Securing Tanium Console, API, and Module Server access

Tanium Cloud uses Transport Layer Security (TLS) to secure the connections among Tanium Core Platform components. However, you cannot change the digital certificates and keys that Tanium Cloud uses for TLS communication.

Overview of certificates and keys

Tanium user and module operations require connections to the Tanium Servers, Module Server, and Tanium module services. The Tanium Core Platform uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates and keys to secure connections to the Tanium Server and Module Server (illustrated in Figure 2). For example, when you use Tanium™ Patch to deploy patches to endpoints, the Tanium Core Platform establishes connections in the following order:

User system (browser or CLI) to the Tanium Server (Tanium Console or API)
Tanium Server to Tanium Module Server
Module Server to Patch service
Patch service to Tanium Server

The Tanium Server and Module Server installers generate self-signed certificates. You can replace these with certificates issued by a commercial certificate authority (CA) or your enterprise CA.

To facilitate troubleshooting, use the self-signed certificates during initial installation and replace them with CA-issued certificates later. This practice enables you to separate potential installation issues from TLS connection issues. Using a CA-issued certificate is highly recommended for Tanium Console and API access but is optional for communication between the Tanium Server and Module Server.

Tanium Console and API access require user authentication through sign-in credentials, but not for securing the TLS connection.

To troubleshoot Console and API access issues, see Authentication log.

For details about the Tanium™ Protocol that secures communication among the Tanium Servers, Zone Server, Zone Server Hub, and Tanium Clients, see Securing Tanium Server, Zone Server, and Tanium Client access. To manage the keys that the Tanium Protocol uses, see Tanium Console User Guide: Managing Tanium keys.

To install the Tanium Server or Module Server, see Tanium Appliance Deployment Guide or Tanium Core Platform Deployment Guide for Windows.

Tanium Console and API

Users access the Tanium Console or API on the Tanium Server to perform Tanium operations such as issuing questions or deploying actions. The Console and API communicate over Hypertext Transfer Protocol Secure (HTTPS), which uses SSL/TLS certificates and keys to secure client-server connections. When a user accesses the Tanium Console or API, the user system is the client and the Tanium Server is the server. To secure the connection, the Tanium Server presents its SOAPServer.crt certificate to prove its identity to the client and uses its SOAPServer.key private key to complete the TLS handshake. For Console or API access, clients do not have to prove their identity to secure the connection. Figure 2 illustrates these processes.

When you install the Tanium Server on a Tanium Appliance, it generates a self-signed SOAPServer.crt certificate. When you install the Tanium Server on a Windows server, you can choose between a self-signed certificate or (if one is available) a CA-issued certificate. If you use a self-signed certificate, users see a certificate validation error when they access the Tanium Console or API. The error occurs because the CA certificates on the user system cannot validate the self-signed certificate. The following figure shows an example of such an error when users try to connect from a browser to the Tanium Console.

Module Server communication

When users use the Tanium Console or API to work with Tanium modules, the Tanium Server communicates with the Tanium Module Server, the Module Server accesses the Tanium module services that it hosts (such as Patch), and the module services communicate back with the Tanium Server (see Figure 2).

The Tanium Server and Module Server communicate over HTTPS, and both servers must prove their identities through certificates. The Tanium Server presents SOAPServer.crt to prove its identity, while the Module Server presents ssl.crt. The servers use the associated private keys (SOAPServer.key and ssl.key) to complete the TLS handshake that secures the connection. To verify the Tanium Server identity, the Module Server checks that its trusted.crt file contains the SOAPServer.crt that the Tanium Server presented. In an active-active deployment, trusted.crt must contain the SOAPServer.crt of both Tanium Servers. Tanium Servers also verify the Module Server identity by checking that their trusted‑module‑servers.crt file contains the ssl.crt that the Module Server presented. The Module Server registration process generates trusted.crt on the Module Server and trusted‑module‑servers.crt on the Tanium Server. The Module Server installation process generates ssl.crt.

The Module Server opens a single HTTPS listener to route requests from the Tanium Server to Tanium module services, which listen only on localhost. TLS termination occurs on the Module Server, which forwards the requests locally over non-TLS connections from the HTTPS listener to the appropriate module service.

