key with it. If you prefer to create a key without a passphrase, add the following flag:
    -nodes
  3. Replace the existing default internal certificate in
    /usr/local/demisto/cert.pem
    and key in
    /usr/local/demisto/cert.key
    with the newly generated certificate and private key. Keep the key file readable only by the account that runs the Cortex XSOAR server.
    For example:
    Copy the certificate (example.crt) to /usr/local/demisto:
    cp example.crt /usr/local/demisto/cert.pem
    Copy the key (example.key) to /usr/local/demisto:
    cp example.key /usr/local/demisto/cert.key
  4. (Optional) Add the certificate to the trusted certificate store of the server, or of any other host that needs to trust it.
    • For Ubuntu: Copy the certificate (.crt) file to
      /usr/local/share/ca-certificates/
      and then run:
      sudo update-ca-certificates
      (update-ca-certificates only picks up files with a .crt extension.)
    • For CentOS: Run
      yum install ca-certificates
      , copy the certificate (.crt) file to
      /etc/pki/ca-trust/source/anchors/
      and then run:
      update-ca-trust extract
    Ensure that the .crt file permissions are 644.
    When running in a distributed database environment, also add the database certificates as trusted on the application server.
    On Red Hat, confirm that the certificate was appended to the file
    /etc/pki/tls/certs/ca-bundle.crt
  5. Restart the Cortex XSOAR server.
    sudo service demisto restart
    Keep your working copies of the certificate and key (example.crt, example.key) in a directory other than
    /usr/local/demisto
    . Stray certificate or key files in that directory can cause the server to pick up the wrong pair (see Troubleshoot Creating a Private Key and CSR).

Troubleshoot Creating a Private Key and CSR

After the newly generated certificate and key are copied to
/usr/local/demisto
, if the browser still shows the old certificate (or a host name mismatch warning), do one or more of the following:
  • Check that the FQDN of the Cortex XSOAR server appears in the certificate's subjectAltName extension, not only in the Common Name. Modern browsers ignore the Common Name when matching the host name.
  • Check whether there are any other certificates or keys in
    /usr/local/demisto
    , other than the ones generated recently for the Cortex XSOAR server. If so, remove or move them to another folder on the server.
  • Check that cert.pem and cert.key actually belong together: the public key in the certificate must be the one derived from the private key. A mismatched pair prevents the server from serving the new certificate.
  • In the browser on which you are trying to load Cortex XSOAR, clear cookies and other site data. For example, in Chrome, go to Settings > Advanced > Clear browsing data > Clear data.
  • If the Cortex XSOAR server is behind a load balancer, re-upload the certificate on the load balancer, because clients see the load balancer's certificate rather than the server's. For example, if the Cortex XSOAR server is behind Elastic Load Balancing (ELB), re-import the certificate into AWS Certificate Manager (ACM) in the AWS console and make sure the ELB listener uses it.
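As an added example serving both the Create a Self-Signed Certificate procedure and the troubleshooting list above (it is not Cortex XSOAR's own tooling), the following POSIX shell script creates a self-signed certificate that carries the server FQDN as a subjectAltName and then audits a cert.pem/cert.key pair the way a practitioner would before restarting the server: do the key and certificate belong together, does the certificate name the host, is it still valid, and are there stray key or certificate files in the directory. It assumes OpenSSL 1.1.1 or later; xsoar.example.com, the directory path and the 825-day validity are placeholders. The last function queries a running server and is meant for use after the restart.

```shell
#!/bin/sh
# Added example, not from the Cortex XSOAR docs. Creates a self-signed
# certificate with a SAN and audits an installed cert.pem/cert.key pair.
# Assumes OpenSSL >= 1.1.1 (for -addext). Names and paths are placeholders.

# make_selfsigned DIR FQDN DAYS: write DIR/cert.key (mode 0600) and DIR/cert.pem
make_selfsigned() {
    ( umask 077 && openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days "$3" \
        -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/cert.key" -out "$1/cert.pem" )
}

# cert_matches_key CERT KEY: 0 if the certificate's public key is derived from KEY.
# A mismatched pair is a common reason the server keeps serving the old certificate.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_covers_fqdn CERT FQDN: 0 if DNS:FQDN is in subjectAltName (what browsers check)
cert_covers_fqdn() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$2(,|[[:space:]]|$)"
}

# cert_not_expired CERT: 0 if notAfter is still in the future
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# stray_files DIR: list certificate/key files in DIR other than cert.pem and cert.key
stray_files() {
    find "$1" -maxdepth 1 -type f \
        \( -name '*.pem' -o -name '*.key' -o -name '*.crt' -o -name '*.csr' \) \
        ! -name cert.pem ! -name cert.key
}

# audit_install DIR FQDN: 0 only if the pair in DIR is consistent and alone
audit_install() {
    cert_matches_key "$1/cert.pem" "$1/cert.key" &&
        cert_covers_fqdn "$1/cert.pem" "$2" &&
        cert_not_expired "$1/cert.pem" &&
        [ -z "$(stray_files "$1")" ]
}

# presented_cert HOST [PORT]: print subject, SAN and dates of the certificate a
# running server (or the load balancer in front of it) actually hands out.
# Needs network access; compare its output with the file in /usr/local/demisto.
presented_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName -dates
}

# Usage: sh selfsigned.sh /root/xsoar-tls xsoar.example.com
if [ "$#" -eq 2 ]; then
    mkdir -p "$1" && make_selfsigned "$1" "$2" 825 && audit_install "$1" "$2" \
        && echo "cert.pem and cert.key in $1 are consistent; copy them to /usr/local/demisto"
fi
```

Run audit_install against /usr/local/demisto itself after copying the files and before restarting; if presented_cert later shows a different subject or dates than the file on disk, the certificate is being terminated somewhere in front of the server, which is the load balancer case in the list above.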
