SSL certificate installation

This article discusses SSL certificate options for Quadrant UX deployments. For RUX deployments, the certificate used for the GUI is managed entirely by Vectra.

Applicability

In Quadrant UX (QUX) deployments, the Vectra User Interface (UI) is served locally from the Brain appliance. In Respond UX (RUX) deployments, the Vectra UI is served from the Vectra cloud.

This article only applies to QUX deployments where the customer has the option to use their own certificates to secure the Vectra UI. For RUX deployments, the certificate for the Vectra UI is fully managed by Vectra and cannot be changed by customers. If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant).

Introduction

By default, Vectra uses a self-signed certificate for the secure HTTP (i.e. "https://") user interface. Because no browser trusts the issuer of that certificate, it causes certificate warnings in most web browsers.

The Brain's SSL certificate can be replaced with a customer-provided, CA-signed certificate for encrypting user interface sessions to the Vectra UI. This certificate should be issued for the DNS hostname (and, if used, the IP address) by which users reach the appliance.

Starting in Vectra software version 9.1, the following requirements must be adhered to (together they correspond to OpenSSL security level 2):

  • The certificate must adhere to "SSL CTX level 2", i.e. OpenSSL security level 2 as set by SSL_CTX_set_security_level(), which requires 112 bits of security.

  • RSA, DSA and DH keys shorter than 2048 bits are prohibited.

  • ECC keys and certificates are supported (at this level, ECC keys shorter than 224 bits are rejected, so P-256 and larger curves are fine).

  • Cipher suites that use MD5 for the MAC or RC4 are prohibited.

  • SSLv3 is prohibited.

A new "certificate info" command was added in v9.1 to display certificate information.

Example:

vscli > certificate info
Issuer: C = US, ST = California, L = San Jose, O = "Vectra Networks, Inc", emailAddress = [email protected], CN = vectra, keyUsage = "critical, digitalSignature, keyEncipherment", extendedKeyUsage = "critical, serverAuth"
Validity
Not Before: Feb  5 21:58:57 2025 GMT
Not After : Jan 31 21:58:57 2045 GMT
Subject: C = US, ST = California, L = San Jose, O = "Vectra Networks, Inc", emailAddress = [email protected], CN = vectra, keyUsage = "critical, digitalSignature, keyEncipherment", extendedKeyUsage = "critical, serverAuth"
RSA Public-Key: (2048 bit)
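Before a certificate is pasted into the Brain it is worth checking it against the v9.1 requirements above from a workstation, so that a rejected certificate does not leave the UI on the self-signed default. The following is an added example, not Vectra tooling: a POSIX shell function that reads a PEM certificate with OpenSSL and reports the key algorithm, key size, signature algorithm and expiry, applying the OpenSSL security level 2 thresholds the requirement list matches. The hostname, file names and throw-away self-signed certificates it produces for demonstration are constructed here.

```sh
#!/bin/sh
# Pre-flight check of a PEM certificate against the v9.1 requirements
# (OpenSSL security level 2). Added example, not Vectra tooling; the demo
# certificates, file names and hostname are constructed for illustration.
#
#   check_cert_policy brain.pem   -> exit 0 = acceptable, 1 = would be rejected

check_cert_policy() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "REJECT: $1 is not an unencrypted X.509 certificate in PEM format"
        return 1
    }
    # "Public Key Algorithm: rsaEncryption", "Public-Key: (2048 bit)", "Signature Algorithm: ..."
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    bits=${bits:-0}
    status=0
    case "$alg" in
        rsaEncryption|dsaEncryption)   # level 2: RSA/DSA need at least 2048 bits
            [ "$bits" -ge 2048 ] || { echo "REJECT: $alg key is only $bits bits (minimum 2048)"; status=1; } ;;
        id-ecPublicKey)                # level 2: ECC needs at least 224 bits (P-256 and up pass)
            [ "$bits" -ge 224 ] || { echo "REJECT: EC key is only $bits bits (minimum 224)"; status=1; } ;;
        *)  echo "REJECT: unsupported public key algorithm '$alg'"; status=1 ;;
    esac
    case "$sig" in
        *md5*|*MD5*) echo "REJECT: certificate signature uses MD5 ($sig)"; status=1 ;;
    esac
    # -checkend 0 fails if the certificate is already past its Not After date
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "REJECT: certificate has expired"; status=1; }
    if [ "$status" -eq 0 ]; then
        echo "OK: $alg, $bits-bit key, signed with $sig"
    fi
    return "$status"
}

# Throw-away self-signed certificate so the check can be exercised offline:
#   gen_self_signed rsa 2048 out.pem   |   gen_self_signed ec prime256v1 out.pem
gen_self_signed() {
    key="${3%.pem}.key"
    if [ "$1" = ec ]; then
        openssl ecparam -name "$2" -genkey -noout -out "$key"
    else
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$key"
    fi
    openssl req -new -x509 -key "$key" -days 1 -subj "/CN=brain.example.com" -out "$3"
}

# Stand-alone usage: check every certificate named on the command line.
for f in "$@"; do check_cert_policy "$f"; done
```

The check reads only the first certificate in the file, so run it on the Brain's own (leaf) certificate rather than on a bundle that starts with an intermediate. It does not check the hostname; the SubjectAltName entries still have to match the name users type into the browser.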

Customers currently have two options for installing the certificate.

Option 1 (Brain generates the private key and CSR; customer installs the CA-issued certificate)

In this option, customers use the command line interface (CLI) of the Brain to generate a CSR and then install the certificate received from the CA (Certificate Authority). The private key never leaves the appliance.

  • When using this option the private key is generated on the Brain appliance.

    • It is always an RSA key and defaults to 4096 bits in length.

    • The default private key can be replaced, and the key length can be chosen by the customer as 2048, 4096 or 8192 bits (see "Replacing Default Private Key" below).


As noted in Step 2 below, at the CLI you can simply enter "certificate request https" and answer the prompts to complete a request.

  • You do not need to construct a fully formatted command with all options specified; any option you omit is prompted for.

Please use the following steps:

  1. Log in to the CLI of your Brain appliance as the "vectra" user.

    1. Please see Console access on Vectra appliances if you need guidance on how to reach the CLI.

    2. Please see Default username and passwords for Vectra appliances if you don't know the password for the "vectra" user.

  2. Generate a new CSR (Certificate Signing Request) with the "certificate request https" command; the subject fields and alternate names can be given as options on the command line or entered at the prompts.

  1. Please note that the country field requires the two-letter country code, e.g. US for the United States of America, DE for Germany.

  2. Any parameters not provided on the command line are prompted for.

  3. The final prompt is for the alternate names of this appliance.

    1. Enter, within quotes, a space-separated list of every hostname and IP address that users will use to reach the appliance (for example the FQDN, the short hostname and the management IP address).

    2. These entries are added to the CSR as SubjectAltName entries. Modern browsers match the SubjectAltName list rather than the Common Name, so any name missing from this list will still produce a certificate warning.

  4. Submit the generated CSR to your CA (Certificate Authority).

    1. The issued SSL certificate should be provided unencrypted in X.509 PEM format ("-----BEGIN CERTIFICATE-----").

  5. Please note that many Microsoft products (for example Active Directory Certificate Services) deliver certificates in PKCS#7 (.p7b) format.

    1. These certificates should be converted to X.509 PEM format before being installed.

    2. The conversion must be done on another system with OpenSSL or a similar tool; it is not available at the Vectra CLI.

  6. Install the issued certificate from the Brain CLI:

    1. The user is prompted to paste the certificate into an editor (nano), where the full certificate chain may be entered: the Brain's own certificate first, followed by any intermediate CA certificates in signing order.

    2. After pasting the data, press "CTRL+o" to write the certificate chain and press Enter (without changing "File Name to Write"), followed by "CTRL+x" to exit.
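The steps above leave two things to the customer: converting a PKCS#7 bundle to PEM, and pasting the chain in the right order. The following is an added example, not Vectra tooling, of a POSIX shell function that does both with OpenSSL: it accepts a PKCS#7 bundle in PEM or DER form (or a plain PEM file), picks the certificate whose public key matches the CSR the Brain produced, and follows the issuer links so that intermediates follow the leaf. The demo CA, subject names and file names are constructed for illustration.

```sh
#!/bin/sh
# Turn the bundle a CA returns into the leaf-first PEM chain that is pasted
# into the Brain's editor. Added example (not Vectra tooling); the demo CA,
# file names and subjects are constructed for illustration.
#
#   prepare_chain issued.p7b brain.csr chain.pem
prepare_chain() {
    in="$1"; csr="$2"; out="$3"
    work=$(mktemp -d)
    # PKCS#7 -> PEM: try PEM, then DER (Windows CA exports), else assume PEM certs
    openssl pkcs7 -in "$in" -print_certs -out "$work/all.pem" 2>/dev/null ||
    openssl pkcs7 -in "$in" -inform DER -print_certs -out "$work/all.pem" 2>/dev/null ||
    cp "$in" "$work/all.pem"
    # split into one file per certificate (c1.pem, c2.pem, ...)
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/c" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$work/all.pem"
    # the leaf is the certificate carrying the public key from the Brain's CSR
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || { rm -rf "$work"; return 1; }
    leaf=""
    for c in "$work"/c*.pem; do
        [ -f "$c" ] || continue
        if [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$csr_pub" ]; then leaf="$c"; fi
    done
    if [ -z "$leaf" ]; then
        echo "no certificate in $in matches the public key in $csr" >&2
        rm -rf "$work"; return 1
    fi
    # walk issuer -> subject links: leaf, then each intermediate; a self-signed
    # certificate (the root, if the CA included it) ends the chain
    : > "$out"
    cur="$leaf"
    while [ -n "$cur" ]; do
        cat "$cur" >> "$out"
        subj=$(openssl x509 -in "$cur" -noout -subject); subj=${subj#subject=}
        iss=$(openssl x509 -in "$cur" -noout -issuer);   iss=${iss#issuer=}
        next=""
        if [ "$subj" != "$iss" ]; then
            for c in "$work"/c*.pem; do
                s=$(openssl x509 -in "$c" -noout -subject); s=${s#subject=}
                if [ "$s" = "$iss" ]; then next="$c"; break; fi
            done
        fi
        cur="$next"
    done
    rm -rf "$work"
    echo "$(grep -c 'BEGIN CERTIFICATE' "$out") certificate(s) written to $out, leaf first"
}

# Constructed demo: a root CA, a CSR like the Brain's, a leaf signed by the
# root, and a PKCS#7 bundle with the root deliberately listed first.
#   make_demo_bundle dir
make_demo_bundle() {
    d="$1"
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
        -days 1 -subj "/CN=Demo Root CA"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/brain.key"
    openssl req -new -key "$d/brain.key" -subj "/CN=brain.example.com" -out "$d/brain.csr"
    openssl x509 -req -in "$d/brain.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/brain.pem"
    openssl crl2pkcs7 -nocrl -certfile "$d/root.pem" -certfile "$d/brain.pem" -out "$d/issued.p7b"
}

# Stand-alone usage: prepare_chain <bundle> <csr> <output.pem>
if [ "$#" -eq 3 ]; then prepare_chain "$1" "$2" "$3"; fi
```

The output file is what gets pasted into the nano editor in Step 6. Matching on the CSR's public key also catches the common mistake of pasting a certificate issued for a different key, for example one issued after the key was replaced with "certificate replace-key".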

Replacing Default Private Key

If you want to change the private key, or simply want a private key of a different length than the default, use the "certificate replace-key" command. Replacing the key invalidates the currently installed certificate, so after generating the new key follow the steps in Option 1 above again to request a new CSR and install the resulting certificate. This command is available in v9.1 and above.

If you still see an insecure connection while browsing the Vectra UI, please contact Vectra Support for further assistance.

Option 2 (Customer generates both a new private key and a new certificate)

Please Note: Vectra does not recommend that customers install a separately generated key onto the Brain appliance, because the private key then has to be transmitted to the Brain (pasted into the CLI session) before it can be installed, rather than never leaving the appliance. Instead, Vectra recommends using Option 1 above to generate a CSR on the Brain and install the resulting signed certificate.

  1. Generate a new private key and a signed certificate according to your requirements. You will need to provide the Country, State, Location, Organization, Organizational Unit, and Common Name for the certificate.

    1. The certificate should be an X.509 certificate in PEM format, and the private key an unencrypted PEM private key (no passphrase).

  2. Please note that many Microsoft products deliver certificates in PKCS#7 format.

    1. These certificates should be converted to X.509 PEM format before being installed.

  3. During certificate generation, include a SubjectAltName extension listing every hostname and, if you will access the appliance by IP address, that IP address. Modern browsers match only the SubjectAltName entries, not the Common Name.

  4. Install the certificate and key from the Brain CLI:

    1. The user is prompted to paste the certificate into an editor (nano).

      1. After pasting the data, press "CTRL+x", then "y" to write the certificate, and press "Enter" to save and quit.

    2. A second nano editor window opens where the private key can be pasted.

      1. After pasting the data, press "CTRL+x", then "y" to write the key, and press "Enter" to save and quit.
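If Option 2 is used anyway, the key and CSR are produced off-box, and the two things that most often go wrong are a missing SubjectAltName extension and a passphrase-protected key that the Brain cannot load. The following is an added example, not Vectra tooling: POSIX shell functions that generate the key and a CSR with DNS and IP SubjectAltName entries (OpenSSL 1.1.1 or newer, for "-addext"), print the SAN entries the CSR requests, and confirm that a key file is unencrypted PEM before it is pasted. The hostname, address, subject and file names are constructed.

```sh
#!/bin/sh
# Option 2 off-box preparation, as an added example (not Vectra tooling).
# Hostname, IP address, subject fields and file names are constructed.
#
#   make_key_and_csr brain.example.com 192.0.2.10 brain [bits]

make_key_and_csr() {
    host="$1"; ip="$2"; base="$3"; bits="${4:-4096}"
    # subshell so the restrictive umask (key readable by the owner only) does not leak
    ( umask 077; openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" -out "$base.key" )
    # -addext puts the SAN extension into the CSR; the CA must copy it into the certificate
    openssl req -new -key "$base.key" -out "$base.csr" \
        -subj "/C=US/ST=California/L=San Jose/O=Example Org/OU=Security/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip"
}

# Print the SAN entries requested in a CSR (empty output = no SAN extension).
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# The Brain expects an unencrypted PEM key: accept PKCS#8 or traditional
# RSA/EC headers, reject encrypted PKCS#8 and legacy "Proc-Type: 4,ENCRYPTED".
key_is_unencrypted() {
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" || grep -q 'Proc-Type: 4,ENCRYPTED' "$1"; then
        return 1
    fi
    grep -q -e 'BEGIN PRIVATE KEY' -e 'BEGIN RSA PRIVATE KEY' -e 'BEGIN EC PRIVATE KEY' "$1"
}

# Stand-alone usage: make_key_and_csr <host> <ip> <basename>
if [ "$#" -eq 3 ]; then
    make_key_and_csr "$1" "$2" "$3"
    echo "SAN requested: $(csr_sans "$3.csr")"
    key_is_unencrypted "$3.key" && echo "$3.key is unencrypted PEM, as the Brain requires"
fi
```

Check the SAN entries on the certificate the CA returns as well, not only on the CSR: some CAs drop or rewrite requested extensions, and an IP address that was stripped will produce a browser warning exactly as if it had never been requested.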
