Certificates

To connect to the Resilient platform when it does not present a TLS certificate that your machine already trusts, you must provide the server’s certificate in a file (such as “cacerts.pem”). The quickest way to obtain it is with either the openssl or the Java keytool command-line utility.

Using openssl to create the cacerts.pem file (using Linux or Mac OS). Note that the -tls1 option forces TLS 1.0; if the server rejects that protocol version, omit the option and let openssl negotiate the version:

openssl s_client -connect SERVER:443 -showcerts -tls1 < /dev/null > cacerts.pem 2> /dev/null

Using keytool to create the cacerts.pem file (Linux, Mac OS or Windows):

keytool -printcert -rfc -sslserver SERVER:443 > cacerts.pem

When connecting to a Resilient platform with the Python libraries, the hostname you specify must exactly match the name in the server certificate. If there is a mismatch, the permanent solution is to either change your DNS server or change the server certificate so that it matches. It is also possible to modify your hosts file temporarily, but that is not a permanent solution.

Configuration File Settings

When using the Resilient Python API modules, your configuration file (app.config) typically contains this section:

# If your Resilient server uses a self-signed TLS certificate, or some
# other certificate that is not automatically trusted by your machine,
# you need to explicitly tell the Python scripts that it should be trusted.
# To explicitly trust a site, download its certificate to a file, e.g:
#    mkdir -p ~/resilient/
#    openssl s_client -connect resilient.example.com:443 -showcerts < /dev/null 2> /dev/null | openssl x509 -outform PEM > ~/resilient/cert.cer
# then specify the file (remove the '#' from the line below):
#cafile=

Set the value of ‘cafile’ to the full path to your certificate file. For example:

cafile=/home/integration/.resilient/cacerts.pem

Sometimes, for example in an isolated test environment, you want to completely disable certificate verification. With verification disabled the scripts no longer check which server they are talking to, so this setting has no place in a production configuration. It is possible by setting:

cafile=false
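The following is an added example (not part of the Resilient Python modules or this page) showing how the three forms of the cafile setting map onto a verify value, and how to isolate the certificate blocks from the openssl s_client output captured above into a clean bundle. The app.config text and the s_client transcript are constructed for the example; the PEM blocks are placeholders, not real certificates, and the assumption that the Resilient modules pass cafile through as a requests-style verify value is labelled in the code.

```python
import base64
import configparser
import re
from pathlib import Path
from typing import List, Union

# Constructed app.config text for this example (not a file from the page).
SAMPLE_CONFIG = """
[resilient]
host=resilient.example.com
port=443
cafile=/home/integration/.resilient/cacerts.pem
"""


def _fake_pem(label: str) -> str:
    # Constructed placeholder block: base64 of a short string, NOT a real certificate.
    body = base64.encodebytes(
        f"constructed placeholder, not a certificate: {label}".encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed imitation of 'openssl s_client -showcerts' output: handshake chatter
# surrounds the PEM blocks, and the chain carries the leaf plus one intermediate.
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=1 CN = Constructed Intermediate CA\n"
    "verify error:num=20:unable to get local issuer certificate\n"
    "verify return:0\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:CN = resilient.example.com\n"
    "   i:CN = Constructed Intermediate CA\n"
    + _fake_pem("leaf")
    + " 1 s:CN = Constructed Intermediate CA\n"
    "   i:CN = Constructed Root CA\n"
    + _fake_pem("intermediate")
    + "---\n"
    "Server certificate\n"
    "subject=CN = resilient.example.com\n"
    "---\n"
    "SSL handshake has read 2345 bytes and written 456 bytes\n"
    "DONE\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n.+?-----END CERTIFICATE-----\n", re.DOTALL)


def verify_setting(config_text: str) -> Union[bool, str]:
    """Map the [resilient] 'cafile' setting onto a requests-style 'verify' value.

    This mirrors how the requests library interprets 'verify'; that the Resilient
    modules pass cafile through the same way is an assumption of this example.
      * no cafile          -> True   (use the machine's default trust store)
      * cafile=false       -> False  (no certificate checking at all)
      * cafile=/some/path  -> that path, which becomes the only trusted bundle
    """
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    value = parser.get("resilient", "cafile", fallback="").strip()
    if not value:
        return True
    if value.lower() == "false":
        return False
    return str(Path(value).expanduser())


def extract_pem_certificates(s_client_output: str) -> List[str]:
    """Return only the PEM certificate blocks from 'openssl s_client -showcerts' output.

    OpenSSL tolerates the surrounding chatter when loading a cafile, but isolating
    the blocks lets you count them and write a clean bundle.
    """
    return PEM_BLOCK.findall(s_client_output)


def write_bundle(s_client_output: str, path: Path) -> int:
    """Write a cacerts.pem holding just the certificate blocks; return how many."""
    blocks = extract_pem_certificates(s_client_output)
    path.write_text("".join(blocks))
    return len(blocks)


if __name__ == "__main__":
    print("verify =", verify_setting(SAMPLE_CONFIG))
    count = len(extract_pem_certificates(SAMPLE_S_CLIENT_OUTPUT))
    print(f"{count} certificate(s) in the captured chain")
    if count == 1:
        print("only the server certificate was sent; the intermediate may be missing")
```

A chain count of one for a CA-issued certificate is the early sign that the server is not sending its intermediate, which is the situation the next section deals with.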

Intermediate Certificates

If the server has a CA-issued certificate, the chain it presents might not include the intermediate CA certificate at all. This causes the connection from Python to fail, because the Python requests library (and the OpenSSL library beneath it) does not automatically fetch the missing links of the certificate chain.

The cert-chain-resolver.py Python script here can often fetch these intermediate certificates, using the AIA (Authority Information Access) extension that is embedded within the certificates.

$ openssl s_client -connect google.com:443 -showcerts -tls1 < /dev/null | openssl x509 > SERVER.pem
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE

$ python cert-chain-resolver.py -i SERVER.pem -o INTERMEDIATE.pem
0: *.google.com
1: Google Internet Authority G2
1 certificate(s) found.

$ openssl x509 -text < INTERMEDIATE.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:00:21:25:88:b0:fa:59:a7:77:ef:05:7b:66:27:df
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Validity
            Not Before: May 22 11:32:37 2017 GMT
            Not After : Dec 31 23:59:59 2018 GMT
        Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
        (etc)
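To show how an AIA walk like the one above works, here is an added example that is not the cert-chain-resolver.py script from the page and not part of the Resilient libraries. It reads the "CA Issuers - URI" pointer out of the text that the openssl CLI prints for a certificate, fetches the certificate the pointer names, and repeats until it reaches a self-signed root or a certificate without a pointer. The live path assumes the openssl binary is on the PATH and that the AIA URLs are reachable; the offline fixture (the .invalid URLs, the placeholder DER bytes and the imitation x509 text) is constructed for the example and contains no real certificates.

```python
import re
import ssl
import subprocess
import urllib.request
from typing import Callable, List

# Patterns over the text form printed by 'openssl x509 -noout -text'.
CA_ISSUERS = re.compile(r"CA Issuers - URI:(\S+)")
SUBJECT = re.compile(r"^\s*Subject: (.*)$", re.MULTILINE)
ISSUER = re.compile(r"^\s*Issuer: (.*)$", re.MULTILINE)


def describe_with_openssl(pem: str) -> str:
    """Live 'describe' step: have the openssl CLI print the certificate as text."""
    return subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=pem, capture_output=True, text=True, check=True).stdout


def fetch_with_urllib(url: str) -> bytes:
    """Live 'fetch' step: download whatever the AIA caIssuers URL serves."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def to_pem(data: bytes) -> str:
    """AIA URLs usually serve DER, occasionally PEM; normalise to PEM text."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def is_self_signed(text: str) -> bool:
    """Subject equal to Issuer marks a root; roots belong in the trust store,
    not in the intermediate bundle."""
    s, i = SUBJECT.search(text), ISSUER.search(text)
    return bool(s and i and s.group(1).strip() == i.group(1).strip())


def resolve_chain(leaf_pem: str,
                  fetch: Callable[[str], bytes] = fetch_with_urllib,
                  describe: Callable[[str], str] = describe_with_openssl,
                  max_depth: int = 5) -> List[str]:
    """Follow 'CA Issuers' pointers upward from the leaf; return the intermediates found."""
    intermediates: List[str] = []
    text = describe(leaf_pem)
    for _ in range(max_depth):            # bound the walk in case of a pointer loop
        match = CA_ISSUERS.search(text)
        if not match:
            break                         # no AIA pointer: nothing more to fetch
        candidate = to_pem(fetch(match.group(1)))
        text = describe(candidate)
        if is_self_signed(text):
            break                         # reached the root: stop here
        intermediates.append(candidate)
    return intermediates


# ---- constructed offline fixture: placeholder bytes, no real certificates ----
def _text(subject: str, issuer: str, aia: str = "") -> str:
    # Imitates the layout of 'openssl x509 -text' closely enough for the patterns above.
    lines = ["Certificate:", "    Data:", f"        Issuer: {issuer}",
             f"        Subject: {subject}"]
    if aia:
        lines += ["        X509v3 extensions:",
                  "            Authority Information Access: ",
                  f"                CA Issuers - URI:{aia}"]
    return "\n".join(lines) + "\n"


FAKE_DER = {name: f"constructed DER placeholder: {name}".encode()
            for name in ("leaf", "intermediate", "root")}
FAKE_URL = {"http://pki.example.invalid/intermediate.cer": FAKE_DER["intermediate"],
            "http://pki.example.invalid/root.cer": FAKE_DER["root"]}
FAKE_TEXT = {
    FAKE_DER["leaf"]: _text("CN=resilient.example.com", "CN=Constructed Intermediate CA",
                            "http://pki.example.invalid/intermediate.cer"),
    FAKE_DER["intermediate"]: _text("CN=Constructed Intermediate CA", "CN=Constructed Root CA",
                                    "http://pki.example.invalid/root.cer"),
    FAKE_DER["root"]: _text("CN=Constructed Root CA", "CN=Constructed Root CA"),
}


def fake_fetch(url: str) -> bytes:
    return FAKE_URL[url]


def fake_describe(pem: str) -> str:
    return FAKE_TEXT[ssl.PEM_cert_to_DER_cert(pem)]


def demo_offline() -> List[str]:
    """Run the resolver over the constructed fixture; returns the intermediate PEMs."""
    return resolve_chain(to_pem(FAKE_DER["leaf"]), fetch=fake_fetch, describe=fake_describe)


if __name__ == "__main__":
    for n, pem in enumerate(demo_offline(), start=1):
        print(f"{n}: {SUBJECT.search(fake_describe(pem)).group(1)}")
    print(f"{len(demo_offline())} certificate(s) found.")
```

For a real server, pass the SERVER.pem text to resolve_chain with the default fetch and describe arguments and write the returned blocks after the server certificate into the bundle named by cafile. The walk deliberately leaves the self-signed root out, since a root that is not already in the trust store should be added there on purpose rather than silently accepted because a URL in the leaf pointed at it.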