Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Add, remove, or replace certificates from the certificate store

This article describes working with certificates in the certificate store, which are used to validate the SSL connections that connectors make to other endpoints. For information on the HTTPS certificates used for the user interface, see Update or renew SSL certificates for Nginx, RabbitMQ, or Consul.

The web server used by Splunk SOAR implements HTTP Strict Transport Security (HSTS) to ensure all traffic in and out of the web server is encrypted. A potential side effect of a site using HSTS is that some browsers might prevent you from visiting the site at all if it uses an untrusted or self-signed TLS certificate.

Add a custom certificate to the certificate store

To add a custom certificate to the certificate store:

phenv python3 <PHANTOM_HOME>/bin/import_cert.py -i /tmp/ca.crt
<PHANTOM_HOME>/bin/phsvc restart uwsgi

In this example, the import_cert.py script copies the certificate file ca.crt to the <PHANTOM_HOME>/etc/certs/ directory, then consolidates all the files in that directory into the <PHANTOM_HOME>/etc/cacerts.pem file. The cacerts.pem file is used by Splunk SOAR to verify all server certificates.

The <PHANTOM_HOME>/bin/phsvc restart uwsgi command restarts the web server so that the updated cacerts.pem file is reloaded.

Do not store files other than .crt or .pem in <PHANTOM_HOME>/etc/certs/. Storing other kinds of files in that directory can corrupt the cacerts.pem file when new certificates are imported.
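
The warning above can be checked before each import. The following is an added example, not Splunk tooling or code from this documentation: audit_cert_dir is a hypothetical helper name, it assumes the openssl command-line tool is installed, and the private-key and parse checks are added precautions based on the assumption that every file in the directory ends up in cacerts.pem.

```shell
#!/bin/sh
# Added example, not Splunk tooling: audit a certificate directory before
# running import_cert.py. audit_cert_dir is a hypothetical helper name.
# Pass the path of the certificate directory, for example the etc/certs
# directory under your Splunk SOAR home.

audit_cert_dir() (  # prints one finding per line; exit status 1 if anything was flagged
  rc=0
  for f in "$1"/* "$1"/.[!.]*; do
    [ -e "$f" ] || continue            # skip glob patterns that matched nothing
    case "$f" in
      *.crt|*.pem) ;;
      *) echo "unexpected file type: $f"; rc=1; continue ;;
    esac
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
      # A .pem file can hold a key; it must never be merged into a trust bundle.
      echo "contains a private key: $f"; rc=1
    elif ! openssl x509 -in "$f" -noout 2>/dev/null; then
      # Catches DER-encoded or truncated files that carry an accepted extension.
      echo "not a parseable PEM certificate: $f"; rc=1
    fi
  done
  exit "$rc"
)

# Usage: sh audit_certs.sh /path/to/etc/certs
if [ "$#" -eq 1 ]; then audit_cert_dir "$1" && echo "certificate directory is clean"; fi
```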

Remove a certificate from the certificate store

If you need to remove a certificate that you have previously installed, perform the following tasks:

  1. Delete the file for that certificate from <PHANTOM_HOME>/etc/certs/.
  2. Run the import_cert.py script with no parameters.
  3. Restart the web server.

Replace existing HTTPS certificate with certificate signed by a Certificate Authority

Perform the following tasks to replace the default certificate in Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) with a valid certificate signed by a Certificate Authority.

Passphrases for certificate files are not supported by Splunk SOAR (Cloud) or Splunk SOAR (On-premises).

  1. Back up the existing certificate files in the following locations:
    <PHANTOM_HOME>/etc/ssl/certs/httpd_cert.crt 
    <PHANTOM_HOME>/etc/ssl/private/httpd_cert.key
    
  2. Replace the existing certificate files with your new files, in the same location. If you choose to use a different location, edit the <PHANTOM_HOME>/usr/nginx/conf/conf.d/phantom-nginx-server.conf file (or the /etc/nginx/conf.d/default.conf for privileged installations) to point to the appropriate location.

    If you modify the Nginx configuration, it may be overwritten when you upgrade Splunk SOAR (Cloud) or Splunk SOAR (On-Premises).

  3. If you are using a commercial certificate authority, you will be given one or more intermediate certificates, and possibly a root certificate, to go along with your server certificate. You must add the intermediates and root, if provided, into the httpd_cert.crt file along with the server certificate. Add the domain certificate first, then add each certificate that signs the preceding certificate until you reach the root certificate.

    Append the lines from the intermediate certificates to the server certificate file, following the previously described order.

    You can use the openssl x509 -in httpd_cert.crt -text -noout command to decode the httpd_cert.crt file, if needed.

    The following is an example of the decoded output.

    [root@localhost certs]# openssl x509 -in httpd_cert.crt -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 4096 (0x1000)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, ST = California, O = Phantom Cyber Corporation, OU = Engineering, CN = Phantom Cyber Corporation Intermediate CA
            Validity
                Not Before: Jun  2 02:43:26 2016 GMT
                Not After : Jun  1 02:43:26 2021 GMT
            Subject: C = US, ST = California, L = Palo Alto, O = Phantom Cyber Corporation, OU = Engineering, CN = myphantom.phantom.us
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Server
                Netscape Comment:
                    OpenSSL Generated Server Certificate
                X509v3 Subject Key Identifier:
                    27:88:69:62:3C:96:6C:F3:E8:52:86:BA:A5:ED:80:BC:05:33:E5:27
                X509v3 Authority Key Identifier:
                    keyid:E3:AB:F6:08:92:10:18:35:EE:D4:50:7A:33:D9:4A:6E:CA:14:0D:12
                    DirName:/C=US/ST=California/L=Palo Alto/O=Phantom Cyber Corporation/OU=Engineering/CN=Phantom Cyber Corporation Root CA
                    serial:10:00
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
        Signature Algorithm: sha256WithRSAEncryption
    
    
  4. Ensure the certificate and key are owned by phantom:phantom by checking the output of ls -la. If you need to update the ownership, run:
    chown phantom:phantom <PHANTOM_HOME>/etc/ssl/certs/httpd_cert.crt  <PHANTOM_HOME>/etc/ssl/private/httpd_cert.key
  5. Restart the Nginx service:
    <PHANTOM_HOME>/bin/phsvc restart nginx

    If Nginx fails to restart, SELinux may have a conflict with the changed security context of the SSL files. The issue can be resolved by resetting the security context of the replaced SSL files. The Nginx error log location is <PHANTOM_HOME>/var/log/nginx/error.log (or /var/log/nginx/error.log for privileged installations). Run the following commands to reset the security context and restart Nginx:

    restorecon <PHANTOM_HOME>/etc/ssl/certs/httpd_cert.crt 
    restorecon <PHANTOM_HOME>/etc/ssl/private/httpd_cert.key 
    <PHANTOM_HOME>/bin/phsvc restart nginx
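
The certificate order from step 3 and the no-passphrase requirement can be checked before Nginx is restarted. The following is an added example, not Splunk tooling or code from this documentation; the function names and demo subject names are assumptions, and it assumes the openssl command-line tool is installed. Ordering is checked by comparing issuer and subject names only; signatures are not verified.

```shell
#!/bin/sh
# Added example, not Splunk tooling: pre-flight checks for httpd_cert.crt and httpd_cert.key.
# Function names and demo subject names are assumptions made for illustration.

split_bundle() {  # split PEM bundle $1 into $2/cert.N.pem, print the certificate count
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert.%d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$1"
}

check_chain_order() (  # 0 when each certificate in $1 is issued by the one after it
  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT
  n=$(split_bundle "$1" "$tmp")
  [ "$n" -ge 1 ] || { echo "no certificates found in $1" >&2; exit 2; }
  i=1 rc=0
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$tmp/cert.$i.pem" -noout -issuer)
    sub=$(openssl x509 -in "$tmp/cert.$((i + 1)).pem" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] ||
      { echo "certificate $i is not issued by certificate $((i + 1))" >&2; rc=1; }
    i=$((i + 1))
  done
  exit "$rc"
)

check_key() (  # 0 when key $2 has no passphrase and matches the server certificate in $1
  key_pub=$(openssl pkey -in "$2" -pubout -passin pass: </dev/null 2>/dev/null) ||
    { echo "private key is unreadable or passphrase-protected" >&2; exit 2; }
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 2
  [ "$key_pub" = "$crt_pub" ] || { echo "key does not match server certificate" >&2; exit 1; }
)

make_demo_chain() (  # constructed sample input: throwaway root -> intermediate -> server in $1
  cd "$1" || exit 2
  exec 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" -keyout root.key -out root.crt
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1 -out inter.crt
  openssl req -newkey rsa:2048 -nodes -subj "/CN=soar.example.test" -keyout server.key -out server.csr
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 1 -out server.crt
  cat server.crt inter.crt root.crt > httpd_cert.crt
)

# Usage: sh check_httpd_cert.sh httpd_cert.crt httpd_cert.key
if [ "$#" -eq 2 ]; then check_chain_order "$1" && check_key "$1" "$2" && echo "chain and key OK"; fi
```

Run it against the new files before replacing the existing ones; make_demo_chain only exists to produce throwaway input for trying the checks.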
    
Last modified on 12 July, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.3, 5.3.4, 5.3.5, 5.3.6