Reference: SSL certificates
You can replace the self-signed certificates generated by the Tanium™ Server and Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA).
To obtain a CA certificate, you create a certificate signing request (CSR) and submit it to the CA. When you create your CSR, be sure to specify appropriate options and X.509 attributes so the resulting certificate returned by the CA meets the certificate requirements.
The private key file is generated on a local system when you use a tool such as OpenSSL to generate the CSR. You do not send the private key to the CA. Instead, save it to a secure location. You are instructed to copy this key into the Tanium Server installation directory along with the CA-issued certificate.
Work with your CA to obtain a server certificate with the following specifications:
- X.509 certificate with Extended Key Usage including both:
- TLS Web Server Authentication
- TLS Web Client Authentication
- Separate certificate and key files. The key file should have the passphrase removed.
- PEM format
- Base-64 encoded
Certificate signed with SHA-256 hashing algorithm
- RSA 2048-bit key encryption
- Subject Alternative Name lists all Tanium Server names (for example, a certificate for an active-active deployment would include both ts1.example.com and ts2.example.com)
Use the procedures in the following table to replace the existing SSL certificate and key files with new ones.
|Certificate/key files in installation directory||To update the certificates/key files|
|Tanium Module Server||
* In Tanium Core Platform 7.1 and earlier, you had to follow special procedures to create the certificate chain for the trusted.crt file. In 7.2 and later, the Module Server installer registration process creates a proper trusted.crt file (on the Module Server host) and trusted-module-servers.crt file (on the Tanium Server host). The 7.2 and later implementation uses certificate pinning, so you do not have to re-create the certificate chain. You can simply re-run the installer and select the CA-issued certificates, and the registration process creates the proper files. See Install the Module Server and automatically register with the Tanium Server.
This example shows how to use OpenSSL to create a CSR. You can use vendor-provided web forms or any tool you prefer as long as you end up with a certificate with the required attributes and a corresponding private key. This OpenSSL example uses a configuration file to pass X.509 attributes to the openssl command. You can specify command-line options instead of using a configuration file.
- Create a configuration file with the following content (change the values in bold to ones appropriate for your servers):
- Create a private key file to digitally sign the certificate request:
- Generate a certificate signing request file. The following example specifies the configuration file and private key created in the previous steps:
- Open the generated file to confirm that the CSR was created. The following example shows a PEM-formatted CSR.
- Save the private key to a secure location and submit the CSR to the CA. The submission process varies by CA. In some cases, you submit a file; in other cases, you paste the contents of the file into an online form. In any case, be sure to communicate the certificate requirements to your CA.
[req] distinguished_name = req_distinguished_name req_extensions = v3_req [req_distinguished_name] countryName = US countryName_default = US stateOrProvinceName = CA stateOrProvinceName_default = CA localityName = Emeryville localityName_default = Emeryville organizationName = IT organizationalUnitName = IT organizationalUnitName_default = IT commonName = server.domain.com commonName_max = 64 [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth,clientAuth subjectAltName = @alt_names [alt_names] DNS.1 = server1.domain.com DNS.2 = server2.domain.com
openssl genrsa -out tanium.key 2048
openssl req -sha256 -new -out SOAPServer.csr -key tanium.key -config tanium-openssl.cfg
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Last updated: 2/22/2019 12:22 PM | Feedback