After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Add, remove, or replace certificates from the certificate store
This article describes working with certificates in the certificate store, certificates that are used to validate the SSL connection of the connectors to other endpoints. For information on HTTPS certificates, used for the user interface, see Update or renew SSL certificates for Nginx, RabbitMQ, or Consul.
The web server used by Splunk SOAR implements HTTP Strict Transport Security (HSTS) to ensure all traffic in and out of the web server is encrypted. A potential side effect of a site using HSTS is that some browsers might prevent you from visiting the site at all if it uses an untrusted or self-signed TLS certificate.
Add a custom certificate to the certificate store
To add a custom root or intermediate authority certificate to the certificate store:
phenv python3 <PHANTOM_HOME>/bin/import_cert.py -i /tmp/ca.crt <PHANTOM_HOME>/bin/phsvc restart uwsgi
In this example, the import_cert.py
script is copying the certificate file ca.crt
to the <PHANTOM_HOME>/etc/certs/
directory, then consolidating all the files in that directory to the <PHANTOM_HOME>/etc/cacerts.pem
file. The cacerts.pem
file is used by to verify all server certificates.
The <PHANTOM_HOME>/bin/phsvc restart uwsgi
restarts the web server so the updated cacerts.pem
file is reloaded.
Do not store files other than .crt or .pem in
. Storing other kinds of files in that directory can corrupt the cacerts.pem
file when new certs are imported.
Remove a certificate from the certificate store
If you need to remove a root or intermediate authority certificate that you have previously installed, perform the following tasks:
- Delete the file for that certificate from
<PHANTOM_HOME>/etc/certs/
. - Run the
import_cert.py
script with no parameters. - Restart the web server.
Replace existing HTTPS certificate with certificate signed by a Certificate Authority
Perform the following tasks to replace the default certificate in Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) with a valid certificate signed by a Certificate Authority.
Passphrases for certificate files are not supported by Splunk SOAR (Cloud) or Splunk SOAR (On-premises).
- Back up the existing certificate files in the following locations:
<PHANTOM_HOME>/etc/ssl/certs/httpd_cert.crt <PHANTOM_HOME>/etc/ssl/private/httpd_cert.key
- Replace the existing certificate files with your new files, in the same location. If you choose to use a different location, edit the
<PHANTOM_HOME>/usr/nginx/conf/conf.d/phantom-nginx-server.conf
file to point to the appropriate location.If you modify the Nginx configuration, it may be overwritten when you upgrade Splunk SOAR (Cloud) or Splunk SOAR (On-Premises).
- If you are using a commercial certificate authority, you will be given one or more intermediate certificates, and possibly a root certificate, to go along with your server certificate. You must add the intermediates and root, if provided, into the
httpd_cert.crt