Module services connect to the Tanium Server over TLS and verify that the certificate that the Tanium Server presented during the TLS handshake is included in the trusted.crt file on the Module Server. Because module services use the same API as Tanium Console users, client certificate validation is not enforced.

Optionally, you can use CA-issued certificates to replace the server-generated, self-signed SOAPServer.crt and ssl.crt certificates, but not the trusted.crt and trusted‑module‑servers.crt files. If you replace SOAPServer.crt or ssl.crt, you must re-register the Module Server with the Tanium Server to regenerate the trusted.crt and trusted‑module‑servers.crt files.

The following table summarizes the certificates and keys that the Tanium Core Platform uses for connections to the Module Server:

Table 1: Certificates and keys for Module Server connections
Location	File Name	Purpose
Module Server	ssl.crt ssl.key	HTTPS certificate and private key that the Module Server presents to secure incoming connections from the Tanium Server or outgoing connections to Tanium services.
Module Server	trusted.crt	Contains the SOAPServer.crt of the Tanium Servers with which the Module Server has registered. The Module Server uses trusted.crt to validate Tanium Server certificates.
Tanium Server	SOAPServer.crt SOAPServer.key	HTTPS certificate and private key that the Tanium Server presents to secure outgoing connections to the Module Server or incoming connections from the systems of Tanium Console users or Tanium API users.
Tanium Server	trusted-module-servers.crt	Contains the ssl.crt of the Module Server that has registered with the Tanium Server. The Tanium Server uses trusted‑module‑servers.crt to validate the Module Server certificate.

SSL/TLS connection processes and setup tasks

The following figure illustrates the components, processes, and setup tasks involved in securing connections to the Tanium Server (Tanium Console or API) and Module Server.

The following processes correspond to the numbers in Figure 2.

	Tanium Console/API access When a user system connects to the Tanium Console or API, the Tanium Server presents its SOAPServer.crt certificate to prove its identity to the user system. In Figure 2, the server uses a CA-issued version of SOAPServer.crt () instead of a self-signed version. Therefore, the user system uses a CA certificate to validate SOAPServer.crt.
	Replace self-signed certificate with CA-issued certificate Generate a certificate signing request (CSR) and associated private key SOAPServer.key for the Tanium Server. You submit the CSR to your CA, which uses a CA certificate and associated private key to digitally sign the requested certificate (SOAPServer.crt). The CA signing certificate must also be present on the systems from which users access the Tanium Console or API (). The Tanium Server can then use the requested CA-issued certificate instead of a self-signed certificate. Optionally, you can also request a CA-issued certificate to replace the Module Server certificate (ssl.crt). For details, see CA-issued certificates.
	Module Server registration During a fresh installation of the Module Server, you must manually enable trust between it and the Tanium Server before registration. The Module Server then registers with the Tanium Server and the servers generate the trusted‑module‑servers.crt and trusted.crt files. For subsequent communication between the servers, including during version upgrades, manually enabling trust is unnecessary because the servers automatically check trusted‑module‑servers.crt and trusted.crt during their mutual identity verification (). The installation procedures in the following deployment guides include steps to manually enable trust for the server certificates by verifying or entering certificate fingerprints (hash digests of certificate public keys): Tanium Appliance Deployment Guide: Installing Tanium Module Server and Tanium Core Platform Deployment Guide for Windows: Installing the Tanium Module Server.
	Mutual identity verification To establish a secure TLS connection, the Tanium Server and Module Server prove their identities to each other. During the TLS handshake, the Tanium Server presents its SOAPServer.crt certificate to the Module Server, which verifies that its trusted.crt file contains SOAPServer.crt. Also during the handshake, the Module Server presents its ssl.crt certificate to the Tanium Server, which verifies that its trusted‑module‑servers.crt file contains ssl.crt.
	Module Server to Tanium module services The Module Server opens a single HTTPS listener to route requests from the Tanium Server to Tanium module services, which listen only on localhost. The Module Server forwards the requests locally over non-TLS connections from the HTTPS listener to the appropriate module service.
	Module services to the Tanium Server Module services connect to the Tanium Server over TLS and verify that the certificate that the Tanium Server presented during the TLS handshake is included in the trusted.crt file on the Module Server. Because module services use the same API as Tanium Console users, client certificate validation is not enforced for this connection (in contrast with the connection described in ).

