Add, remove, or replace certificates from the certificate store

This article describes working with certificates in the certificate store, certificates that are used to validate the SSL connection of the connectors to other endpoints. For information on HTTPS certificates, used for the user interface, see Update or renew SSL certificates for Nginx, RabbitMQ, or Consul.

The web server used by Splunk SOAR implements HTTP Strict Transport Security (HSTS) to ensure all traffic in and out of the web server is encrypted. A potential side effect of a site using HSTS is that some browsers might prevent you from visiting the site at all if it uses an untrusted or self-signed TLS certificate.

Add a custom certificate to the certificate store

To add a custom root or intermediate authority certificate to the certificate store:

phenv python3 <PHANTOM_HOME>/bin/import_cert.py -i /tmp/ca.crt
<PHANTOM_HOME>/bin/phsvc restart uwsgi

In this example, the import_cert.py script is copying the certificate file ca.crt to the <PHANTOM_HOME>/etc/certs/ directory, then consolidating all the files in that directory to the <PHANTOM_HOME>/etc/cacerts.pem file. The cacerts.pem file is used by to verify all server certificates.

The <PHANTOM_HOME>/bin/phsvc restart uwsgi restarts the web server so the updated cacerts.pem file is reloaded.

Do not store files other than .crt or .pem in /etc/certs/. Storing other kinds of files in that directory can corrupt the cacerts.pem file when new certs are imported.

Remove a certificate from the certificate store

If you need to remove a root or intermediate authority certificate that you have previously installed, perform the following tasks:

Delete the file for that certificate from <PHANTOM_HOME>/etc/certs/.
Run the import_cert.py script with no parameters.
Restart the web server.

Replace existing HTTPS certificate with certificate signed by a Certificate Authority

Perform the following tasks to replace the default certificate in Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) with a valid certificate signed by a Certificate Authority.

Passphrases for certificate files are not supported by Splunk SOAR (Cloud) or Splunk SOAR (On-premises).

Back up the existing certificate files in the following locations:

<PHANTOM_HOME>/etc/ssl/certs/httpd_cert.crt 
<PHANTOM_HOME>/etc/ssl/private/httpd_cert.key

Replace the existing certificate files with your new files, in the same location. If you choose to use a different location, edit the <PHANTOM_HOME>/usr/nginx/conf/conf.d/phantom-nginx-server.conf file to point to the appropriate location.
If you modify the Nginx configuration, it may be overwritten when you upgrade Splunk SOAR (Cloud) or Splunk SOAR (On-Premises).

If you are using a commercial certificate authority, you will be given one or more intermediate certificates, and possibly a root certificate, to go along with your server certificate. You must add the intermediates and root, if provided, into the httpd_cert.crt file along with the server certificate. Add the domain certificate first, then add each certificate that signs the preceding certificate until you reach the root certificate.

Append the lines from the intermediate certificates to the server certificate file, following the previously described order.

You can use the openssl x509 -in httpd_cert.crt -text -noout command to decode the httpd_cert.crt file, if needed.

