Certificate lifecycle and configuration

This topic describes the configuration and lifecycle of the certificates that QRadar uses to sign and verify backup files.

Certificate configuration parameters

The following table shows the default validity for each certificate type:
Table 1. Validity for certificates
Certificate type        Default validity
CA certificate          2 years (730 days)
Signer certificate      1 year (365 days)

For versions up to QRadar 7.5.0 UP15 IF01, the configuration file is at /opt/qradar/bin/backupsign_sample.properties

Starting from QRadar 7.5.0 UP15 IF02, the file is at /opt/qradar/conf/backup-config/backupsign_sample.properties

Note: The system maintains, in the backupsign_config file, the default settings that certificate creation and lifecycle management depend on, such as the key algorithm and key size. Do not modify these parameters.

The following properties in the backupsign_sample.properties file are configurable and can be modified to suit your requirements, within the criteria listed under Important.

  • CA_cert_rotation_period
  • Signer_cert_rotation_period
Important:
  • These values can be set higher than the default validity period to meet organizational security requirements.
  • These values must not be set lower than the default values.
  • The Signer certificate rotation period must always be shorter than the CA certificate rotation period.

Certificate creation

Take a backup of the CA certificate whenever a new CA certificate is created. The QRadar backup signing process uses certificates to help ensure the integrity and authenticity of your backup files. The system maintains three certificate directories under /store/backup/ssl/certs (CA, signer, and truststore) that work together to sign backups and to verify them during restoration.

Certificates are automatically generated during the first backup creation and are rotated upon expiration. The system sends notifications to users when a certificate is generated or rotated.

Whenever a notification about new certificate generation is received, the administrator should back up the certificates and store them in a secure location for disaster recovery. Specifically, back up the CA, signer, and truststore folders from /store/backup/ssl/certs/. The CA and signer folders also contain the corresponding private keys, so protect the copy accordingly.
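The following script is an added example and is not QRadar's own tooling. It bundles the three folders named above into a single archive, writes a SHA-256 manifest beside it, and provides a check to run before a bundle is relied on for disaster recovery. The root directory is a parameter (assumed here to be a scratch copy) so that the functions can be rehearsed without touching /store/backup/ssl/certs; the archive name and the README placeholders are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not QRadar's own tooling): bundle the three certificate folders
# the documentation says to back up, record a SHA-256 manifest beside the bundle,
# and check a bundle before relying on it for disaster recovery. The certs root is
# a parameter so the functions can be rehearsed on a scratch tree (assumption);
# on a Console it would be /store/backup/ssl/certs.
set -eu

# archive_certs <certs_root> <out.tar.gz>
# The CA and signer folders hold private keys, so the bundle is created with
# owner-only permissions; keep the copy off-box in a protected location.
archive_certs() {
  root=$1; out=$2
  for d in CA signer truststore; do
    [ -d "$root/$d" ] || { echo "missing $root/$d" >&2; return 1; }
  done
  ( umask 077 && tar -czf "$out" -C "$root" CA signer truststore )
  ( cd "$(dirname "$out")" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# verify_archive <out.tar.gz>
# Returns 0 only if the recorded digest still matches and the bundle contains
# all three folders; a restore on another site needs every one of them.
verify_archive() {
  out=$1
  ( cd "$(dirname "$out")" && sha256sum -c "$(basename "$out").sha256" >/dev/null 2>&1 ) || return 1
  listing=$(tar -tzf "$out" 2>/dev/null) || return 1
  for d in CA signer truststore; do
    printf '%s\n' "$listing" | grep -q "^$d/" || return 1
  done
}

# Demonstration on a constructed scratch tree, not a real Console.
DEMO=$(mktemp -d)
for d in CA signer truststore; do
  mkdir -p "$DEMO/certs/$d"
  echo "placeholder for $d contents" > "$DEMO/certs/$d/README"
done
archive_certs "$DEMO/certs" "$DEMO/backupsign-certs.tar.gz"
if verify_archive "$DEMO/backupsign-certs.tar.gz"; then
  echo "archive verified: $DEMO/backupsign-certs.tar.gz"
fi
```

Run verify_archive against the stored bundle each time the notification in the Notification center tells you a certificate was generated or rotated, then create a fresh bundle; an archive that fails the digest check or is missing a folder should not be kept as the recovery copy.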

Certificate synchronization

Certificate synchronization management for Data Synchronization App
If the Data Synchronization App is installed and the consoles are paired, backup data and digital signatures are automatically synchronized between both systems during backup generation.

When the system generates a new CA certificate, it is automatically added to the /store/backup/ssl/certs/truststore folder alongside the existing certificates. The system never deletes old certificates, so the folder holds a complete certificate history, and backups created with any previously generated CA certificate can still be verified and restored, regardless of when they were created.

The /store/backup/ssl/certs/truststore folder acts as the central repository for all CA certificates used for digital signatures, both current and historical, with timestamps appended to their file names for easy identification.

Whenever a new certificate is added to the /store/backup/ssl/certs/truststore folder, the system automatically synchronizes it, together with the required symlink, to the paired site's /store/backup/ssl/certs/truststore folder. This helps ensure that backups can be verified seamlessly during cross-site restoration.

Note: This feature is delivered with QRadar 7.5.0 UP15 and Data Synchronization App 3.3.0.
Certificate synchronization management for cross-site
If the Data Synchronization App is not installed, the truststore certificates must be transferred manually to the target site before a cross-site restore, by using the following steps.
To restore on a different system, complete the following steps:
  1. Transfer the trusted certificate that was used during backup generation to the target site over a secure channel.
  2. Place the trusted certificate in: /store/backup/ssl/certs/truststore
    Note: If the truststore directory does not exist, run the following command to create the directory structure for the certificates:
    bash /opt/qradar/bin/backupsign_cert_import.sh
    Then run the following command, which creates the hashed symlinks that the verification lookup requires (repeat it whenever a certificate is added to the folder):
    openssl rehash /store/backup/ssl/certs/truststore
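The following script is an added example and is not QRadar's own tooling; it rehearses the manual hand-off above on scratch directories. It builds a constructed CA and signer pair with the validities from Table 1, copies the CA certificate into a stand-in truststore folder with a timestamped name, and shows that OpenSSL's directory lookup cannot verify the signer until openssl rehash has created the <subject-hash>.N symlinks. The scratch paths, the certificate names and the ca_<timestamp>.pem naming are assumptions for the demonstration, not the product's own layout.

```shell
#!/bin/sh
# Added example (not QRadar's own tooling): rehearse the manual cross-site
# truststore hand-off with a constructed CA/signer pair. It shows why the
# "openssl rehash" step matters: OpenSSL's -CApath lookup finds a CA only
# through the <subject-hash>.N symlinks that rehash creates, so a certificate
# that is merely copied into the folder is not yet usable for verification.
# All paths are scratch stand-ins for /store/backup/ssl/certs/... (assumption).
set -eu

# make_demo_certs <dir>: constructed CA (730 days) and signer (365 days) pair.
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -subj "/CN=Constructed Backup CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Constructed Backup Signer" \
    -keyout "$1/signer.key" -out "$1/signer.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/signer.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$1/signer.pem" >/dev/null 2>&1
}

# fingerprint <cert.pem>: SHA-256 fingerprint, to compare on both sites before
# trusting the transferred file.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# place_ca <truststore> <ca.pem>: step 2, copy the CA certificate into the
# truststore under a timestamped name (assumed naming for the demonstration).
place_ca() {
  mkdir -p "$1"
  cp "$2" "$1/ca_$(date +%Y%m%d%H%M%S).pem"
}

# rehash_truststore <truststore>: create or refresh the hash symlinks.
rehash_truststore() {
  openssl rehash "$1" >/dev/null 2>&1
}

# verify_signer <truststore> <signer.pem>: 0 only if the signer chains to a CA
# that the truststore directory lookup can find.
verify_signer() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Demonstration on scratch directories.
WORK=$(mktemp -d)
make_demo_certs "$WORK"
TRUSTSTORE="$WORK/truststore"
echo "CA fingerprint to confirm on the target site: $(fingerprint "$WORK/ca.pem")"
place_ca "$TRUSTSTORE" "$WORK/ca.pem"
if verify_signer "$TRUSTSTORE" "$WORK/signer.pem"; then
  echo "unexpected: verified before rehash"
else
  echo "before rehash: signer not verifiable (no hash symlinks yet)"
fi
rehash_truststore "$TRUSTSTORE"
if verify_signer "$TRUSTSTORE" "$WORK/signer.pem"; then
  echo "after rehash: signer verified against the truststore"
fi
```

On a real pair of sites, compare the fingerprint of the file that arrives with the fingerprint printed on the source site before placing it in the truststore, and run the verify step against the target truststore before starting the restore rather than discovering a missing symlink mid-restore.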

Notification on CA certificate creation

When a new CA certificate is generated, the following notification is generated and is visible in the Notification center in QRadar.
A new CA certificate has been detected in the truststore. Please ensure to take backup of the certificate if not done already and store the certificate in a secure location. This certificate is required for future trust validation and secure communication

Encrypted passphrase

The encrypted passphrase that is used for certificate generation and signing is maintained in the /opt/qradar/bin/backupsign_sample.properties file.
Table 2. System behavior for passphrase state
Passphrase state                                            System behavior
Field is empty, no certificates exist (first-time setup)    The system automatically generates a new encrypted passphrase.
Present and unchanged                                       The existing passphrase is reused.
Modified or manually altered                                The existing certificates become invalid.
If the passphrase is manually modified or tampered with, the certificates become unusable. In that case, either restore the original passphrase, or remove the existing passphrase together with the CA and Signer certificates and keys. During the next backup initialization, a new encrypted passphrase is generated (if required), new certificates are generated automatically, and backup signing resumes with the new trust chain.
Important: The passphrase and certificates are cryptographically linked. Any modification of the passphrase invalidates previously generated certificates.