Installing a new SSL certificate
By default, IBM QRadar is configured with a Security Sockets Layer (SSL) certificate that is signed by an internal CA. When you log in to the Console for the first time, you are prompted with a warning message that your connection is not secure or is not private. You can replace the SSL certificate with your own self-signed certificate, a private certificate authority (CA) signed certificate, or a public CA signed certificate.
Before you begin
You must have the following information:
- The newly signed SSLCertificateFile from either your internal CA, or a public one.
- The qradar.key private key to generate the Certificate Signing Request
(CSR) file.Restriction: A private key with a passphrase is not supported.To remove the passphrase from the certificate key, type the following command:
openssl rsa -in key-with-passphrase.key -out key-without-passphrase.key
- An intermediate certificate, if used by your certificate provider. Tip: If an intermediate certificate is used, run the install-ssl-cert.sh command with the
-i
flag to install both the new certificate and the intermediate certificate. When used, it prompts for three file paths:- SSLCertificateFile
- SSLIntermediateCertificateFile
- SSLCertificateKeyFile
The file specified as SSLIntermediateCertificateFile must contain the entire certificate chain, including the root CA and intermediate CA certificates.
openssl x509 -in <cert>.der -inform der -outform pem -out <cert>.pem
Procedure
Results
If the install-ssl-cert.sh script finished with the OK: Install SSL Cert Completed message, then the certificate was installed successfully. If you answered y (yes) to the prompt to reconfigure Apache, you don't need to do anything else. Otherwise, you must deploy the full configuration. On the navigation menu ( ), click Admin, then click .