By default, Vectra uses a self-signed certificate for the secure HTTP (i.e. "https://") user interface. Because that certificate is not issued by a CA the browser trusts, most web browsers show an SSL/TLS certificate warning when connecting to the UI.
The server's SSL certificate can be replaced with a customer-provided, CA-signed certificate so that browsers can validate the appliance's identity and open encrypted user interface sessions without warnings. This certificate should be tied to the DNS hostname of the appliance.
Starting in Cognito Detect version 6.6, the certificate must satisfy OpenSSL security level 2 (SSL_CTX security level 2). RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. Cipher suites that use MD5 for the MAC or RC4 are prohibited, as is SSLv3.
Customers currently have several options regarding the installation of the certificate.
Option 1 (recommended): Use the Vectra command line to generate CSR and install the certificate
- SSH to your Cognito brain using the Vectra account
- Generate a new CSR using the command:
certificate request https --country <country-code> --state <state-name> --location <location-name> --org <organization-name> --orgunit <organization-unit> --cn <common-name>
Example:
certificate request https --country US --state TEXAS --location AUSTIN --org "VECTRA AI" --orgunit SUPPORT --cn mytestmachine.vectra.ai
- Please note that the country field requires the two-letter country code, e.g. US for the United States of America, DE for Germany.
- Any parameters not provided on the command line are prompted for.
- The final prompt will be for the alternate names of this appliance. Provide a space-separated list of every hostname and IP address by which the appliance will be reached (for example both the short and fully qualified hostnames and the management IP address). These entries will be added to the CSR in the SubjectAltName field; a browser that connects by a name or address not listed there will still warn.
- Submit the generated CSR to your CA (Certificate Authority). The issued SSL certificate should be provided unencrypted in X509 PEM format.
- Please note that many Microsoft products issue certificates in PKCS#7 format (.p7b). These must be converted to X509 PEM format before being installed. For a PEM-encoded .p7b file this can be done with the command below; if the .p7b file is binary (DER-encoded), add `-inform DER` to the command:
openssl pkcs7 -print_certs -in CERTNAME.p7b -out CERTNAME.pem
- Install the provided certificate using the command:
certificate add https
Paste the certificate issued by the CA, or the full certificate chain (leaf certificate first, followed by the intermediate and root certificates), when prompted.
Note: In later versions of the software the user is prompted to paste the certificate into an editor ('vi'), where the full certificate chain may be entered.
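The following pre-install check script is an added example and is not part of the Vectra CLI or of Vectra's documentation. It covers the two steps above that are easy to get wrong: converting a PKCS#7 bundle (PEM or DER encoded) to PEM, and confirming, before running "certificate add https", that the leaf certificate meets the version 6.6 key-size minimums and lists the appliance hostname in SubjectAltName. It assumes only that openssl is in PATH and that the leaf certificate is the first certificate in the PEM file; the hostname brain.example.test used in the comments is a placeholder. The signature-algorithm check goes slightly beyond the page: OpenSSL at security level 2 also rejects certificates signed with MD5 or SHA-1.

```shell
#!/bin/sh
# Example pre-install checks for a CA-issued HTTPS certificate (not Vectra tooling).
# Assumes: openssl in PATH; leaf certificate first in the PEM file.

# Convert a PKCS#7 bundle (.p7b) to a PEM certificate bundle. Microsoft CAs
# usually emit DER; detect PEM by its header and pass -inform DER otherwise.
p7b_to_pem() {
  if grep -q 'BEGIN PKCS7' "$1" 2>/dev/null; then
    openssl pkcs7 -print_certs -in "$1" -out "$2"
  else
    openssl pkcs7 -inform DER -print_certs -in "$1" -out "$2"
  fi
}

# Policy from the version 6.6 requirement (OpenSSL security level 2):
# RSA/DSA/DH keys >= 2048 bits, EC keys >= 224 bits. Returns 0 if acceptable.
key_bits_ok() {
  alg="$1"; bits="$2"
  case "$alg" in
    rsaEncryption|rsassaPss|dsaEncryption|dhKeyAgreement) [ "$bits" -ge 2048 ] ;;
    id-ecPublicKey)                                       [ "$bits" -ge 224 ] ;;
    *) return 1 ;;   # unknown algorithm: refuse rather than guess
  esac
}

# Print "<algorithm> <bits>" for the first (leaf) certificate in a PEM file.
# Handles both "RSA Public-Key: (2048 bit)" (1.1.x) and "Public-Key: (2048 bit)" (3.x).
leaf_key_info() {
  txt=$(openssl x509 -in "$1" -noout -text)
  alg=$(printf '%s\n' "$txt" | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  printf '%s %s\n' "$alg" "$bits"
}

check_leaf_key() {
  set -- $(leaf_key_info "$1")
  key_bits_ok "$1" "$2"
}

# Return 0 if SubjectAltName lists the hostname ($2) as a DNS entry.
# Dots in $2 are treated as regex wildcards, which is acceptable for this check.
san_has_host() {
  openssl x509 -in "$1" -noout -text | grep -qE "(^|[ ,])DNS:$2(,|\$)"
}

# Return 0 unless the certificate is signed with MD5 or SHA-1, which OpenSSL
# refuses at security level 2 alongside the key-size limits above.
sig_alg_ok() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: //p' | head -n 1 | grep -qviE 'md5|sha1'
}

pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Run all checks on a PEM bundle ($1) for the appliance hostname ($2).
precheck() {
  check_leaf_key "$1" || { echo "REJECT: key too short or unknown algorithm"; return 1; }
  san_has_host "$1" "$2" || { echo "REJECT: SubjectAltName does not list $2"; return 1; }
  sig_alg_ok "$1"       || { echo "REJECT: signed with MD5 or SHA-1"; return 1; }
  echo "OK: $(pem_cert_count "$1") certificate(s); leaf suitable for $2"
}
```

Typical use: `p7b_to_pem certnew.p7b chain.pem && precheck chain.pem brain.example.test`, then paste chain.pem into the "certificate add https" prompt only if the script prints OK. The policy table in key_bits_ok is separated from the openssl parsing so it can be extended if a later release tightens the minimums.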
Option 2: Customer generates both a new certificate and a new private key
Note: Vectra does not recommend that customers install a separately generated private key on the Vectra appliance, because the key would have to be transmitted electronically before it can be installed, exposing it in transit. Instead Vectra recommends using Option 1 above to generate a CSR on the appliance (so the private key never leaves it) and install the resulting signed certificate.
- Generate a new private key and a signed certificate according to your requirements. You will need to provide the Country, State, Location, Organization, Organizational Unit, and Common Name for the certificate. The certificate and key should be provided as an X509 certificate and private key in unencrypted PEM format, and the certificate must meet the same key-size and algorithm requirements described above.
- Please note that many Microsoft products issue certificates in PKCS#7 format. These must be converted to X509 PEM format before being installed.
- During certificate generation, include the SubjectAltName field listing every hostname and IP address by which the appliance will be reached, including its IP address if you wish to access the appliance that way.
- Engage Vectra Support through your support portal or by emailing email@example.com.
- Vectra Support will assist you via remote session (Support VPN direct to the appliance or remote meeting, for example, Webex or Zoom meeting).
- In this remote session, the Vectra Support engineer will replace the existing private key and existing self-signed certificate with the customer-provided data.