file along with the server certificate. Add the domain certificate first, then add each certificate that signs the preceding certificate until you reach the root certificate.
Append the lines from the intermediate certificates to the server certificate file, following the previously described order.
You can use theopenssl x509 -in httpd_cert.crt -text -noout
command to decode the httpd_cert.crt file, if needed.[root@localhost certs]# pwd <PHANTOM_HOME>/etc/ssl/certs [root@localhost certs]# cat httpd_cert.crt -----BEGIN CERTIFICATE----- MIIGBzCCA++gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZAxCzAJBgNVBAYTAlVT MRMwEQYDVQQIDApDYWxpZm9ybmlhMSIwIAYDVQQKDBlQaGFudG9tIEN5YmVyIENv cnBvcmF0aW9uMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEyMDAGA1UEAwwpUGhhbnRv bSBDeWJlciBDb3Jwb3JhdGlvbiBJbnRlcm1lZGlhdGUgQ0EwHhcNMTYwNjAyMDI0 MzI2WhcNMjEwNjAxMDI0MzI2WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh bGlmb3JuaWExEjAQBgNVBAcMCVBhbG8gQWx0bzEiMCAGA1UECgwZUGhhbnRvbSBD eWJlciBDb3Jwb3JhdGlvbjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMM FG15cGhhbnRvbS5waGFudG9tLnVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAyFBqOJqtJrRM/kmOOVGmRm9DtaGlxfNCsmOMhpyR//ju025ibaoYiQRr BqbNhsmDZuzSAIqxkO1fwYw3LBLmsrFqtc3wwO5PDXl8fKGN49iYWzG5N5RtU0Nv 9r/iCsGDM0tjnUxQaGpl3CNTil6qKKO+Xb2KeNKBM4xP9bwRzkQ9bBK9aIMd1f/y DquWNvgxkcofhS6Dicp3fySOym96Eb2GdBH9C3cYuPmBeqvOgj/OUidItLwL12oV 0AaXKWC5HLYODqLGvfXtaw6c29mz/RM5UnI+/U+EErngypFhQD9a9ZbEAChCCZFo vUxF/ufk1C2RHvw32xjU69j52YQKnwIDAQABo4IBaDCCAWQwCQYDVR0TBAIwADAR BglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJh dGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJ4hpYjyWbPPoUoa6pe2A vAUz5ScwgcoGA1UdIwSBwjCBv4AU46v2CJIQGDXu1FB6M9lKbsoUDRKhgaKkgZ8w gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQ YWxvIEFsdG8xIjAgBgNVBAoMGVBoYW50b20gQ3liZXIgQ29ycG9yYXRpb24xFDAS BgNVBAsMC0VuZ2luZWVyaW5nMSowKAYDVQQDDCFQaGFudG9tIEN5YmVyIENvcnBv cmF0aW9uIFJvb3QgQ0GCAhAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr BgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA5kdSwVQMHjCIQvyjOQsflPOcj2zS t0IWVp4OmDipJ+MYm4+bHvsw3OxBb3fWx4W7S249dbTNoTPqPlCoLLlv8mshTwF4 nZJksLz5D40rtqrtYT1g3d1rDURz8rANP9MqHUpkXKETg9ufNwprWAdFYfd/IQw8 e547k0Wy60NRb1rowI7hIOc/egqRU6WjQ5ygmCblHmoL9AK6Jh03tXS6maPrbSRt 9Nkf/iPbkz8m7kOR1OUbq9/YXaNI6LECOYsI+ML8iy1ddPIGg+eNce3Lg47Q/rpY 3Y+w1KHoticeetKvJn+mzxLiGXVEUik/Mm5eniJGMCa5bMO31xH5TXcouOE554u6 gcACjeaTz/KYQ8TnMTAaJIG9GIvclao4xYA705LPMHHeEF5fQXRnJqSZ9i1tqWZQ EOFJ5RhJSJuf0j4P+4fpZOxV3wZJlvE6Ts3s2m2Iws+WLZSYAHlpVLUKuk2vxvrO v44syOGi80f/zPWAy4u0NrNSBMCCIv9VElJ+9azCjOW349murPZeymOWGM/A9HbU DH00pogNlUHHiZB+X9tKktFGAI2qZXHE13fRlmNbblAKepQdCNEo/Cji5sDXKacG 7HaBZlQZiX9u2pOYtLZHSyCgfThtKv3DzmOFtER1BMDeiRffUcjGvMKErjU1SLeE FqZLl+YJqmQ7sZM= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIGEDCCA/igAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZwxCzAJBgNVBAYTAlVT MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8xIjAgBgNV BAoMGVBoYW50b20gQ3liZXIgQ29ycG9yYXRpb24xFDASBgNVBAsMC0VuZ2luZWVy aW5nMSowKAYDVQQDDCFQaGFudG9tIEN5YmVyIENvcnBvcmF0aW9uIFJvb3QgQ0Ew HhcNMTYwNjAxMjM0ODA4WhcNMjYwNTMwMjM0ODA4WjCBkDELMAkGA1UEBhMCVVMx EzARBgNVBAgMCkNhbGlmb3JuaWExIjAgBgNVBAoMGVBoYW50b20gQ3liZXIgQ29y