Initialization of backup signing process

When a backup is initiated, IBM QRadar performs certificate validation and signing preparation before the backup archive is created.

During this phase, the system ensures that a valid trust chain exists and that the backup can be securely signed.

Certificate validation and handling

At the start of the backup process, the system evaluates the status of the required certificates (CA and Signer).
Table 1. System behavior by certificate state

Certificate state     System behavior
-------------------   ----------------------------------------------------
Not Present           Automatically generates new CA and Signer certificates.
Present and Valid     Reuses existing certificates for signing.
Present but Expired   Automatically rotates and regenerates certificates.

After successful validation or regeneration, the backup archive is digitally signed and a corresponding signature file is generated and stored with the backup. The process ensures uninterrupted signing functionality without requiring manual intervention under normal conditions.

Certificate trust model

The backup signing process relies on a two-level certificate hierarchy.
CA Certificate
  • Acts as the root of trust
  • Signs and validates the Signer certificate
  • Ensures integrity of the trust chain
  • The location is /store/backup/ssl/certs/ca
Signer Certificate
  • Digitally signs the backup file
  • Ensures that the backup has not been altered after creation
  • The location is /store/backup/ssl/certs/signer
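
The following read-only audit is an added example, not IBM code: it reports which Table 1 state each certificate is in and whether the Signer certificate chains to the CA. It assumes the certificates are PEM-encoded X.509 files readable by the openssl CLI; the file names inside the two locations are not given on this page, so they are passed as arguments.

```sh
#!/bin/sh
# Added example (not IBM code): read-only audit of the CA and Signer certificates.
# Usage: sh audit_backup_certs.sh <ca-cert.pem> <signer-cert.pem>
# Assumption: the files under /store/backup/ssl/certs/ca and
# /store/backup/ssl/certs/signer are PEM X.509 certificates; pass their paths.

# cert_state FILE -> not-present | unreadable | expired | valid
# (the states in Table 1, plus "unreadable" for a file that is not a certificate)
cert_state() {
    [ -s "$1" ] || { echo "not-present"; return 0; }
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo "unreadable"; return 0; }
    # -checkend 0 exits non-zero when notAfter is already in the past
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "valid"
    else
        echo "expired"
    fi
}

# chain_ok CA SIGNER -> exit 0 only if SIGNER verifies with CA as the trust anchor.
# The ": OK" result line is matched rather than the exit status.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# audit_backup_certs CA SIGNER -> one summary line for both levels of the hierarchy
audit_backup_certs() {
    ca_state=$(cert_state "$1")
    signer_state=$(cert_state "$2")
    chain="not-checked"
    # The chain is only meaningful when both certificates are present and valid
    if [ "$ca_state" = "valid" ] && [ "$signer_state" = "valid" ]; then
        if chain_ok "$1" "$2"; then chain="ok"; else chain="broken"; fi
    fi
    echo "ca=$ca_state signer=$signer_state chain=$chain"
}

if [ "$#" -eq 2 ]; then
    audit_backup_certs "$1" "$2"
fi
```

A result other than `ca=valid signer=valid chain=ok` shows which level of the hierarchy to examine before relying on the signature of the next backup.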