[root@localhost certs]# pwd
<PHANTOM_HOME>/etc/ssl/certs
[root@localhost certs]# cat httpd_cert.crt 
-----BEGIN CERTIFICATE-----
MIIGBzCCA++gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZAxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIDApDYWxpZm9ybmlhMSIwIAYDVQQKDBlQaGFudG9tIEN5YmVyIENv
cnBvcmF0aW9uMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEyMDAGA1UEAwwpUGhhbnRv
bSBDeWJlciBDb3Jwb3JhdGlvbiBJbnRlcm1lZGlhdGUgQ0EwHhcNMTYwNjAyMDI0
MzI2WhcNMjEwNjAxMDI0MzI2WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
bGlmb3JuaWExEjAQBgNVBAcMCVBhbG8gQWx0bzEiMCAGA1UECgwZUGhhbnRvbSBD
eWJlciBDb3Jwb3JhdGlvbjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMM
FG15cGhhbnRvbS5waGFudG9tLnVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAyFBqOJqtJrRM/kmOOVGmRm9DtaGlxfNCsmOMhpyR//ju025ibaoYiQRr
BqbNhsmDZuzSAIqxkO1fwYw3LBLmsrFqtc3wwO5PDXl8fKGN49iYWzG5N5RtU0Nv
9r/iCsGDM0tjnUxQaGpl3CNTil6qKKO+Xb2KeNKBM4xP9bwRzkQ9bBK9aIMd1f/y
DquWNvgxkcofhS6Dicp3fySOym96Eb2GdBH9C3cYuPmBeqvOgj/OUidItLwL12oV
0AaXKWC5HLYODqLGvfXtaw6c29mz/RM5UnI+/U+EErngypFhQD9a9ZbEAChCCZFo
vUxF/ufk1C2RHvw32xjU69j52YQKnwIDAQABo4IBaDCCAWQwCQYDVR0TBAIwADAR
BglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJh
dGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJ4hpYjyWbPPoUoa6pe2A
vAUz5ScwgcoGA1UdIwSBwjCBv4AU46v2CJIQGDXu1FB6M9lKbsoUDRKhgaKkgZ8w
gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQ
YWxvIEFsdG8xIjAgBgNVBAoMGVBoYW50b20gQ3liZXIgQ29ycG9yYXRpb24xFDAS
BgNVBAsMC0VuZ2luZWVyaW5nMSowKAYDVQQDDCFQaGFudG9tIEN5YmVyIENvcnBv
cmF0aW9uIFJvb3QgQ0GCAhAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
BgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA5kdSwVQMHjCIQvyjOQsflPOcj2zS
t0IWVp4OmDipJ+MYm4+bHvsw3OxBb3fWx4W7S249dbTNoTPqPlCoLLlv8mshTwF4
nZJksLz5D40rtqrtYT1g3d1rDURz8rANP9MqHUpkXKETg9ufNwprWAdFYfd/IQw8
e547k0Wy60NRb1rowI7hIOc/egqRU6WjQ5ygmCblHmoL9AK6Jh03tXS6maPrbSRt
9Nkf/iPbkz8m7kOR1OUbq9/YXaNI6LECOYsI+ML8iy1ddPIGg+eNce3Lg47Q/rpY
3Y+w1KHoticeetKvJn+mzxLiGXVEUik/Mm5eniJGMCa5bMO31xH5TXcouOE554u6
gcACjeaTz/KYQ8TnMTAaJIG9GIvclao4xYA705LPMHHeEF5fQXRnJqSZ9i1tqWZQ
EOFJ5RhJSJuf0j4P+4fpZOxV3wZJlvE6Ts3s2m2Iws+WLZSYAHlpVLUKuk2vxvrO
v44syOGi80f/zPWAy4u0NrNSBMCCIv9VElJ+9azCjOW349murPZeymOWGM/A9HbU
DH00pogNlUHHiZB+X9tKktFGAI2qZXHE13fRlmNbblAKepQdCNEo/Cji5sDXKacG