CA-issued certificates

If your organization prefers to use CA-issued certificates to secure connections among systems, you can replace the self-signed certificates that the Tanium Server (SOAPServer.crt) and Module Server (ssl.crt) generated during installation. In an active-active deployment, you can use the same CA-issued SOAPServer.crt (and associated private key) for both Tanium Servers as long as the Subject Alternative Name in the certificate specifies both server names. Alternatively, you can use a distinct CA-issued certificate for each Tanium Server.

Obtaining a CA-issued certificate involves submitting a CSR to the CA and generating an associated private key. You can use the Tanium™ KeyUtility program to generate the CSR and key locally. See Tanium Appliance: Replace certificates or Windows: Replace certificates.

On Windows, you can also generate a CSR and key using Microsoft Management Console (MMC).

The CA uses a CA certificate and its associated private key to digitally sign the certificate that you requested. If a CA-issued certificate replaces SOAPServer.crt on the Tanium Server, then the CA signing certificate must also be present on the systems from which users access the Tanium Console or API. For Console users, the CA signing certificate must be in the trusted certificates store of their browsers. For API users, the CA signing certificate must be in the location specified in API calls, as shown in the ‑‑cacert <file path> option in the following example:

$ curl -s --cacert <file path> -X POST --data-binary @<sign in>.json https://localhost/api/v2/session/login

When you create the CSR, specify the options and X.509 attributes that ensure the CA returns a certificate that meets the following requirements.

Certificate requirements

Work with your CA to obtain a certificate with the following specifications for the Tanium Server or Module Server:

X.509 certificate with TLS Web Server Authentication and Client Authentication extended key usage
Separate certificate and private key files.

You must remove the passphrase from the key file.
PEM format (Base64 encoded)
Certificate signed with a SHA-256 hashing algorithm
RSA 2048-bit key encryption
Common Name (CN) that specifies the fully qualified domain name (FQDN) or IP address of the server.
Subject Alternative Name that specifies the FQDNs or IP addresses of both Tanium Servers in an active-active deployment where both servers use the same certificate. This is unnecessary if each server uses its own certificate.
If the certificate is part of a chain that includes an intermediate certificate, the certificate file must include the entire chain. If you receive the certificates as individual files, build a single file for the chain:
1. Use a text editor to create a new text file.
2. Paste the entire body of each certificate into the text file in the following order:
3. Save the text file with the file name of the original server certificate (SSL.crt or SOAPServer.crt).

Example: Create a CSR and private key with OpenSSL

The following example shows how to use OpenSSL to create a CSR. You can use vendor-provided web forms or any tool you prefer, as long as the resulting certificate has the required attributes and a private key. This OpenSSL example uses a configuration file to pass X.509 attributes to the openssl command. You can specify command-line options instead of using a configuration file.

For better security, use the TaniumKeyUtility program on Tanium Appliances or the KeyUtility.exe program on Windows-based Tanium Core platform servers instead of using a third-party tool to generate the CSR and private key. Generating the key locally enables you to avoid copying it between systems. See Tanium Appliance: Replace certificates or Windows: Replace certificates.

Create a configuration file (tanium-openssl.cfg, in this example) with the following content. Change the bold values to ones that are appropriate for your Tanium Servers.

In this example, both Tanium Servers in an active-active deployment use the same certificate and therefore the subjectAltName section specify both servers for the DNS.1 and DNS.2 values.

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Code
countryName_default = US
stateOrProvinceName = State or Province
stateOrProvinceName_default = CA
localityName = City
localityName_default = Emeryville
organizationName = Organization Name
organizationName_default = ExampleCorp
organizationalUnitName = Organizational Unit
organizationalUnitName_default = IT
commonName = Tanium Server FQDN
commonName_default = ts1.example.com
commonName_max = 64

[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = ts1.example.com
DNS.2 = ts2.example.com
Create a private key file to digitally sign the CSR:

openssl genrsa -out tanium.key 2048
Generate the CSR file. The following example specifies the configuration file and private key created in the previous steps:

openssl req -sha256 -new -out SOAPServer.csr -key tanium.key -config tanium-openssl.cfg
Open the generated file to confirm that the CSR was created. The following example shows a PEM-formatted CSR.

