Install private CA certificates
If your organization uses an internal Certificate Authority (CA) to sign certificates on servers hosting your internal services, you need to install a private CA certificate on your orchestrator’s virtual machine. This allows Rapid7 plugins to connect to your organization’s secure internal sites.
CA certificates are mapped from the host machine into running plugin containers. An interval timer proactively clones the host's CA certificate directory and bind mounts it directly into the plugin container. Certificates are converted to .crt format.
Convert certificate to PEM (base64) format
To import a CA certificate or a CA certificate chain into an orchestrator, you will need to convert the file to PEM (.pem, base64) format.
Certificate format
If your file is already in PEM format, skip this section and begin installing your CA certificate.
To convert a .p7b file to .pem, run the following command:
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
To convert a .der (binary) file to .pem, run the following command:
$ openssl x509 -inform der -in certificate.cer -out certificate.pem
Install a private CA certificate
You will need root access on your orchestrator’s virtual machine to install your CA certificate.
To install a private CA certificate:
- Open a terminal window.
- Check the hash sum of the main CA bundle. This returns the hash sum and path of the main CA bundle. You will check the updated hash against this value later.
  - For RHEL, run md5sum /etc/pki/tls/certs/ca-bundle.crt
  - For Ubuntu, run md5sum /etc/ssl/certs/ca-certificates.crt
- Rename the certificate file to use the .crt extension if the file is currently in .pem format. To do this, run mv myCAroot.pem myCAroot.crt
- Copy your CA root certificate.
  - For RHEL, run cp myCAroot.crt /etc/pki/ca-trust/source/anchors
  - For Ubuntu, run cp myCAroot.crt /usr/local/share/ca-certificates
- Update the trust chain.
  - For RHEL, run sudo update-ca-trust
  - For Ubuntu, run sudo update-ca-certificates
- Verify the main CA bundle was updated. If the bundle updated successfully, this returns a different hash than the value from the first md5sum command.
  - For RHEL, run md5sum /etc/pki/tls/certs/ca-bundle.crt
  - For Ubuntu, run md5sum /etc/ssl/certs/ca-certificates.crt
Enable CA bundle mirroring in your orchestrator configuration file
After installing your private CA certificates, enable CA bundle mirroring for your orchestrator:
- Connect to your orchestrator via SSH or virtual console and run orch-config. This opens the configuration file in the vim text editor.
- Enter edit mode by typing i. Remove the hash (#) marks at the beginning of the KOMAND_CA_CERT_MIRROR_DIR=/opt/rapid7/orchestrator/ca-cert-mirror and KOMAND_CA_CERT_MIRROR_ENABLED=true lines. Save the changes by pressing the Esc key, then typing :wq!
- Stop the orchestrator by running the command orch-stop.
- Clear out any old plugin containers by running sudo docker ps -aq | xargs sudo docker rm -f
- Restart the orchestrator with the command orch-start.
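The install, hash-verification and orch-config steps from both procedures above, assembled into shell functions. This is an added example, not Rapid7's own tooling; it assumes only the RHEL and Ubuntu paths and commands this page names, and install_private_ca must be run as root.

```shell
#!/bin/sh
# Added example (not Rapid7's tooling): this page's install, verification and
# config-edit steps as functions. Paths/commands are the RHEL/Ubuntu ones named.

# Print "<anchor dir> <bundle file> <update command>" for the distro named by
# ID= in an os-release file (default /etc/os-release); reject anything else.
ca_paths() {
  id=$(sed -n 's/^ID=//p' "${1:-/etc/os-release}" | tr -d '"')
  case "$id" in
    rhel)   echo "/etc/pki/ca-trust/source/anchors /etc/pki/tls/certs/ca-bundle.crt update-ca-trust" ;;
    ubuntu) echo "/usr/local/share/ca-certificates /etc/ssl/certs/ca-certificates.crt update-ca-certificates" ;;
    *)      echo "unsupported distro: '$id'" >&2; return 1 ;;
  esac
}

# md5 of a CA bundle: record it before the update and compare afterwards.
bundle_hash() { md5sum "$1" | cut -d' ' -f1; }

# Succeed only if the bundle differs from the recorded hash, i.e. the trust
# store update really took effect (the page's final md5sum check).
bundle_changed() { [ "$(bundle_hash "$1")" != "$2" ]; }

# Install a .pem CA root as .crt, update the trust chain and verify the bundle
# changed. Needs root. $2 optionally names an alternative os-release file.
install_private_ca() {
  pem="$1"
  paths=$(ca_paths "$2") || return 1
  set -- $paths
  before=$(bundle_hash "$2")
  cp "$pem" "$1/$(basename "$pem" .pem).crt" || return 1
  sudo "$3" || return 1
  bundle_changed "$2" "$before" || { echo "CA bundle unchanged after $3" >&2; return 1; }
}

# Uncomment the two KOMAND_CA_CERT_MIRROR_* lines in an orch-config file
# without opening vim. Idempotent: lines already active are left as they are.
enable_ca_mirror() {
  tmp=$(mktemp) || return 1
  sed -e 's|^#[[:space:]]*\(KOMAND_CA_CERT_MIRROR_DIR=/opt/rapid7/orchestrator/ca-cert-mirror\)|\1|' \
      -e 's|^#[[:space:]]*\(KOMAND_CA_CERT_MIRROR_ENABLED=true\)|\1|' "$1" > "$tmp" &&
  cat "$tmp" > "$1"
  rc=$?; rm -f "$tmp"; return $rc
}

# Succeed only if both mirror settings are active in the config.
ca_mirror_enabled() {
  grep -q '^KOMAND_CA_CERT_MIRROR_DIR=/opt/rapid7/orchestrator/ca-cert-mirror$' "$1" &&
  grep -q '^KOMAND_CA_CERT_MIRROR_ENABLED=true$' "$1"
}
```

The stop, container cleanup and start commands from the page (orch-stop, docker rm, orch-start) still have to be run after enable_ca_mirror for the change to take effect.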