7HaBZlQZiX9u2pOYtLZHSyCgfThtKv3DzmOFtER1BMDeiRffUcjGvMKErjU1SLeE
FqZLl+YJqmQ7sZM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGEDCCA/igAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZwxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8xIjAgBgNV
BAoMGVBoYW50b20gQ3liZXIgQ29ycG9yYXRpb24xFDASBgNVBAsMC0VuZ2luZWVy
aW5nMSowKAYDVQQDDCFQaGFudG9tIEN5YmVyIENvcnBvcmF0aW9uIFJvb3QgQ0Ew
HhcNMTYwNjAxMjM0ODA4WhcNMjYwNTMwMjM0ODA4WjCBkDELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExIjAgBgNVBAoMGVBoYW50b20gQ3liZXIgQ29y
cG9yYXRpb24xFDASBgNVBAsMC0VuZ2luZWVyaW5nMTIwMAYDVQQDDClQaGFudG9t
IEN5YmVyIENvcnBvcmF0aW9uIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAPJEEEDFnoPwu70writqR/s2njLR6FqVNYcXGnot
U9SU0mlOse3ZKa1tNKE84WBO0IYxFTXO+B1F7DK2aGmvC2pAdMH34zOdfk3j2FwA
Zed4NUzkmn2cFcTa7Ldroj+8DLWPnB03FAlPfcXOx1yYhV1vxTdT1uw+nzyxbUGf
kMVu0i+NpXjar9hzkw7YxyShnUYrlBX/kA8arWoe9v+b/1t8mnySb+v0DdW5i2pS
6Jnu2C6tnYzPbqyQANsar1MFWHV0c3L24f8B8je33vdqdzmKlGbvCBBMS0LCQm7L
B1xDY3yJrkjc+x6R6cBytxwW9+h/eZp6wpu2vtX15EOF6acJOCHtvXM9CbpVRHkW
Hy5+c5cuEh4HA/0BGZa0okhy8aguD+YCVVFkeZ+UM0Arxs+mVrlbNQjeogaP1Kxm
k7+GooB0z1PXL95dZarovawuJ+k3IPT+trTO8CtINqOZqauo56n6KSWtpN0OP+nE
6xb92DR9LP8GvdKEnVH7AxBLinNrwtUqXgmqJFjcqNE6RdxmBxr2s35WJzaqBkzp
mX4HVyxIFDXSRIY54RjyNcx+5glcCrDilekm6sSTtNcV3vCxSMlj64UjtaI8j0ph
3xNFLfJBa9sDyljmwo+1SFQw/VIfDoasPJtxkgW/ry47XLs4wPvljNm/8bG/wtbf
QmMfAgMBAAGjZjBkMB0GA1UdDgQWBBTjq/YIkhAYNe7UUHoz2UpuyhQNEjAfBgNV
HSMEGDAWgBQtWQnie48FM86cNmhnlUEI9o0OQjASBgNVHRMBAf8ECDAGAQH/AgEA
MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEATriE0O4xdpHojl5H
l7xdTi5sBe5KdZ+zgs6BBJSbDKKPoADZzx0CUB5vzqx1By3z4aS0fWId+eG1rQ70
JA2if+JqLR/NK0M9n/D9e4/wwz+GgDdtFARljrdvPiau4Rk1ybNGgdvKHBjF9lCG
7uo1XVJ/IszFJGG37q3L+0aJjQnKxmgd0Fh1z50OtMjiO6EKzeAIJagr+zceobUt
c5c3E67fITGI1Dr74em+g4Wo2th0zt7OYwfVTbFM7delGnCS/+J2JlGOX6A4KVd5
2dN79y7Asf5ULngDOg77N+coHaEhHSS5gLYQ2vsi6mIRBmJaxkYwQErAg3ObHXiV
94KIGlmDq3C9f1olUHdEbOw0njYG7R0zciKGe78FVQqtmjK1gbI8x9bo9+kzyVH6
1Ru7ZnoitT8UqJxtMml4pUSHSM9u4HCjXkSYzEWmZzn+6weqH1qLwBCiqx5hgKUI
IHq8Hu/RPwFQsEqTSZAgcA0QvbMxT7yqt5HYxLNvj6sbieQNRxjeUshCFt6/o42e
buAkABxg0cY1kRdSKDjRL6NSw7t6GLs0xkW8Z98WbMmE7LueXqKTk/FZVRL4u9Nx
eeheRnVf5vPVd6OSsLxpCQtzOCb9zG+LvIg16qJfacXtsDHbcRM6cKaDKlTT2CmA
+xULbgPvxpR3cOc2l+bxhf0EExM=
-----END CERTIFICATE-----

