# SSL certificate installation

## Applicability

In Quadrant UX (QUX) deployments, the Vectra User Interface (UI) is served locally from the Brain appliance. In Respond UX (RUX) deployments, the Vectra UI is served from the Vectra cloud.

This article only applies to QUX deployments where the customer has the option to use their own certificates to secure the Vectra UI. For RUX deployments, the certificate for the Vectra UI is fully managed by Vectra and cannot be changed by customers. If you are unsure of your deployment type, please see [Vectra Analyst User Experiences (Respond vs Quadrant)](https://docs.vectra.ai/deployment/getting-started/analyst-ux-options-rux-vs-qux).

## Introduction

By default, the Brain serves the Vectra UI over HTTPS (https://) with a self-signed certificate. Because no browser trusts that issuer, users see a certificate warning on every visit until the certificate is replaced.

The Brain's SSL certificate can be replaced with a customer-provided CA-signed certificate for encrypting user interface sessions to the Vectra UI. This certificate should be issued for the DNS hostname that users type into the browser to reach the appliance (and for its IP address, if users connect that way).

Starting in Vectra software version 9.1, the following requirements must be adhered to:

* The certificate must adhere to SSL CTX level 2, i.e. OpenSSL security level 2; the remaining points are consequences of that level.
* RSA, DSA and DH keys shorter than 2048 bits are prohibited.
* ECC keys and certificates are supported; at this level ECC keys shorter than 224 bits are prohibited.
* Certificates signed with MD5 or SHA-1 are rejected at this level, so request a SHA-256 (or stronger) signature for the server certificate and for any intermediate CA certificates in the chain.
* Cipher suites using MD5 for the MAC, and any cipher suite using RC4, are prohibited.
* SSLv3 is prohibited.

A new **"certificate info"** command was added in v9.1 to display the issuer, subject, validity period and public key size of the certificate currently installed on the HTTPS server. Use it after installation to confirm that the new certificate, not the self-signed default, is in place.

Example:

```language-markup
vscli > certificate info
Issuer: C = US, ST = California, L = San Jose, O = "Vectra Networks, Inc", emailAddress = security@vectranetworks.com, CN = vectra, keyUsage = "critical, digitalSignature, keyEncipherment", extendedKeyUsage = "critical, serverAuth"
Validity
Not Before: Feb  5 21:58:57 2025 GMT
Not After : Jan 31 21:58:57 2045 GMT
Subject: C = US, ST = California, L = San Jose, O = "Vectra Networks, Inc", emailAddress = security@vectranetworks.com, CN = vectra, keyUsage = "critical, digitalSignature, keyEncipherment", extendedKeyUsage = "critical, serverAuth"
RSA Public-Key: (2048 bit)
```

Customers have two options for installing the certificate. Option 1 keeps the private key on the appliance and is the recommended one.

## Option 1 (Recommended)

In this option, customers use the command line interface (CLI) of the Brain to generate a CSR and then install the certificate received from the CA (Certificate Authority).

* When using this option the private key is generated on the Brain appliance and never leaves it; only the CSR and the signed certificate are transferred.
  * It is always an RSA key and defaults to 4096 bits in length.
  * The default private key can be replaced, and the key length can be chosen by the customer as 2048, 4096 or 8192 bits (see **"Replacing Default Private Key"** below).
* A **video example** of this process is available here:
  * <https://www.youtube.com/watch?v=US-o4JrKT_E>

As the steps below show, at the CLI you can simply enter **"certificate request https"** and answer the prompts to complete a request.

* You do not need to construct a fully formatted command with all options specified as in the example in Step 2; anything you leave out is prompted for.

#### **Please use the following steps:**

1. Login to the CLI of your Brain appliance with the **"vectra"** user.
   1. Please see [Console access on Vectra appliances](https://docs.vectra.ai/deployment/appliance-operations/console-access-on-appliances) if you need guidance on how to reach the CLI.
   2. Please see [Default username and passwords for Vectra appliances](https://docs.vectra.ai/deployment/getting-started/default-usernames-and-passwords) if you don't know the password for the **"vectra"** user.
2. Generate a new CSR (Certificate Signing Request) using the command:

```language-markup
certificate request https --country <country-code> --state <state-name> --location <location-name> --org <organization-name> --orgunit <organization-unit> --cn <common-name>
```

Example:

```language-markup
certificate request https --country US --state TEXAS --location AUSTIN --org "VECTRA AI" --orgunit SUPPORT --cn mytestmachine.vectra.ai
```

   1. The country field requires the two-letter country code, e.g. US for the United States of America, DE for Germany.
   2. Any parameters not provided on the command line are prompted for.
   3. The final prompt is for the alternate names of this appliance.
      1. Populate this field with a space-separated list, enclosed in quotes, of every hostname and IP address that users will type into the browser to reach the appliance (fully qualified name, short name and IP address).
      2. These entries are added to the CSR in the SubjectAltName field. Browsers validate the name in the URL against SubjectAltName rather than the Common Name, so the Common Name should be repeated here.
3. Submit the generated CSR to your CA (Certificate Authority).
   1. The issued SSL certificate should be provided unencrypted in X.509 PEM format.
4. Please note that many Microsoft products generate certificates in PKCS#7 format.
   1. These certificates should be converted to X.509 PEM format before being installed.
   2. This can be done (from another system; the command is not available at the Vectra CLI) with:

```language-markup
openssl pkcs7 -print_certs -in CERTNAME.p7b -out CERTNAME.pem
```

5. Install the provided certificate using the command:

```language-markup
certificate add https
```

   1. You are prompted to paste the certificate into an editor (nano). Paste the full certificate chain: the server certificate first, followed by any intermediate CA certificates, each as a complete PEM block.
   2. After pasting the data, press **"CTRL+o"** to write the certificate chain and press Enter (without changing File Name to Write), followed by **"CTRL+x"** to exit.
   3. Run **"certificate info"** to confirm that the issuer, validity dates and key size now match the certificate you installed.

#### **Replacing Default Private Key**

If you want to change the private key, or simply create one of a different length than the default, use the **"certificate replace-key"** command. This command is available in v9.1 and above. Replacing the key also discards the installed certificate and puts a self-signed certificate back on the HTTPS server (the command warns about this, as the example shows), so browsers will warn again until you repeat the steps in Option 1 to request a new CSR and install the resulting signed certificate. The previous certificate cannot be reused because it was issued for the old key.

Example:

```language-markup
vscli > certificate replace-key
Key size in bits (2048, 4096, 8192) [4096]: 8192
Days the certificate is valid for: 15
This will replace the current private key and certificate for the HTTPS web server. This will cause the HTTPS server to have a self-signed certificate.
Are you sure you want to proceed? (y/n): y

Replace: success
```

**If you still see an insecure connection while browsing the Vectra UI, please contact Vectra Support at** [**support@vectra.ai**](mailto:support@vectra.ai) **for further assistance.**

## Option 2 (Customer generates both a new private key and a new certificate)

**Please Note:** Vectra does not recommend that customers install a separately generated key onto the Brain appliance, because the private key then has to be transmitted electronically to the Brain before installation, so a copy exists outside the appliance and is exposed in transit. Instead, Vectra recommends using Option 1 above to generate a CSR and install the resulting signed certificate.

1. Generate a new private key and a signed certificate according to your requirements. You will need to provide the Country, State, Location, Organization, Organizational Unit, and Common Name for the certificate.
   1. The certificate should be provided as an X.509 certificate in PEM format and the key as an unencrypted (passphrase-free) PEM private key.
2. Please note that many Microsoft products generate certificates in PKCS#7 format.
   1. These certificates should be converted to X.509 PEM format before being installed (see the **"openssl pkcs7"** command in Option 1).
3. During certificate generation, include the **SubjectAltName** field listing the appliance hostname, and also its IP address if you wish to access the appliance by IP address.
4. Install the provided certificate and key using the command:

```language-markup
certificate add https --replace-key
```

   1. You are prompted to paste the certificate into an editor (nano).
      1. After pasting the data, press **"CTRL+x"**, then **"y"** to write the certificate, and press **"Enter"** to save and quit.
   2. A second nano editor window opens where the private key can be pasted.
      1. After pasting the data, press **"CTRL+x"**, then **"y"** to write the key, and press **"Enter"** to save and quit.
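Before pasting anything into **"certificate add https"** (Option 1) or **"certificate add https --replace-key"** (Option 2), it is worth checking on a workstation that the file you received actually meets the v9.1 requirements listed above and names the appliance correctly; a bad paste leaves the UI on the self-signed certificate and you only find out in the browser. The script below is an added example, not part of this article or of the Vectra CLI. It needs only a POSIX shell and the openssl command-line tool (1.1.1 or newer). The check_cert function inspects the first certificate in the file (the server certificate, which must come first in the chain) for PEM encoding, key size against the level 2 minimums, signature algorithm, expiry, and the appliance hostname in SubjectAltName, and for Option 2 also checks that the certificate matches the supplied private key. The make_test_cert helper builds self-signed stand-ins so the script runs offline; the hostname brain.example.com, the address 10.0.0.5 and the generated files are constructed test data, and its openssl req invocation is also the form you would use in Option 2 to put the hostname and IP address into SubjectAltName.

```shell
#!/bin/sh
# Pre-flight checks for a certificate destined for "certificate add https".
# Added example, not Vectra's code. Needs only a POSIX shell and the openssl CLI
# (1.1.1 or newer). Hostnames, addresses and files below are constructed test data.
set -u

# check_cert PEMFILE HOSTNAME [KEYFILE]
# Returns 0 when the first certificate in PEMFILE is usable on the Brain for
# HOSTNAME; otherwise prints the first failing check and returns 1.
# KEYFILE is only needed for Option 2, where the customer supplies the key too.
check_cert() {
    pem=$1 host=$2 key=${3:-}

    # Must be an unencrypted X.509 PEM file. A PKCS#7 (.p7b) bundle fails here;
    # convert it first with "openssl pkcs7 -print_certs".
    openssl x509 -in "$pem" -noout 2>/dev/null \
        || { echo "FAIL: $pem is not an X.509 PEM certificate"; return 1; }

    # "openssl x509" only reads the first certificate, so every check below is
    # against the leaf: the server certificate must be first in the pasted chain.
    text=$(openssl x509 -in "$pem" -noout -text)

    # OpenSSL security level 2: RSA/DSA/DH keys >= 2048 bits, ECC keys >= 224 bits.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$text" in
        *id-ecPublicKey*) min=224 ;;
        *)                min=2048 ;;
    esac
    [ "${bits:-0}" -ge "$min" ] \
        || { echo "FAIL: public key is ${bits:-?} bits, level 2 needs at least $min"; return 1; }

    # Level 2 also rejects certificates signed with MD5 or SHA-1.
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -n 1)
    case "$sig" in
        *md5*|*MD5*|*sha1*|*SHA1*) echo "FAIL: weak signature algorithm $sig"; return 1 ;;
    esac

    # Still valid: -checkend exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; return 1; }

    # Browsers match the URL against SubjectAltName, not the Common Name.
    san=$(printf '%s\n' "$text" | awk '/Subject Alternative Name/ { getline; print; exit }')
    case "$san" in
        *"DNS:$host,"*|*"DNS:$host") ;;
        *) echo "FAIL: $host is not in SubjectAltName (${san:-none})"; return 1 ;;
    esac

    # Option 2 only: the certificate's public key must match the private key.
    if [ -n "$key" ]; then
        cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
            || { echo "FAIL: $key is not an unencrypted PEM private key"; return 1; }
        [ "$cert_pub" = "$key_pub" ] \
            || { echo "FAIL: certificate public key does not match $key"; return 1; }
    fi

    echo "OK: $pem is usable for https://$host/"
}

# make_test_cert DIR NAME KEYSPEC CN SAN
# Builds a self-signed stand-in for a CA-issued certificate (constructed test
# data). KEYSPEC is an "openssl req -newkey" argument such as rsa:2048 or ec.
# The same -subj/-addext invocation generates an Option 2 key and certificate
# with the hostname and IP address in SubjectAltName.
make_test_cert() {
    dir=$1 name=$2 keyspec=$3 cn=$4 san=$5
    curve=""
    if [ "$keyspec" = ec ]; then
        curve="-pkeyopt ec_paramgen_curve:prime256v1"
    fi
    # $curve is intentionally left unquoted so that it word-splits into two arguments.
    openssl req -x509 -newkey "$keyspec" $curve -nodes -sha256 -days 30 \
        -subj "/C=US/ST=TEXAS/L=AUSTIN/O=VECTRA AI/OU=SUPPORT/CN=$cn" \
        -addext "subjectAltName=$san" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# Demonstration: a compliant RSA certificate and a 1024-bit one the Brain would
# reject, built in a scratch directory that is removed afterwards.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" good rsa:2048 brain.example.com "DNS:brain.example.com,DNS:brain,IP:10.0.0.5"
make_test_cert "$demo_dir" weak rsa:1024 brain.example.com "DNS:brain.example.com"
check_cert "$demo_dir/good.pem" brain.example.com "$demo_dir/good.key"   # OK
check_cert "$demo_dir/weak.pem" brain.example.com                        # FAIL: 1024-bit key
check_cert "$demo_dir/good.pem" other.example.com                        # FAIL: not in SubjectAltName
rm -rf "$demo_dir"
```

Run it against the file you intend to paste, e.g. check_cert CERTNAME.pem mytestmachine.vectra.ai, adding the key file as a third argument for Option 2. The SubjectAltName check is the one that most often fails in practice: a certificate whose only name is in the Common Name will install without error but browsers will still reject it. After installation, confirm from a client with openssl s_client -connect and -servername set to the appliance hostname that the chain presented is the one you pasted and that the verify return code is 0.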
