Reference: SSL certificates

You can replace the self-signed certificates generated by the Tanium™ Server and Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA).

To obtain a CA certificate, you create a certificate signing request (CSR) and submit it to the CA. When you create your CSR, be sure to specify appropriate options and X.509 attributes so the resulting certificate returned by the CA meets the certificate requirements.

The private key file is generated on a local system when you use a tool such as OpenSSL to generate the CSR. You do not send the private key to the CA. Instead, save it to a secure location. You are instructed to copy this key into the Tanium Server installation directory along with the CA-issued certificate.

Certificate requirements

Work with your CA to obtain a server certificate with the following specifications:

  • X.509 certificate with Extended Key Usage including both:
    • TLS Web Server Authentication
    • TLS Web Client Authentication
  • Separate certificate and key files. The key file should have the passphrase removed.
  • PEM format
  • Base-64 encoded
  • Certificate signed with SHA-256 hashing algorithm

  • RSA 2048-bit key encryption
  • Subject Alternative Name lists all Tanium Server names (for example, a certificate for an active-active deployment would include both and

Replacing certificates in your deployment

Use the procedures in the following table to replace the existing SSL certificate and key files with new ones.

  Certificate/key files in installation directory To update the certificates/key files
Tanium Server SOAPServer.crt



  1. Back up the existing certificate and key file in case you want to revert your changes.
  2. Make a copy of the CA-issued certificate and your private key.
  3. Rename the CA-issued certificate and corresponding key to the names used in the Tanium Server installation—SOAPServer.crt and SOAPServer.key.
  4. Stop the Tanium Server service.
  5. Copy the new certificate and key files in place of the existing ones.
  6. Restart the Tanium Server service.
Tanium Module Server ssl.crt



  1. Back up the existing certificate and key file in case you want to revert your changes.
  2. Make a copy of the CA-issued certificate and corresponding key.
  3. Rename the copies to the names used in the Tanium Module Server installation—ssl.crt and ssl.key.
  4. Stop the Tanium Module Server service, as well as services for all Tanium solution modules.
  5. Copy the new certificate and key files in place of the existing ones.
  6. Re-run the installer to re-do the Module Server registration process and generate the proper certificates or use the Module Server CLI to re-register with each Tanium Server.
  7. Restart the Tanium Module Server service and the services for all Tanium solution modules.

* In Tanium Core Platform 7.1 and earlier, you had to follow special procedures to create the certificate chain for the trusted.crt file. In 7.2 and later, the Module Server installer registration process creates a proper trusted.crt file (on the Module Server host) and trusted-module-servers.crt file (on the Tanium Server host). The 7.2 and later implementation uses certificate pinning, so you do not have to re-create the certificate chain. You can simply re-run the installer and select the CA-issued certificates, and the registration process creates the proper files. See Install the Module Server and automatically register with the Tanium Server.

Example: Creating a CSR with OpenSSL

This example shows how to use OpenSSL to create a CSR. You can use vendor-provided web forms or any tool you prefer as long as you end up with a certificate with the required attributes and a corresponding private key. This OpenSSL example uses a configuration file to pass X.509 attributes to the openssl command. You can specify command-line options instead of using a configuration file.

  1. Create a configuration file with the following content (change the values in bold to ones appropriate for your servers):
  2. [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    countryName = US
    countryName_default = US
    stateOrProvinceName = CA
    stateOrProvinceName_default = CA
    localityName = Emeryville
    localityName_default = Emeryville
    organizationName = IT
    organizationalUnitName = IT
    organizationalUnitName_default = IT
    commonName =
    commonName_max = 64
    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth,clientAuth
    subjectAltName = @alt_names
    DNS.1 =
    DNS.2 = 
  3. Create a private key file to digitally sign the certificate request:
  4. openssl genrsa -out tanium.key 2048
  5. Generate a certificate signing request file. The following example specifies the configuration file and private key created in the previous steps:
  6. openssl req -sha256 -new -out SOAPServer.csr -key tanium.key -config tanium-openssl.cfg
  7. Open the generated file to confirm that the CSR was created. The following example shows a PEM-formatted CSR.
  8. -----BEGIN CERTIFICATE REQUEST----- MIIC9DCCAdwCAQAwUzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRMwEQYDVQQH DApFbWVyeXZpbGxlMQswCQYDVQQLDAJJVDEVMBMGA1UEAwwMdHMudGFtLmxvY2Fs MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApUekQ9Q2cdV4HejVI6KY +EgnUsZm2qbQUHoTsRjQV82BUdsybOqY7/I4haTCA5x0tZVPmBV358B6cIiOtWdV +dwp8UFX90iSAugYpop3KQ/Ke7ws4twZiyL+SVZyEwARpZM0aiqt4iExs5+Kw+F5 uOvNlhj7F+csu8Q4VzWF+QsgrgMnSsNawZxGPvV9LghaEyow3oP+lmRN2LVrmy82 tsmhml2+vOwipR4lyAkNXJS6nIf3BROXUxqFC0vgHDI2/ilX+2GM3MMGZNxPn5iC nxXzLm/yLTytWyLB/mb77Ts/Si8BenLzrZtEvsV+dqWKq6a428/iZD4FYp6+LMd4 gQIDAQABoFwwWgYJKoZIhvcNAQkOMU0wSzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF oDAxBgNVHREEKjAoghJzZXJ2ZXIxLmRvbWFpbi5jb22CEnNlcnZlcjIuZG9tYWlu LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAC4ki2mTKzmrSAv/xW3L8FnJ8cUEzmfex Q/7N+XKGszUesAToBtVG1EHY2gSdA7gTR/OfUxZUrPJTx7oHWb9L/UgNB6gHeI2R uxwUOmbTcaSjcwdeKH+N+vEEnubMt/RzTun4Qk+CgQLws/jbGOsmcV2KoPJ4/2QM oxpnCHKyjc3HYaCvbYvT7UbFk9hNNfpl0djqxm0LRAi0uQqt5T0WmzIjxsVXY4ay F5bhwdCTLQT+e7ERqFStblBdfkIzxGOexUG96iQR4R8noN4qp/iNRFUTTiJPZ9aN 84Ab494Q4BtYY2cIA2LWQfSrCVgzcXSdpPwDdb2w5b8p5wSA0/rdMw==

  9. Save the private key to a secure location and submit the CSR to the CA. The submission process varies by CA. In some cases, you submit a file; in other cases, you paste the contents of the file into an online form. In any case, be sure to communicate the certificate requirements to your CA.

Last updated: 2/22/2019 12:22 PM | Feedback