Configure Custom HTTPS Certificates in USM Appliance


Applies to Product: USM Appliance™ LevelBlue OSSIM®

You can secure USM Appliance by providing your own SSL certificates from a Certificate Authority (CA), and you can upload them through the web UI.

To upload a custom HTTPS certificate in USM Appliance

  1. Log into the USM Appliance web UI and go to Configuration > Administration > Main.
  2. Extend USM Framework.
  3. Click the Browse button to upload your custom web server SSL certificate and private key files in Privacy Enhanced Mail (PEM) format:

    Custom HTTPS Certificate

    Important: Make sure that your certificate file includes both the "begin" and "end" lines.

  4. (Optional) If your SSL certificate requires any intermediate certificates, upload them in Web Server SSL CA Certificates (PEM format).

If you need help generating a certificate, see How to Generate a Certificate Signing Request for USM Appliance.

 

Convert Certificates to PEM Format

USM Appliance only accepts certificates in the PEM format, which is the most common format in which certificates are issued. However, different operating systems (OSes) generate certificates in different formats. For example, Windows typically produces certificates in PFX or PKCS#12 format, with the extension .pfx or .p12.

If your certificate is not in the PEM format, you can use OpenSSL to convert it. OpenSSL is installed on USM Appliance by default. The following procedure illustrates how to convert a certificate from PFX to PEM format using USM Appliance.

To convert your certificate to the PEM format

  1. Obtain a certificate from your CA.
  2. Upload your certificate file to USM Appliance.

    Note: For example, Linux and macOS users can use the scp command while Windows users can use a program called WinSCP.

  3. Connect to the AlienVault Console through SSH and use your credentials to log in.
  4. On the AlienVault Setup main menu, select Jailbreak System to gain command line access.
  5. Generate the following files:

    1. Certificate:

      openssl pkcs12 -nokeys -nodes -in certificate.pfx -out av_certificate.pem

    2. Private key:

      openssl pkcs12 -nocerts -nodes -in certificate.pfx -out av_private_key.pem

    3. CA certificate chain (optional):

      openssl pkcs12 -cacerts -nokeys -in certificate.pfx -out av_ca_certificate_chain.pem

  6. Edit the files to remove any extra lines. You can use vim or nano as editors.

    Note: Certificate files have -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- while private key files have -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- surrounding the content. You need to remove any extra lines above or below these markers.

  7. Download the new certificate files to your desktop.
  8. Log into the USM Appliance web UI and go to Configuration > Administration > Main.
  9. Extend USM Framework.
  10. If you have configured a certificate in the past, click Remove to delete the old certificate, and then Update Configuration to apply the changes.

    Allow 2-5 minutes for reconfiguration to run in the background. After the web browser refreshes, you may receive a warning about a custom self-signed certificate being in use. You can ignore this message.

  11. Browse to and upload the certificate files generated in step #5.
  12. Verify that the new certificate is installed and ready to be used.
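
The following script is an added example, not part of the LevelBlue documentation. It performs the cleanup in step 6 without hand editing and checks, before upload, that the private key actually belongs to the certificate. The function names, the sample text and the `.clean.pem` output name are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: clean and check the PEM files written by `openssl pkcs12`.
# -nodes leaves the private key unencrypted, so write cleaned copies under a
# restrictive umask, e.g. (output name is hypothetical):
#   umask 077; pem_blocks av_private_key.pem > av_private_key.clean.pem

# Print only the PEM blocks of file $1, dropping "Bag Attributes" and any
# other text outside the BEGIN/END marker lines (step 6, without hand editing).
pem_blocks() {
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN [A-Z0-9 ]+-----$/ { keep = 1 }
         keep                           { print }
         /^-----END [A-Z0-9 ]+-----$/   { keep = 0 }' "$1"
}

# Count the blocks in file $1 with label $2 ("CERTIFICATE", "PRIVATE KEY").
pem_count() {
    pem_blocks "$1" | grep -c -x -F -- "-----BEGIN $2-----" || true
}

# Succeed only if private key $2 belongs to certificate $1, by comparing the
# public key derived from each. Returns 2 if either file cannot be parsed.
cert_key_match() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Constructed sample of pkcs12 output; the body is placeholder text, not a
# real certificate.
constructed_sample() {
    cat <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=usm.example.test
issuer=/CN=Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
}
```

Running `cert_key_match av_certificate.pem av_private_key.pem && echo match` on the files from step 5 confirms the pair before it is uploaded in step 11.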