cG9yYXRpb24xFDASBgNVBAsMC0VuZ2luZWVyaW5nMTIwMAYDVQQDDClQaGFudG9t IEN5YmVyIENvcnBvcmF0aW9uIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcN AQEBBQADggIPADCCAgoCggIBAPJEEEDFnoPwu70writqR/s2njLR6FqVNYcXGnot U9SU0mlOse3ZKa1tNKE84WBO0IYxFTXO+B1F7DK2aGmvC2pAdMH34zOdfk3j2FwA Zed4NUzkmn2cFcTa7Ldroj+8DLWPnB03FAlPfcXOx1yYhV1vxTdT1uw+nzyxbUGf kMVu0i+NpXjar9hzkw7YxyShnUYrlBX/kA8arWoe9v+b/1t8mnySb+v0DdW5i2pS 6Jnu2C6tnYzPbqyQANsar1MFWHV0c3L24f8B8je33vdqdzmKlGbvCBBMS0LCQm7L B1xDY3yJrkjc+x6R6cBytxwW9+h/eZp6wpu2vtX15EOF6acJOCHtvXM9CbpVRHkW Hy5+c5cuEh4HA/0BGZa0okhy8aguD+YCVVFkeZ+UM0Arxs+mVrlbNQjeogaP1Kxm k7+GooB0z1PXL95dZarovawuJ+k3IPT+trTO8CtINqOZqauo56n6KSWtpN0OP+nE 6xb92DR9LP8GvdKEnVH7AxBLinNrwtUqXgmqJFjcqNE6RdxmBxr2s35WJzaqBkzp mX4HVyxIFDXSRIY54RjyNcx+5glcCrDilekm6sSTtNcV3vCxSMlj64UjtaI8j0ph 3xNFLfJBa9sDyljmwo+1SFQw/VIfDoasPJtxkgW/ry47XLs4wPvljNm/8bG/wtbf QmMfAgMBAAGjZjBkMB0GA1UdDgQWBBTjq/YIkhAYNe7UUHoz2UpuyhQNEjAfBgNV HSMEGDAWgBQtWQnie48FM86cNmhnlUEI9o0OQjASBgNVHRMBAf8ECDAGAQH/AgEA MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEATriE0O4xdpHojl5H l7xdTi5sBe5KdZ+zgs6BBJSbDKKPoADZzx0CUB5vzqx1By3z4aS0fWId+eG1rQ70 JA2if+JqLR/NK0M9n/D9e4/wwz+GgDdtFARljrdvPiau4Rk1ybNGgdvKHBjF9lCG 7uo1XVJ/IszFJGG37q3L+0aJjQnKxmgd0Fh1z50OtMjiO6EKzeAIJagr+zceobUt c5c3E67fITGI1Dr74em+g4Wo2th0zt7OYwfVTbFM7delGnCS/+J2JlGOX6A4KVd5 2dN79y7Asf5ULngDOg77N+coHaEhHSS5gLYQ2vsi6mIRBmJaxkYwQErAg3ObHXiV 94KIGlmDq3C9f1olUHdEbOw0njYG7R0zciKGe78FVQqtmjK1gbI8x9bo9+kzyVH6 1Ru7ZnoitT8UqJxtMml4pUSHSM9u4HCjXkSYzEWmZzn+6weqH1qLwBCiqx5hgKUI IHq8Hu/RPwFQsEqTSZAgcA0QvbMxT7yqt5HYxLNvj6sbieQNRxjeUshCFt6/o42e buAkABxg0cY1kRdSKDjRL6NSw7t6GLs0xkW8Z98WbMmE7LueXqKTk/FZVRL4u9Nx eeheRnVf5vPVd6OSsLxpCQtzOCb9zG+LvIg16qJfacXtsDHbcRM6cKaDKlTT2CmA +xULbgPvxpR3cOc2l+bxhf0EExM= -----END CERTIFICATE-----
This following is an example of the decoded output.
[root@localhost certs]# openssl x509 -in httpd_cert.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 4096 (0x1000) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = California, O = Phantom Cyber Corporation, OU = Engineering, CN = Phantom Cyber Corporation Intermediate CA Validity Not Before: Jun 2 02:43:26 2016 GMT Not After : Jun 1 02:43:26 2021 GMT Subject: C = US, ST = California, L = Palo Alto, O = Phantom Cyber Corporation, OU = Engineering, CN = myphantom.phantom.us Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c8:50:6a:38:9a:ad:26:b4:4c:fe:49:8e:39:51: a6:46:6f:43:b5:a1:a5:c5:f3:42:b2:63:8c:86:9c: 91:ff:f8:ee:d3:6e:62:6d:aa:18:89:04:6b:06:a6: cd:86:c9:83:66:ec:d2:00:8a:b1:90:ed:5f:c1:8c: 37:2c:12:e6:b2:b1:6a:b5:cd:f0:c0:ee:4f:0d:79: 7c:7c:a1:8d:e3:d8:98:5b:31:b9:37:94:6d:53:43: 6f:f6:bf:e2:0a:c1:83:33:4b:63:9d:4c:50:68:6a: 65:dc:23:53:8a:5e:aa:28:a3:be:5d:bd:8a:78:d2: 81:33:8c:4f:f5:bc:11:ce:44:3d:6c:12:bd:68:83: 1d:d5:ff:f2:0e:ab:96:36:f8:31:91:ca:1f:85:2e: 83:89:ca:77:7f:24:8e:ca:6f:7a:11:bd:86:74:11: fd:0b:77:18:b8:f9:81:7a:ab:ce:82:3f:ce:52:27: 48:b4:bc:0b:d7:6a:15:d0:06:97:29:60:b9:1c:b6: 0e:0e:a2:c6:bd:f5:ed:6b:0e:9c:db:d9:b3:fd:13: 39:52:72:3e:fd:4f:84:12:b9:e0:ca:91:61:40:3f: 5a:f5:96:c4:00:28:42:09:91:68:bd:4c:45:fe:e7: