Secure Downloading of Package Files with Tanium


As you build content for Tanium, specifically packages, you may find you need to add one or more files to a package. Often you want TLS to secure those files, and so you download them via HTTPS. If you're like me, your organization has its own certificate authority and signs its own website certificates. In that case you must give Tanium your CA certificate so that it can validate any of your web servers whose certificates are signed by this custom CA. This is extremely easy to do…

Certificate Chain

Tanium stores the authorized certificate chain in a subdirectory of the Tanium Server: \Program Files\Tanium\Tanium Server\Apache24\conf\installedcacert.crt

Tanium reserves the right to change this file as they see fit, so we copy it, add the text version of our company's CA to the copy, and save the copy to a new location.

For my “company”, Moran IT, our public certificate looks like this in text form:

Moran Certificate Authority
==========================
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The first two lines are just a marker. Simply copy/paste the certificate text above into the installedcacert.crt file and save it as \Program Files\Tanium\Tanium Server\Apache24\conf\mit-installedcacert.crt

If you have any issues getting a text version of your CA certificate, read up on reformatting a certificate: https://kb.tanium.com/Certificate_Management#Reformatting_a_Signed_Certificate
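One way to build and sanity-check the copied bundle before pointing Tanium at it, as an added example that is not from the original post or from Tanium. The function names and the sample data are assumptions, and the sample "certificates" are constructed minimal DER values, not real certificates. The check rejects PEM markers whose hyphens were turned into typographic dashes by copy/paste from a web page, unbalanced markers, and blocks that do not decode.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
# Dashes that web pages and word processors substitute for ASCII hyphens.
SMART_DASH_RE = re.compile(r"[\u2012-\u2015]+\s*(BEGIN|END) CERTIFICATE")

def pem_blocks(text):
    """Return the decoded bytes of every certificate block in a PEM bundle."""
    if SMART_DASH_RE.search(text):
        raise ValueError("PEM marker uses typographic dashes, not '-----'")
    begins = text.count("BEGIN CERTIFICATE")
    if begins != text.count("END CERTIFICATE"):
        raise ValueError("unbalanced BEGIN/END CERTIFICATE markers")
    ders = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # X.509 DER is an ASN.1 SEQUENCE
            raise ValueError("block does not decode to a DER SEQUENCE")
        ders.append(der)
    if len(ders) != begins:
        raise ValueError("a certificate marker is malformed")
    return ders

def append_ca(bundle_text, ca_pem, label):
    """Return bundle_text with ca_pem appended under a label, at most once."""
    existing, new = pem_blocks(bundle_text), pem_blocks(ca_pem)
    if len(new) != 1:
        raise ValueError("expected exactly one CA certificate")
    if new[0] in existing:
        return bundle_text  # already trusted, nothing to add
    marker = f"{label}\n{'=' * len(label)}\n"
    return bundle_text.rstrip("\n") + "\n\n" + marker + ca_pem.strip() + "\n"

def _pem(der):
    """Wrap bytes in PEM armor (used only to build the sample data)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed stand-ins, not real certificates: minimal DER SEQUENCEs.
STOCK_BUNDLE = "Example Root\n============\n" + _pem(b"\x30\x03\x02\x01\x01")
CUSTOM_CA = _pem(b"\x30\x03\x02\x01\x02")

if __name__ == "__main__":
    merged = append_ca(STOCK_BUNDLE, CUSTOM_CA, "Moran Certificate Authority")
    print(merged)
    print(len(pem_blocks(merged)), "certificates in the merged bundle")
```

In real use, pass the contents of installedcacert.crt and your CA's PEM text, and write the result to the new file rather than over the original.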

Modify Registry and Restart Services

Now we need to tell Tanium where our newly modified CA chain file is. Browse to HKLM\Software\Wow6432Node\Tanium\Tanium Server and edit the TrustedCertPath value by adding “mit-” to the beginning of the filename.

[Image: crt1]

Now we just need to restart the Tanium Server and Apache services to have our new certificate authority chain load.

Conclusion

The topic I just covered is detailed in the Troubleshooting_Packages KB article over in the Tanium KB, but I find a personal walkthrough can be helpful.

If you are using any packages that download files from files.danielheth.com, you will need to copy the certificate text above into your installedcacert.crt file to allow that download to happen properly. Otherwise you will always receive the “SSL cannot be verified…” error.

One last thing: you will likely need to add files.danielheth.com to your whitelisted URLs. This can be done in Console -> Administration -> Whitelisted URLs, then “Add New URL Expression” as follows:

[Image: crt2]
