Determining whether your certificate is internally signed or custom signed
Sometimes an internal certificate authority (CA) is not considered publicly trusted, that is, its certificate chain is not globally trusted. You must determine whether your certificate is internally signed or custom signed so that you can properly configure IBM® QRadar® Proxy. Then, you can obtain the correct certificate chain for the certificate and complete the connection configuration to IBM QRadar.
Procedure
- On the QRadar Console, run the following command. Replace 127.0.0.1:443 in the following example with the URL of your console.

      openssl s_client -showcerts -connect 127.0.0.1:443

- If the following response is returned, you are using an internally signed web certificate from the QRadar Root CA.

      CONNECTED(00000003)
      depth=2 CN = QRadar Local Root CA
      verify return:1
      depth=1 CN = QRadar Local CA
      verify return:1
      depth=0 CN = qradar-742-console.example.ibm.com
      verify return:1
      ---
      Certificate chain
       0 s:/CN=qradar-742-console.example.ibm.com
         i:/CN=QRadar Local CA

  Go to step 4.
- If the output does not indicate QRadar Local CA, such as the following example, you are using a custom signed certificate.

      CONNECTED(00000003)
      depth=1 DC = com, DC = middletown-ri, CN = middletown-ri-AD-SECURITY-CA
      verify return:1
      depth=0 C = US, ST = Isle of Rhode, L = Middletown, O = IBM, OU = Security, CN = qradar.example.com
      verify return:1
      ---
      Certificate chain
       0 s:/C=US/ST=Isle of Rhode/L=Middletown/O=IBM/OU=Security/CN=qradar.example.com
         i:/DC=com/DC=middletown-ri/CN=middletown-ri-AD-SECURITY-CA

  Go to step 5.
- If you're using the QRadar Local CA, complete the following steps to obtain the Root Certificate, Intermediate Certificate, and Apache Certificate, and then add them to QRadar Proxy.
  - Download the Root Certificate from http://<qradar_host_IP_address>:9381/vault-qrd_ca.pem.
  - Download the Intermediate Certificate from http://<qradar_host_IP_address>:9381/vault-qrd_ca_int.pem.
  - Download the Apache Certificate from the following directory on your QRadar console: /etc/httpd/conf/certs/cert.cert.
    Tip: For more information about using the Apache certificate in the certificate chain, see https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2.
  - From the QRadar Suite Software home page, go to Menu > Connections > QRadar Proxy.
  - In the IBM QRadar Certificate field, copy the certificates in the following order:
    - Apache certificate
    - Intermediate certificate
    - Root certificate
- If the certificate is a custom signed certificate that is not the QRadar Local CA, complete the following steps:
  - Obtain the Apache Certificate from the /etc/httpd/conf/certs/cert.cert file.
    Tip: For more information about using the Apache certificate in the certificate chain, see https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2.
  - Review the output of the openssl command in step 1. The Root CA typically doesn't sign the certificates, which results in intermediary certificate authorities. The following example shows a typical scenario:

        CONNECTED(00000003)
        depth=3 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-ROOTCA-CA
        verify return:1
        depth=2 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB1CA-CA
        verify return:1
        depth=1 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB2CA-CA
        verify return:1
        depth=0 C = US, ST = Isle of Rhode, L = Middletown, O = IBM, OU = Security, CN = qradarproxy.example.com
        verify return:1
        ---
        Certificate chain
         0 s:/C=US/ST=Isle of Rhode/L=Middletown/O=IBM/OU=Security/CN=qradarproxy.example.com
           i:/DC=com/DC=ibm/DC=us/DC=qradar/CN=qradar-QRADAR-SUB2CA-CA
        ----BEGIN CERTIFICATE----

    In the example, you can see the following certificate authorities and the associated chain:
    - qradar-QRADAR-SUB2CA-CA --> qradar-QRADAR-SUB1CA-CA --> qradar-QRADAR-ROOTCA-CA
    - qradar-QRADAR-SUB2CA-CA signed the Apache Certificate
  - Find your Root and Intermediate Certificates in the /etc/pki/ca-trust/source/anchors/<file_name>.crt file. You can also find your Root and Intermediate Certificates from their source.
  - From the IBM Security QRadar Suite Software home page, go to Menu > Connections > QRadar Proxy.
  - In the IBM QRadar Certificate field, copy the certificates that you found within the file identified in c) in the following order:
    - Apache Certificate
    - qradar-QRADAR-SUB2CA-CA certificate
    - qradar-QRADAR-SUB1CA-CA certificate
    - qradar-QRADAR-ROOTCA-CA certificate
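The check in steps 2 and 3 and the paste order in steps 4 and 5 can both be read mechanically from the openssl s_client output. The following shell functions are an added example, not IBM code; the names signing_type and paste_order are hypothetical, and the two sample outputs are constructed from the examples shown above.

```shell
# Added example, not IBM code. Sample outputs are constructed from the ones above.
sample_internal() { cat <<'EOF'
depth=2 CN = QRadar Local Root CA
verify return:1
depth=1 CN = QRadar Local CA
verify return:1
depth=0 CN = qradar-742-console.example.ibm.com
verify return:1
---
Certificate chain
 0 s:/CN=qradar-742-console.example.ibm.com
   i:/CN=QRadar Local CA
EOF
}
sample_custom() { cat <<'EOF'
depth=3 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-ROOTCA-CA
verify return:1
depth=2 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB1CA-CA
verify return:1
depth=1 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB2CA-CA
verify return:1
depth=0 C = US, ST = Isle of Rhode, L = Middletown, O = IBM, OU = Security, CN = qradarproxy.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Isle of Rhode/L=Middletown/O=IBM/OU=Security/CN=qradarproxy.example.com
   i:/DC=com/DC=ibm/DC=us/DC=qradar/CN=qradar-QRADAR-SUB2CA-CA
EOF
}
# Prints "internal" if certificate 0 was issued by the QRadar Local CA, else "custom".
signing_type() {
  issuer=$(awk '/^ *0 s:/ { getline; sub(/^ *i:/, ""); print; exit }')
  case "$issuer" in
    "") echo unknown ;;   # no chain in the input, e.g. the connection failed
    *"CN=QRadar Local CA"|*"CN = QRadar Local CA") echo internal ;;
    *) echo custom ;;
  esac
}
# Prints the chain by verify depth, lowest first: the order to paste into the proxy field.
paste_order() {
  awk '/^depth=[0-9]+ / { d = $1; sub(/^depth=/, "", d); d += 0
         cn = $0; sub(/.*CN ?= ?/, "", cn); name[d] = cn; seen = 1
         if (d > max) max = d }
       END { if (seen) for (i = 0; i <= max; i++) print i ": " name[i] }'
}
# Live use (the depth lines are written to stderr, hence 2>&1):
#   openssl s_client -showcerts -connect 127.0.0.1:443 </dev/null 2>&1 | paste_order
sample_custom | paste_order
```

Depth 0 is the Apache certificate and the highest depth is the root, so the printed list matches the order given in steps 4 and 5.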