e4:d4:2d:91:1e:fc:37:db:18:d4:eb:d8:f9:d9:84: 0a:9f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Netscape Comment: OpenSSL Generated Server Certificate X509v3 Subject Key Identifier: 27:88:69:62:3C:96:6C:F3:E8:52:86:BA:A5:ED:80:BC:05:33:E5:27 X509v3 Authority Key Identifier: keyid:E3:AB:F6:08:92:10:18:35:EE:D4:50:7A:33:D9:4A:6E:CA:14:0D:12 DirName:/C=US/ST=California/L=Palo Alto/O=Phantom Cyber Corporation/OU=Engineering/CN=Phantom Cyber Corporation Root CA serial:10:00 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication Signature Algorithm: sha256WithRSAEncryption Signature Value: e6:47:52:c1:54:0c:1e:30:88:42:fc:a3:39:0b:1f:94:f3:9c: 8f:6c:d2:b7:42:16:56:9e:0e:98:38:a9:27:e3:18:9b:8f:9b: 1e:fb:30:dc:ec:41:6f:77:d6:c7:85:bb:4b:6e:3d:75:b4:cd: a1:33:ea:3e:50:a8:2c:b9:6f:f2:6b:21:4f:01:78:9d:92:64: b0:bc:f9:0f:8d:2b:b6:aa:ed:61:3d:60:dd:dd:6b:0d:44:73: f2:b0:0d:3f:d3:2a:1d:4a:64:5c:a1:13:83:db:9f:37:0a:6b: 58:07:45:61:f7:7f:21:0c:3c:7b:9e:3b:93:45:b2:eb:43:51: 6f:5a:e8:c0:8e:e1:20:e7:3f:7a:0a:91:53:a5:a3:43:9c:a0: 98:26:e5:1e:6a:0b:f4:02:ba:26:1d:37:b5:74:ba:99:a3:eb: 6d:24:6d:f4:d9:1f:fe:23:db:93:3f:26:ee:43:91:d4:e5:1b: ab:df:d8:5d:a3:48:e8:b1:02:39:8b:08:f8:c2:fc:8b:2d:5d: 74:f2:06:83:e7:8d:71:ed:cb:83:8e:d0:fe:ba:58:dd:8f:b0: d4:a1:e8:b6:27:1e:7a:d2:af:26:7f:a6:cf:12:e2:19:75:44: 52:29:3f:32:6e:5e:9e:22:46:30:26:b9:6c:c3:b7:d7:11:f9: 4d:77:28:b8:e1:39:e7:8b:ba:81:c0:02:8d:e6:93:cf:f2:98: 43:c4:e7:31:30:1a:24:81:bd:18:8b:dc:95:aa:38:c5:80:3b: d3:92:cf:30:71:de:10:5e:5f:41:74:67:26:a4:99:f6:2d:6d: a9:66:50:10:e1:49:e5:18:49:48:9b:9f:d2:3e:0f:fb:87:e9: 64:ec:55:df:06:49:96:f1:3a:4e:cd:ec:da:6d:88:c2:cf:96: 2d:94:98:00:79:69:54:b5:0a:ba:4d:af:c6:fa:ce:bf:8e:2c: c8:e1:a2:f3:47:ff:cc:f5:80:cb:8b:b4:36:b3:52:04:c0:82: 22:ff:55:12:52:7e:f5:ac:c2:8c:e5:b7:e3:d9:ae:ac:f6:5e: ca:63:96:18:cf:c0:f4:76:d4:0c:7d:34:a6:88:0d:95:41:c7: 89:90:7e:5f:db:4a:92:d1:46:00:8d:aa:65:71:c4:d7:77:d1: 96:63:5b:6e:50:0a:7a:94:1d:08:d1:28:fc:28:e2:e6:c0:d7: 29:a7:06:ec:76:81:66:54:19:89:7f:6e:da:93:98:b4:b6:47: 4b:20:a0:7d:38:6d:2a:fd:c3:ce:63:85:b4:44:75:04:c0:de: 89:17:df:51:c8:c6:bc:c2:84:ae:35:35:48:b7:84:16:a6:4b: 97:e6:09:aa:64:3b:b1:93
- Ensure the certificate and key are owned by phantom:phantom by checking
ls -la
to see the permissions. If you need to update the permissions, runchown phantom:phantom <PHANTOM_HOME>/etc/ssl/certs/httpd_cert.crt <PHANTOM_HOME>/etc/ssl/private/httpd_cert.key
- Restart the nginix service:
/<PHANTOM_HOME>/bin/phsvc restart nginx
If Nginx fails to restart, SELinux may have a conflict with the changed security context of the SSL files. The issue can be resolved by resetting the security context of the replaced SSL files. The Nginx error log location is
<PHANTOM_HOME>/var/log/nginx/error.log
. Run the following commands to reset the security context and restart Nginx:restorecon <PHANTOM_HOME>/etc/ssl/certs/httpd_cert.crt restorecon <PHANTOM_HOME>/etc/ssl/private/httpd_cert.key <PHANTOM_HOME>/bin/phsvc restart nginx
certificate store overview | Troubleshooting certificate issues |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0
Feedback submitted, thanks!