Save the private key to a secure location and submit the CSR to the CA. The submission process varies by CA. In some cases, you submit a file; in other cases, you paste the contents of the file into an online form. In any case, be sure to communicate the certificate requirements to your CA.

Use a secure protocol such as Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP) when you need to copy the private key between systems; do not use Server Message Block (SMB) or File Transfer Protocol (FTP). For security, after copying the key to the installation folder of the Tanium Core Platform server that requires key, delete any other instance of it.

Tanium Appliance: Replace certificates

Perform the following steps to replace the current SOAPServer.crt and SOAPServer.key on the Tanium Server with a new, CA-issued certificate and associated private key. In an active-active deployment, you can use the same certificate and key for both Tanium Servers as long as the Subject Alternative Name in the certificate specifies both server names.

Contact Tanium Support if you need to replace the current ssl.crt and ssl.key on the Module Server with a new, CA-issued certificate and associated private key.

Obtain the new certificate and key

You can use the TaniumKeyUtility program instead of a third-party tool to generate the CSR and private key on the Tanium Server appliance. The program generates the key in plain text and it must remain unencrypted.

For better security, generate the key locally on the server to avoid copying it between systems.

Sign in to the TanOS console as a user with the tanadmin role.
Open a read-only restricted shell. (B-5-O)
Navigate to the server installation folder.

(0 20:41:16 1) ->cd ~/TaniumServer>
Use the TaniumKeyUtility program to generate a CSR and private key.

The --hostname argument specifies the server FQDN or IP address. In an active-active deployment where both Tanium Servers use the same certificate and key, specify both Tanium Servers with a comma separator (ts1.example.com,ts2.example.com for example). Optionally, you can also generate a unique CSR and key for each Tanium Server.

The --out argument specifies the output directory and file names of the CSR and key. The command automatically appends the suffix (.csr or .key) to the file name. Use the file name SOAPServer to avoid having to rename the files later. Make sure to specify the /xfer/outgoing directory as the output directory.

(0 20:41:22 2) ->./TaniumKeyUtility selfsign --export-csr --hostname <server FQDN/IP address> --out /xfer/outgoing/SOAPServer

The command creates three files in the outgoing directory: SOAPServer.csr, SOAPServer.key, and SOAPServer.crt. The command automatically uses the key to sign SOAPServer.csr. The SOAPServer.crt file is a self-signed certificate that you use only if you do not need a CA-issued certificate.
Use SFTP to access the files in the outgoing directory, and submit the CSR to the CA. The submission process varies by CA. In some cases, you submit a file; in other cases, you paste the file contents into an online form. In any case, be sure to communicate the certificate requirements to your CA.

If the certificate is part of a chain (CA certificate, intermediate certificate, and server certificate) for which the CA provides individual files, you must build a single file for the entire chain. See Certificate requirements.
When the CA returns the new PEM-formatted certificate file, save it to the same location as the private key so that you can copy both files to the Tanium Servers.

Install the new certificate and key

Install the new, CA-issued certificate and associated private key on the Tanium Server. In an active-active deployment, perform these steps on each Tanium Server. Because the steps include stopping and restarting the servers, perform this task during a maintenance window.

Use SFTP to copy the new CA-issued SOAP certificate and key files to the /incoming directory on the appliance.
Sign in to the TanOS console as a user with the tanadmin role.

Enter 2 to go to the Tanium Operations menu.

View screen

------------------------------------------------------

             >>> Tanium Operations Menu <<< 

         1: Tanium Service Control
         2: Tanium Configuration Settings
         4: Install Custom SOAP Cert
         5: Manage Custom Signing Keys
         7: Download SOAP Certificate
         9: Import CAC Certificate

         A: Configure Module Server(s)
         B: Configure Tanium Cluster
         C: Manage Content
         M: Module Operations

         I: Import public key to Tanium Zone Server

         X: Advanced Operations

         R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter 4 to initiate the Install Custom SOAP Cert process.

