Certificate lifecycle and configuration
This topic describes the configuration of the certificates used to sign QRadar backups.
Certificate configuration parameters
| Certificate types | Default validity |
|---|---|
| CA certificate | 2 years (730 days) |
| Signer certificate | 1 year (365 days) |
For versions up to QRadar 7.5.0 UP15 IF01, the configuration file is /opt/qradar/bin/backupsign_sample.properties.
Starting from QRadar 7.5.0 UP15 IF02, the file is /opt/qradar/conf/backup-config/backupsign_sample.properties.
The following properties in the backupsign_sample.properties file are configurable and can be modified within the constraints listed below.
- CA_cert_rotation_period
- Signer_cert_rotation_period
Constraints:
- Either value can be set greater than the default validity period, based on organizational security requirements.
- Neither value may be set less than its default value.
- The signer certificate rotation period must always be shorter than the CA certificate rotation period.
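As an added example (not part of the IBM documentation or the product), the following shell check reads the two rotation-period properties from a backupsign_sample.properties file and reports any violation of the three constraints above. The helper names and the file path argument are assumptions; the property names, paths and default values are taken from this page.

```shell
#!/bin/sh
# Added example (not IBM's code): check that the rotation periods in a
# backupsign_sample.properties file satisfy the documented constraints.
# Property names and defaults are from the page; helper names are assumed.

CA_DEFAULT_DAYS=730        # default CA certificate validity (2 years)
SIGNER_DEFAULT_DAYS=365    # default signer certificate validity (1 year)

# get_prop FILE KEY: print the value of KEY from a key=value properties file,
# ignoring '#' comment lines and whitespace around the key and value.
get_prop() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == key) { v = $2; gsub(/[[:space:]]/, "", v); print v; exit }
        }' "$1"
}

# is_days VALUE: succeed only if VALUE is a non-empty string of digits.
is_days() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# check_rotation_periods FILE: print every violation; return 1 if any is found.
check_rotation_periods() {
    ca=$(get_prop "$1" CA_cert_rotation_period)
    signer=$(get_prop "$1" Signer_cert_rotation_period)
    rc=0
    if ! is_days "$ca" || ! is_days "$signer"; then
        echo "rotation periods must be whole numbers of days (CA='$ca', signer='$signer')"
        return 1
    fi
    if [ "$ca" -lt "$CA_DEFAULT_DAYS" ]; then
        echo "CA_cert_rotation_period=$ca is below the default of $CA_DEFAULT_DAYS days"; rc=1
    fi
    if [ "$signer" -lt "$SIGNER_DEFAULT_DAYS" ]; then
        echo "Signer_cert_rotation_period=$signer is below the default of $SIGNER_DEFAULT_DAYS days"; rc=1
    fi
    if [ "$signer" -ge "$ca" ]; then
        echo "Signer_cert_rotation_period=$signer is not shorter than CA_cert_rotation_period=$ca"; rc=1
    fi
    return $rc
}
```

Run it as check_rotation_periods /opt/qradar/conf/backup-config/backupsign_sample.properties (or the /opt/qradar/bin path on builds before UP15 IF02) after editing the file and before the next backup is generated.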
Certificate creation
The QRadar backup signing process uses a certificate-based system to help ensure the integrity and authenticity of your backup files. The system maintains three certificate directories under /store/backup/ssl/certs that work together to sign backups and verify them during restoration. Take a backup of the CA certificate whenever a new CA certificate is created.
Certificates are automatically generated during the first backup creation and are rotated upon expiration. The system sends notifications to users when a certificate is generated or rotated.
Whenever a notification about new certificate generation is received, it is recommended that the administrator back up the certificates and store them in a secure location for disaster recovery purposes. Specifically, the administrator must back up the CA, signer, and truststore folders from /store/backup/ssl/certs/.
Certificate synchronization
- Certificate synchronization management for Data Synchronization App
- If the Data Synchronization App is installed and the consoles are paired, backup data and digital signatures are automatically synchronized between both systems during backup generation. This ensures that backups created with any previously generated CA certificate can be successfully verified and restored, regardless of when they were created.
When the system generates a new CA certificate, it is automatically added to the /store/backup/ssl/certs/truststore folder alongside the existing certificates. The system does not delete old certificates; it maintains a complete certificate history, which helps ensure backward compatibility with all backups.
The /store/backup/ssl/certs/truststore folder acts as a central repository for all current and historical digital-signature CA certificates, with timestamps appended to their names for easy identification.
Whenever a new certificate is added to the /store/backup/ssl/certs/truststore folder, the system automatically synchronizes it with the paired site's /store/backup/ssl/certs/truststore folder and the required symlink. This helps ensure that backups can be verified seamlessly during cross-site restoration.
Note: This feature is delivered with QRadar 7.5.0 UP15 and Data Synchronization App 3.3.0.
- Certificate synchronization management for cross-site
- If the Data Synchronization App is not installed, the truststore certificates must be transferred manually to the target site for a cross-site restore. To restore on a different system, complete the following steps:
- Transfer the trusted certificate that was used during backup generation.
- Place the trusted certificate in /store/backup/ssl/certs/truststore
Note: If the truststore directory does not exist, run the following command to create the certificate directory structure:
bash /opt/qradar/bin/backupsign_cert_import.sh
Then run the following command:
openssl rehash /store/backup/ssl/certs/truststore
Notification on CA certificate creation
A new CA certificate has been detected in the truststore. Please ensure to take backup of the certificate if not done already and store the certificate in a secure location. This certificate is required for future trust validation and secure communication.
Encrypted passphrase
| Passphrase state | System behavior |
|---|---|
| Empty and no certificates exist (first-time setup) | The system automatically generates a new encrypted passphrase. |
| Present and Unchanged | The existing passphrase is reused. |
| Modified or manually altered | The existing certificates become invalid. |