Skip to content

SSL Configuration#

Connect TheHive using HTTPS#

It is recommended to set up a reverse proxy, such as Nginx, to manage the SSL layer for TheHive.

For detailed instructions on configuring HTTPS servers with Nginx, refer to the Nginx documentation

server {
  listen 443 ssl http2;
  server_name thehive;

  ssl on;
  ssl_certificate       /path-to/thehive-server-chained-cert.pem;
  ssl_certificate_key   /path-to/thehive-server-key.pem;

  proxy_connect_timeout   600;
  proxy_send_timeout      600;
  proxy_read_timeout      600;
  send_timeout            600;
  client_max_body_size    2G;
  proxy_buffering off;
  client_header_buffer_size 8k;

  location / {
    add_header              Strict-Transport-Security "max-age=31536000; includeSubDomains";
    proxy_pass    ;
    proxy_http_version      1.1;

Client Configuration#

SSL configuration settings may be necessary to connect remote services. Below are the parameters that can be defined:

Parameter Type Description
wsConfig.ssl.keyManager.stores list Stores client certificates (see #certificate-manager )
wsConfig.ssl.trustManager.stores list Stores custom Certificate Authorities (see #certificate-manager
wsConfig.ssl.protocol string Defines a different default protocol (see #protocols)
wsConfig.ssl.enabledProtocols list List of enabled protocols (see #protocols)
wsConfig.ssl.enabledCipherSuites list List of enabled cipher suites (see #ciphers)
wsConfig.ssl.loose.acceptAnyCertificate boolean Accept any certificates true / false


Certificate Manager#

The certificate manager is used to store client certificates and certificate authorities.


Using Custom Certificate Authorities#

The preferred method for using custom Certificate Authorities is to use the system configuration.

Ensure the ca-certificates-java package is installed, copy the CA certificate to the appropriate folder, then reconfigure certificates and restart TheHive service.

apt-get install -y ca-certificates-java
mkdir /usr/share/ca-certificates/extra
cp mycustomcert.crt /usr/share/ca-certificates/extra
dpkg-reconfigure ca-certificates
service thehive restart

Copy the CA certificate to the correct folder, update CA trust, and restart TheHive service.

cp mycustomcert.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust 
service thehive restart

An alternative approach is to use dedicated trust stores, although this is not the recommended option. Use the trustManager key in TheHive configuration to establish secure connections with remote hosts. Ensure that server certificates are signed by trusted certificate authorities.

  wsConfig.ssl.trustManager {
    stores = [
        type = "JKS" // JKS or PEM
        path = "keystore.jks"
        password = "password1"


Client Certificates#

The keyManager parameter specifies which certificate the HTTP client can use for authentication on remote hosts when certificate-based authentication is required.

  wsConfig.ssl.keyManager {
    stores = [
        type = "pkcs12" // JKS or PEM
        path = "mycert.p12"
        password = "password1"



To define a different default protocol use the following configuration:

wsConfig.ssl.protocol = "TLSv1.2"

To define a list of enabled protocols, use the following configuration:

wsConfig.ssl.enabledProtocols = ["TLSv1.2", "TLSv1.1", "TLSv1"]


Advanced Options#


Configure cipher suites using wsConfig.ssl.enabledCipherSuites:

wsConfig.ssl.enabledCipherSuites = [



Enable debugging flags to troubleshoot key managers and trust managers:

  wsConfig.ssl.debug = {
    ssl = true
    trustmanager = true
    keymanager = true
    sslctx = true
    handshake = true
    verbose = true
    data = true
    certpath = true