Initialization of backup signing process
When backup is initiated, IBM QRadar performs certificate validation and signing preparation before the backup archive is created.
During this phase, the system ensures that a valid trust chain exists and that the backup can be securely signed.
Certificate validation and handling
At the start of the backup process, the system evaluates the status of the required certificates (CA and Signer).
| Certificate state | System behavior |
|---|---|
| Not Present | Automatically generates new CA and Signer certificates. |
| Present and Valid | Reuses existing certificates for signing. |
| Present but Expired | Automatically rotates and regenerates certificates. |
After successful validation or regeneration, the backup archive is digitally signed, and a corresponding signature file is generated and stored with the backup. The process ensures uninterrupted signing functionality without requiring manual intervention under normal conditions.
Certificate trust model
The backup signing process relies on a two-level certificate hierarchy.
- CA Certificate
  - Acts as the root of trust
  - Signs and validates the Signer certificate
  - Ensures integrity of the trust chain
  - The location is /store/backup/ssl/certs/ca
- Signer Certificate
  - Digitally signs the backup file
  - Ensures that the backup has not been altered after creation
  - The location is /store/backup/ssl/certs/signer
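
The following shell functions are an added example, not IBM QRadar code: they classify a certificate into the states from the table above and check that the Signer certificate chains to the CA, using the standard `openssl` command. The file names `ca.pem` and `signer.pem`, the PEM format, the extra `unreadable` state, and the optional look-ahead argument are assumptions; the page documents only the two directories.

```shell
#!/usr/bin/env bash
# Added example. File names under the two directories are assumptions;
# the page documents only the directories themselves.
CA_CERT="${CA_CERT:-/store/backup/ssl/certs/ca/ca.pem}"                  # assumed name
SIGNER_CERT="${SIGNER_CERT:-/store/backup/ssl/certs/signer/signer.pem}"  # assumed name

# cert_state <cert.pem> [seconds_ahead]
# Prints not_present | unreadable | expired | valid, evaluated at now + seconds_ahead.
cert_state() {
    local cert="$1" ahead="${2:-0}"
    [ -e "$cert" ] || { echo not_present; return 0; }
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if openssl x509 -in "$cert" -noout -checkend "$ahead" >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# chain_ok <ca.pem> <signer.pem>: succeeds only if the Signer was issued by this CA
# and both certificates are inside their validity period.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_sample_pair <dir>: builds a constructed one-day CA and Signer pair for testing.
make_sample_pair() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Backup CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Sample Backup Signer" \
        -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/signer.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/signer.pem" 2>/dev/null
}

# report: prints the state of both certificates and the chain result.
report() {
    echo "CA:     $(cert_state "$CA_CERT")"
    echo "Signer: $(cert_state "$SIGNER_CERT")"
    if chain_ok "$CA_CERT" "$SIGNER_CERT"; then echo "Chain:  ok"; else echo "Chain:  broken"; fi
}

if [ "${1:-}" = "report" ]; then report; fi
```

Passing a look-ahead such as `cert_state "$SIGNER_CERT" 2592000` shows whether the certificate will have expired 30 days from now, which indicates that the next backup after that date would trigger the automatic rotation described above.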