Skip to content

Configure SSL#

Connect TheHive using HTTPS#

We recommend using a reverse proxy to manage SSL layer; for Example, Nginx.

Reference: Configuring HTTPS servers on

server {
  listen 443 ssl http2;
  server_name thehive;

  ssl on;
  ssl_certificate       path-to/thehive-server-chained-cert.pem;
  ssl_certificate_key   path-to/thehive-server-key.pem;

  proxy_connect_timeout   600;
  proxy_send_timeout      600;
  proxy_read_timeout      600;
  send_timeout            600;
  client_max_body_size    2G;
  proxy_buffering off;
  client_header_buffer_size 8k;

  location / {
    add_header              Strict-Transport-Security "max-age=31536000; includeSubDomains";
    proxy_pass    ;
    proxy_http_version      1.1;

Client configuration#

SSL configuration might be required to connect remote services. Following parameters can be defined:

Parameter Type Description
wsConfig.ssl.keyManager.stores list Stores client certificates (see #certificate-manager )
wsConfig.ssl.trustManager.stores list Stored custom Certificate Authorities (see #certificate-manager
wsConfig.ssl.protocol string Defines a different default protocol (see #protocols)
wsConfig.ssl.enabledProtocols list List of enabled protocols (see #protocols)
wsConfig.ssl.enabledCipherSuites list List of enabled cipher suites (see #ciphers)
wsConfig.ssl.loose.acceptAnyCertificate boolean Accept any certificates true / false

Certificate manager#

Certificate manager is used to store client certificates and certificate authorities.

Use custom Certificate Authorities#

The prefered way to use custom Certificate Authorities is to use the system configuration.

If setting up a custom Certificate Authority (to connect web proxies, remote services like LPAPS server ...) is required globally in the application, the better solution consists of installing it on the OS and restarting TheHive.

Ensure the package ca-certificates-java is installed , and copy the CA certificate in the right folder. Then run dpkg-reconfigure ca-certificates and restart TheHive service.

apt-get install -y ca-certificates-java
mkdir /usr/share/ca-certificates/extra
cp mycustomcert.crt /usr/share/ca-certificates/extra
dpkg-reconfigure ca-certificates
service thehive restart

No additionnal packages is required on Fedora or RHEL. Copy the CA certificate in the right folder, run update-ca-trust and restart TheHive service.

cp mycustomcert.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust 
service thehive restart

An alternative way is to use a dedicated trust stores ; but this is NOT the prefered option. Use the trustManager key in TheHive configuration. It is used to establish a secure connection with remote host. Server certificate must be signed by a trusted certificate authority.

  wsConfig.ssl.trustManager {
    stores = [
        type = "JKS" // JKS or PEM
        path = "keystore.jks"
        password = "password1"

Client certificates#

keyManager indicates which certificate HTTP client can use to authenticate itself on remote host (when certificate based authentication is used)

  wsConfig.ssl.keyManager {
    stores = [
        type = "pkcs12" // JKS or PEM
        path = "mycert.p12"
        password = "password1"


If you want to define a different default protocol, you can set it specifically in the client:

wsConfig.ssl.protocol = "TLSv1.2"

If you want to define the list of enabled protocols, you can do so by providing a list explicitly:

wsConfig.ssl.enabledProtocols = ["TLSv1.2", "TLSv1.1", "TLSv1"]

Advanced options#


Cipher suites can be configured using wsConfig.ssl.enabledCipherSuites:

wsConfig.ssl.enabledCipherSuites = [


To debug the key manager / trust manager, set the following flags:

  wsConfig.ssl.debug = {
    ssl = true
    trustmanager = true
    keymanager = true
    sslctx = true
    handshake = true
    verbose = true
    data = true
    certpath = true