View screen

------------------------------------------------------

>>> Tanium Operations -> Install Custom SOAP Cert <<< 

This menu will allow you to install a custom SOAP Certificate on the Tanium server.
The detailed process and requirements can be reviewed at:
			
https://docs.tanium.com/platform_deployment_reference/platform_deployment_reference/
ssl_certificates.html#Appliance

Attention: the Tanium Server service will be restarted during this operation! 

Please ensure that you have completed the following steps before continuing:

1) Follow the instructions on docs.tanium.com to generate a key/cert pair 
2) Upload the SOAPServer.key and SOAPServer.crt files into the incoming 

Would you like to continue? [Yes|No]:

Follow the prompts to install the certificate and key files that you uploaded:

Enter Yes at the prompt to proceed with the installation.

Select the certificate that you are importing, verify that the displayed certificate details are correct, and enter Yes at the prompt. View screen

>>> Tanium Operations -> Install Custom SOAP Cert -> Select Certificate <<<

Pick a certificate (.pem or *.crt) to import. Press ENTER to re-scan the incoming directory.

   1: SOAPServer.crt                                             2.1K
      subject= /C=DE/ST=BE/L=Berlin/OU=IT

   R: Return, no selection
	
Please select: 1

Examining SOAPServer.crt
MD5: fd9bbe48d6ea10037d3d240f96c0c211

Not After: Sep 2 09:43:41 2023 GMT
Subject: C=DE, ST=BE, L=Berlin, OU=IT

SOAPServer.crt: C=DE, ST=BE, L=Berlin, OU=IT

Use this file? [Yes|No]:

Select the private key that you are importing.

The appliance verifies that the key is valid and matches the certificate. View screen

>>> Tanium Operations -> Install Custom SOAP Cert -> Select Key <<<

Pick a key (.key or *.key.pem) to import. Press ENTER to re-scan the incoming directory.

   1: SOAPServer.key                                             1.8K
      Valid RSA Key, matching certificate

   R: Return, no selection

Please select: 1
Creating backup of existing files.

Would you like to backup existing SOAP files to tancopy outgoing? [Yes|No]:

Enter Yes at the prompt to create a backup of the files in the /outgoing directory of the tancopy user.

The Tanium Appliance stops the Tanium Server service, installs the new certificate and key, and restarts the service. View screen

Creating backup of existing files.

Would you like to backup existing SOAP files to tancopy outgoing? [Yes|No]: yes
Existing SOAP files have been placed in the sftp outgoing directory.
This location will be cleaned daily at 02:00am appliance time
Stopping the Tanium Server service - this might take a while...
Installing new certificate...
Starting the Tanium Server service...
Successfully installed new SOAP certificate and restarted the Tanium Server

If the appliances are in an array, the last step is to re-register the Module Server: enter Yes at the prompt and enter the password of the Tanium Console admin user.

View screen

This appliance is part of an Appliance Array containing a remote Tanium Module Server.
The TMS needs to re-register with this appliance to begin using the newly loaded certificate.

Do you want to register the TMS now? [Yes|No]: yes
Enter Tanium Console admin user (tanium) password for 10.1.20.30:

Otherwise, if the appliance is not in an array, press Enter to continue and perform the steps described in Re-register the remote Module Server with each Tanium Server. View screen

Local Tanium Module Server service found - updating trusted.crt.
Restarting the Tanium Module Server service.
Finished updating trusted .crt and restarted Tanium Module Server.
Restart of other module services may be required.
Validate all other module services are functioning as expected and use the service control options to restart as required.

Custom SOAP Cert installation completed
Press enter to continue

Re-register the remote Module Server with each Tanium Server

After you replace the certificate and private key on the Tanium Server, re-register the Module Server if you did not already do so in the preceding task. In an active-active deployment, you must re-register with each Tanium Server. Because the steps include stopping and restarting services, perform this task during a maintenance window.