This following is an example of the decoded output.

[root@localhost certs]# openssl x509 -in httpd_cert.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, O = Phantom Cyber Corporation, OU = Engineering, CN = Phantom Cyber Corporation Intermediate CA
        Validity
            Not Before: Jun  2 02:43:26 2016 GMT
            Not After : Jun  1 02:43:26 2021 GMT
        Subject: C = US, ST = California, L = Palo Alto, O = Phantom Cyber Corporation, OU = Engineering, CN = myphantom.phantom.us
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:50:6a:38:9a:ad:26:b4:4c:fe:49:8e:39:51:
                    a6:46:6f:43:b5:a1:a5:c5:f3:42:b2:63:8c:86:9c:
                    91:ff:f8:ee:d3:6e:62:6d:aa:18:89:04:6b:06:a6:
                    cd:86:c9:83:66:ec:d2:00:8a:b1:90:ed:5f:c1:8c:
                    37:2c:12:e6:b2:b1:6a:b5:cd:f0:c0:ee:4f:0d:79:
                    7c:7c:a1:8d:e3:d8:98:5b:31:b9:37:94:6d:53:43:
                    6f:f6:bf:e2:0a:c1:83:33:4b:63:9d:4c:50:68:6a:
                    65:dc:23:53:8a:5e:aa:28:a3:be:5d:bd:8a:78:d2:
                    81:33:8c:4f:f5:bc:11:ce:44:3d:6c:12:bd:68:83:
                    1d:d5:ff:f2:0e:ab:96:36:f8:31:91:ca:1f:85:2e:
                    83:89:ca:77:7f:24:8e:ca:6f:7a:11:bd:86:74:11:
                    fd:0b:77:18:b8:f9:81:7a:ab:ce:82:3f:ce:52:27:
                    48:b4:bc:0b:d7:6a:15:d0:06:97:29:60:b9:1c:b6:
                    0e:0e:a2:c6:bd:f5:ed:6b:0e:9c:db:d9:b3:fd:13:
                    39:52:72:3e:fd:4f:84:12:b9:e0:ca:91:61:40:3f:
                    5a:f5:96:c4:00:28:42:09:91:68:bd:4c:45:fe:e7:
                    e4:d4:2d:91:1e:fc:37:db:18:d4:eb:d8:f9:d9:84:
                    0a:9f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                27:88:69:62:3C:96:6C:F3:E8:52:86:BA:A5:ED:80:BC:05:33:E5:27
            X509v3 Authority Key Identifier:
                keyid:E3:AB:F6:08:92:10:18:35:EE:D4:50:7A:33:D9:4A:6E:CA:14:0D:12
                DirName:/C=US/ST=California/L=Palo Alto/O=Phantom Cyber Corporation/OU=Engineering/CN=Phantom Cyber Corporation Root CA
                serial:10:00
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        e6:47:52:c1:54:0c:1e:30:88:42:fc:a3:39:0b:1f:94:f3:9c:
        8f:6c:d2:b7:42:16:56:9e:0e:98:38:a9:27:e3:18:9b:8f:9b:
        1e:fb:30:dc:ec:41:6f:77:d6:c7:85:bb:4b:6e:3d:75:b4:cd:
        a1:33:ea:3e:50:a8:2c:b9:6f:f2:6b:21:4f:01:78:9d:92:64:
        b0:bc:f9:0f:8d:2b:b6:aa:ed:61:3d:60:dd:dd:6b:0d:44:73:
        f2:b0:0d:3f:d3:2a:1d:4a:64:5c:a1:13:83:db:9f:37:0a:6b:
        58:07:45:61:f7:7f:21:0c:3c:7b:9e:3b:93:45:b2:eb:43:51:
        6f:5a:e8:c0:8e:e1:20:e7:3f:7a:0a:91:53:a5:a3:43:9c:a0:
        98:26:e5:1e:6a:0b:f4:02:ba:26:1d:37:b5:74:ba:99:a3:eb:
        6d:24:6d:f4:d9:1f:fe:23:db:93:3f:26:ee:43:91:d4:e5:1b:
        ab:df:d8:5d:a3:48:e8:b1:02:39:8b:08:f8:c2:fc:8b:2d:5d:
        74:f2:06:83:e7:8d:71:ed:cb:83:8e:d0:fe:ba:58:dd:8f:b0:
        d4:a1:e8:b6:27:1e:7a:d2:af:26:7f:a6:cf:12:e2:19:75:44:
        52:29:3f:32:6e:5e:9e:22:46:30:26:b9:6c:c3:b7:d7:11:f9:
        4d:77:28:b8:e1:39:e7:8b:ba:81:c0:02:8d:e6:93:cf:f2:98:
        43:c4:e7:31:30:1a:24:81:bd:18:8b:dc:95:aa:38:c5:80:3b:
        d3:92:cf:30:71:de:10:5e:5f:41:74:67:26:a4:99:f6:2d:6d:
        a9:66:50:10:e1:49:e5:18:49:48:9b:9f:d2:3e:0f:fb:87:e9:
        64:ec:55:df:06:49:96:f1:3a:4e:cd:ec:da:6d:88:c2:cf:96:
        2d:94:98:00:79:69:54:b5:0a:ba:4d:af:c6:fa:ce:bf:8e:2c:
        c8:e1:a2:f3:47:ff:cc:f5:80:cb:8b:b4:36:b3:52:04:c0:82:
        22:ff:55:12:52:7e:f5:ac:c2:8c:e5:b7:e3:d9:ae:ac:f6:5e:
        ca:63:96:18:cf:c0:f4:76:d4:0c:7d:34:a6:88:0d:95:41:c7:
        89:90:7e:5f:db:4a:92:d1:46:00:8d:aa:65:71:c4:d7:77:d1:
        96:63:5b:6e:50:0a:7a:94:1d:08:d1:28:fc:28:e2:e6:c0:d7:
        29:a7:06:ec:76:81:66:54:19:89:7f:6e:da:93:98:b4:b6:47:
        4b:20:a0:7d:38:6d:2a:fd:c3:ce:63:85:b4:44:75:04:c0:de:
        89:17:df:51:c8:c6:bc:c2:84:ae:35:35:48:b7:84:16:a6:4b:
        97:e6:09:aa:64:3b:b1:93

Ensure the certificate and key are owned by phantom:phantom by checking ls -la to see the permissions. If you need to update the permissions, run
```
chown phantom:phantom <PHANTOM_HOME>/etc/ssl/certs/httpd_cert.crt  <PHANTOM_HOME>/etc/ssl/private/httpd_cert.key
```
Restart the nginix service:
```
/<PHANTOM_HOME>/bin/phsvc restart nginx
```
If Nginx fails to restart, SELinux may have a conflict with the changed security context of the SSL files. The issue can be resolved by resetting the security context of the replaced SSL files. The Nginx error log location is <PHANTOM_HOME>/var/log/nginx/error.log. Run the following commands to reset the security context and restart Nginx:
```
restorecon <PHANTOM_HOME>/etc/ssl/certs/httpd_cert.crt 
restorecon <PHANTOM_HOME>/etc/ssl/private/httpd_cert.key 
<PHANTOM_HOME>/bin/phsvc restart nginx
```

Add, remove, or replace certificates from the certificate store

Add a custom certificate to the certificate store

Remove a certificate from the certificate store

Replace existing HTTPS certificate with certificate signed by a Certificate Authority

Comments

Add, remove, or replace certificates from the Splunk SOAR (On-premises) certificate store

Was this topic useful?