Using your own SSL Certificate

Modified on: Thu, 3 Mar, 2022 at 8:51 AM

Many customers would like to replace our server certificates with their own certificates issued with the correct common name and using their company or commercial Certificate Authority (CA).


Note: This option is only to support SSL encryption of Transform runs using your own certificate. You will still be required to use the certificate provided by Maltego for accessing the admin portal.


There are two methods of achieving this which are both explained below.


The paths for the files that you need to overwrite are as defined in /etc/apache2/default-ssl.conf within the itdsapache docker container:

  1. /etc/ssl/private/server.crt
  2. /etc/ssl/private/server.key


You can overwrite the above files inside the running Docker container to change the certificate that is being used. However, anything changed inside a container is lost whenever a new container is created, so you would have to repeat this step every time an update replaces the Docker images.


Method 1: Long-term Solution

There is a longer-term option: use the Docker workflow itself to change the certificates, which also achieves two additional objectives:

  1. Document what changes we are making to the Docker containers
  2. Have the changes persist between updates


Building a custom Docker image that is based on our original image allows us to achieve this. The following example demonstrates the changes required for the iTDS server and assumes that you are in a directory containing the following files:

  1. Dockerfile: the new Dockerfile created below
  2. itds-custom.yml: an additional Docker Compose file that customizes the Docker setup
  3. internal_cert.crt: the certificate you want to use with the iTDS
  4. internal_cert.key: the private key belonging to that certificate


First we need to build a new Docker image that is based on our image and contains the custom certificate and its key.

We can do this by creating the following Dockerfile:


# Start from the Maltego iTDS Apache image
FROM registry.paterva.com/itdsapache:latest
# Switch to root so the files can be written and re-owned
USER root
# Copy your certificate and its private key into the image
COPY ./internal_cert.crt /usr/local/apache2/certificates/server.crt
COPY ./internal_cert.key /usr/local/apache2/certificates/server.key
# Hand ownership to the user Apache runs as
RUN chown -R www-data:www-data /usr/local/apache2/certificates/server.*
# Drop back to the unprivileged user the original image runs as
USER www-data


This creates a new Docker image based on our server image, with the new certificate and its key copied from the local directory into the image.


Next we need to change our Docker Compose setup to build from the local Dockerfile rather than using our image directly. Rather than editing itds.yml, we add a second compose file, following the guidelines outlined here.


Create a new Docker Compose file with the filename “itds-custom.yml” and the following contents:


version: '3'
services:
  # Must match the service name used for the Apache container in itds.yml
  itdsapache:
    # Build from the Dockerfile in the current directory instead of pulling the image
    build: .


This tells Docker Compose to build the itdsapache image from the Dockerfile in the local directory rather than pulling our image directly. Compose merges the two files by service name, so the service key here must be the same one used in itds.yml.


We can then run the server using our new certificate with the command:


docker-compose -f itds.yml -f itds-custom.yml up -d


This will build and start a new server using your certificate and its key for HTTPS connections. When you later replace the certificate files, run the same command with --build so that the image is rebuilt rather than reused.


Method 2: Temporary Solution

If rebuilding containers is not an option for you, you can replace the SSL certificates inside the running container.


Warning: This is a temporary solution that won’t survive an update; you will need to repeat these instructions after each update.


Log into the Server or VM that hosts the iTDS Docker Containers.


Prepare new certificate

Prepare a new certificate as per the requirements of your organization.


Log into the iTDS Apache container terminal

Start by obtaining the Container ID or Container Name.


docker ps


Sample output:


CONTAINER ID IMAGE ... NAMES
5d9eafbe811f registry.paterva.com/itdsphp:latest ... maltego_itdsphp_1
d0b626f099e1 registry.paterva.com/itdsapache:latest ... maltego_itdsapache_1
580b0af39534 registry.paterva.com/itdsdb:latest ... maltego_itdsdb_1



Identify the ‘CONTAINER ID’ for the ‘itdsapache’ instance and use the ‘exec’ argument of ‘docker’ to log into the container.

Replace the ID with the one from your instance:


sudo docker exec -it d0b626f099e1 bash


Sample output:


apache@d0b626f099e1:/#


Find the pre-installed SSL certificates:


sudo su
cd /etc/ssl/private/
ll


Sample output:


drwx------ 1 root root 4096 Oct 19 2018 ./
drwxr-xr-x 1 root root 4096 Oct 19 2018 ../
-rw-r--r-- 1 root root 1724 Oct 19 2018 CA.crt
-rw-r--r-- 1 root root 1196 Oct 19 2018 server.crt
-rw-r--r-- 1 root root 1704 Oct 19 2018 server.key


Rename the “server.crt” and “server.key” files to backups.


mv server.crt server.crt.bck
mv server.key server.key.bck
ll


Sample output:


drwx------ 1 root root 4096 Jul 9 07:19 ./
drwxr-xr-x 1 root root 4096 Oct 19 2018 ../
-rw-r--r-- 1 root root 1724 Oct 19 2018 CA.crt
-rw-r--r-- 1 root root 1196 Oct 19 2018 server.crt.bck
-rw-r--r-- 1 root root 1704 Oct 19 2018 server.key.bck


Exit the iTDS Apache container terminal:


exit


Copy the custom SSL certificates to the iTDS Apache container

Using the same Container ID or Container Name you used to log into the iTDS Apache container, copy the new certificate and key into the container:


sudo docker cp new_ssl.crt d0b626f099e1:/etc/ssl/private/server.crt
sudo docker cp new_ssl.key d0b626f099e1:/etc/ssl/private/server.key


Restart the iTDS Apache container

Restart the container, again using the same Container ID or Container Name, so that Apache loads the new files:


sudo docker restart d0b626f099e1