Repeat the remote Module Server configuration steps to update the certificates that are used to validate SOAPServer.crt and ssl.crt on each server: trusted.crt on the Module Server appliance and trusted-module-servers.crt on the Tanium Server appliance. See Tanium Appliance Deployment Guide: Configure the Tanium Server to use the remote Module Server.
Restart all Tanium services on the Module Server appliance. See Tanium Appliance Deployment Guide: Start, stop, and restart Tanium services.

Windows: Replace certificates

Perform the following steps to replace the current certificates and private keys used for connections to the Tanium Console, API, and Module Server with new, CA-issued certificates and associated private keys. In an active-active deployment, you can use the same certificate and key for both Tanium Servers as long as the Subject Alternative Name in the certificate specifies both server names.

The certificates and keys that the Tanium Server and Module Server use are not interchangeable. The Tanium Server uses the SOAPServer.crt certificate and SOAPServer.key key. The Module Server uses the ssl.crt certificate and ssl.key key.

Obtain the new certificate and key

You can use the Tanium KeyUtility.exe program instead of a third-party tool to generate the CSR and private key on whichever Windows-based server (Tanium Server or Module Server) needs them. The program generates the key in plain text and it must remain unencrypted.

For better security, generate the key locally on the server to avoid copying it between systems.

You can also generate a CSR and key using Microsoft Management Console (MMC).

Sign in to the server that needs a new certificate and access the CLI as an administrator (see Windows: CLI).
Navigate to the server installation folder.
$ cd <Tanium/Module Server>
Use the KeyUtility.exe program to generate a CSR and private key.
The --hostname argument specifies the server FQDN or IP address. In an active-active deployment where both Tanium Servers use the same certificate and key, specify both Tanium Servers with a comma separator (ts1.example.com,ts2.example.com for example). Optionally, you can also generate a unique CSR and key for each Tanium Server.
The --out argument specifies the output folder and files names of the CSR and key. The command automatically appends the suffix (.csr or .key) to the file name. Use the file name SOAPServer on the Tanium Server or ssl on the Module Server to avoid having to rename the files later. To avoid overwriting the current key, be sure to specify an output folder that is not the server installation folder.
$ KeyUtility selfsign --export-csr --hostname <server FQDN/IP address> --out <output folder path><file name>
The command creates three files in the specified output folder: <filename>.csr, <filename>.key, and <filename>.crt. The command automatically uses the key to sign <filename>.csr. The <filename>.crt file is a self-signed certificate that you use only if you do not need a CA-issued certificate.
Submit the CSR to the CA. The submission process varies by CA. In some cases, you submit a file; in other cases, you paste the file contents into an online form. In any case, be sure to communicate the Certificate requirements to your CA.

If the certificate is part of a chain (CA certificate, intermediate certificate, and server certificate) for which the CA provides individual files, you must build a single file for the entire chain. See Certificate requirements.
When the CA returns the new PEM-formatted certificate file, save it to a temporary location from where you can later copy the file to the installation folder of the Tanium Server or Module Server.

Update the Tanium Server certificate and key files

Because you must restart servers during this task, perform it during a maintenance window.

Update the Tanium Server certificate and key files in a standalone (non-HA) deployment

On the Tanium Server, back up the existing SOAPServer.crt certificate and SOAPServer.key private key in case you later want to revert your changes.
Stop the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Stop.
Copy the new certificate and key files to the server installation folder to replace the existing files.

For security, delete any instance of the key that is not in the installation folder after you copy the key there.
Start the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Start.
If you plan to update the Module Server certificates and keys, skip to Update the Module Server certificates and key files. Otherwise, perform the remaining steps.
Sign in to the Module Server and re-register it with the Tanium Server to regenerate the trusted.crt and trusted‑module‑servers.crt files. Use the Module Server CLI as follows. Specifying the port is necessary only if the Tanium Console does not use the standard port (443). Specify the user name and password of a Tanium Console administrator.
cmd-prompt>TaniumModuleServer register <Tanium Server FQDN>:<port>
Enter administrator username: <user name>
Enter password for user '<user name>': <password>
Successfully completed registration.
For a standalone Tanium Server, you can also re-register by re-running the Module Server installer (see Tanium Core Platform Deployment Guide for Windows: Installing the Tanium Module Server).
On the Module Server, perform one of the following steps to restart the services for the Tanium Module Server and all Tanium solutions:
- Reboot the Module Server. All the services automatically restart during the reboot process.
- Open the Windows Services application and, for each Tanium service, right-click the service name and select Restart.
Restart the Tanium Server service: on the Tanium Server, open the Windows Services application, right-click Tanium Server, and select Restart.

Update the Tanium Server certificate and key files in an active-active deployment

Perform these steps on one Tanium Server at a time. The steps in this example start on the primary Tanium Server.

On the primary Tanium Server, back up the existing SOAPServer.crt certificate and SOAPServer.key private key in case you later want to revert your changes.
Stop the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Stop.
Copy the new certificate and key files to the server installation folder to replace the existing files.

For security, delete any instance of the key that is not in the installation folder after you copy the key there.
Start the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Start.
On the secondary Tanium Server, stop the Tanium Server service.
Replace the existing certificate and key in the installation folder of the secondary Tanium Server:
- If each Tanium Server requires a unique certificate and key, copy the files from the temporary folder where you stored them.
- If both Tanium Servers use the same certificate and key, copy the files from the primary Tanium Server.
Use a secure protocol such as SCP or SFTP to copy the key between systems; do not use SMB or FTP.
On the secondary Tanium Server, start the Tanium Server service.
If you plan to update the Module Server certificates and keys, skip to Update the Module Server certificates and key files. Otherwise, perform the remaining steps.
Sign in to the Module Server and re-register it with each Tanium Server to regenerate the trusted.crt and trusted‑module‑servers.crt files. Use the Module Server CLI as follows for each Tanium Server in the deployment. Specifying the port is necessary only if the Tanium Console does not use the standard port (443). Specify the user name and password of a Tanium Console administrator.
cmd-prompt>TaniumModuleServer register <Tanium Server FQDN>:<port>
Enter administrator username: <user name>
Enter password for user '<user name>': <password>
Successfully completed registration.
On the Module Server, perform one of the following steps to restart the services for the Tanium Module Server and all Tanium solutions:
- Reboot the Module Server. All the services automatically restart during the reboot process.
- Open the Windows Services application and, for each Tanium service, right-click the service name and select Restart.
Restart the Tanium Server service: on each Tanium Server, open the Windows Services application, right-click Tanium Server, and select Restart.

Update the Module Server certificates and key files

Because this task involves stopping and starting the Module Server, perform the steps during a maintenance window.

The Tanium Server service must be running on each Tanium Server when you perform the step to re-register the Module Server.

On the Module Server, back up the existing ssl.crt certificate and ssl.key private key in case you later want to revert your changes.
Stop the services for the Tanium Module Server and all Tanium solutions (modules and shared services): open the Windows Services application and, for each service, right-click the service name and select Stop.
Copy the new certificate and key files to the Module Server installation folder to replace the existing files.

For security, delete any instance of the key that is not in the installation folder after you copy the key there.
Re-register the Module Server with the Tanium Server to regenerate the trusted.crt and trusted‑module‑servers.crt files. In an active-active deployment, you must re-register with each Tanium Server. Use the Module Server CLI as follows to re-register with each Tanium Server in the deployment. Specifying the port is necessary only if the Tanium Console does not use the standard port (443). Specify the user name and password of a Tanium Console administrator.
cmd-prompt>TaniumModuleServer register <Tanium Server FQDN>:<port>
Enter administrator username: <user name>
Enter password for user '<user name>': <password>
Successfully completed registration.
For a standalone Tanium Server, you can also re-register by re-running the Module Server installer (see Tanium Core Platform Deployment Guide for Windows: Installing the Tanium Module Server). In an active-active deployment, running the installer re-registers only with the primary Tanium Server.
On the Module Server, perform one of the following steps to restart the services for the Tanium Module Server and all Tanium solutions:
- Reboot the Module Server. All the services automatically restart during the reboot process.
- Open the Windows Services application and, for each Tanium service, right-click the service name and select Restart.
Restart the Tanium Server service: on each Tanium Server, open the Windows Services application, right-click Tanium Server, and select Restart.