Determining whether your certificate is internally signed or custom signed

An internal certificate authority (CA) is not always publicly trusted, so its certificate chain is not trusted globally. You must determine whether your certificate is internally signed or custom signed so that you can properly configure the connection to IBM® QRadar®. Then, you can obtain the correct certificate chain for the certificate and complete the connection configuration to QRadar.

Procedure

  1. On the QRadar Console, run the following command. Replace 127.0.0.1:443 in the following example with the host and port of your console.
    openssl s_client -showcerts -connect 127.0.0.1:443
  2. If the following response is returned, you are using an internally signed web certificate from the QRadar Root CA.
    [root@qradar-742-console ~]# openssl s_client -showcerts -connect 127.0.0.1:443
    CONNECTED(00000003)
    depth=2 CN = QRadar Local Root CA
    verify return:1
    depth=1 CN = QRadar Local CA
    verify return:1
    depth=0 CN = qradar-742-console.example.ibm.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=qradar-742-console.example.ibm.com
       i:/CN=QRadar Local CA

    Go to step 4.

  3. If the output does not indicate QRadar Local CA, such as the following example, you are using a custom signed certificate.
    [root@qradar proxy_app-cp4s]# openssl s_client -showcerts -connect 127.0.0.1:443
    CONNECTED(00000003)
    depth=1 DC = com, DC = middletown-ri, CN = middletown-ri-AD-SECURITY-CA
    verify return:1
    depth=0 C = US, ST = Isle of Rhode, L = Middletown, O = IBM, OU = Security, CN = qradar.example.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Isle of Rhode/L=Middletown/O=IBM/OU=Security/CN=qradar.example.com
       i:/DC=com/DC=middletown-ri/CN=middletown-ri-AD-SECURITY-CA
    

    Go to step 5.

  4. If you're using the QRadar Local CA, complete the following steps to obtain the Root Certificate, Intermediate Certificate, and Apache Certificate, and then add them to the platform.
    1. Download the Root Certificate from http://<qradar_host_ip>:9381/vault-qrd_ca.pem.
    2. Download the Intermediate Certificate from http://<qradar_host_ip>:9381/vault-qrd_ca_int.pem.
    3. Download the Apache Certificate from the following directory on your QRadar console: /etc/httpd/conf/certs/cert.cert.
      Tip: For more information about using the Apache certificate in the certificate chain, see https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2.
    4. Go to Menu > Connections > QRadar Proxy.
    5. In the IBM QRadar Connection Certificate field, copy the certificates in the following order:
      1. Apache certificate
      2. Intermediate certificate
      3. Root certificate
  5. If the certificate is a custom signed certificate that is not the QRadar Local CA, complete the following steps:
    1. Obtain the Apache Certificate from the /etc/httpd/conf/certs/cert.cert file.
      Tip: For more information about using the Apache certificate in the certificate chain, see https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2.
    2. Review the output in the openssl command in step 1.
      The Root CA typically doesn't sign server certificates directly. Intermediate certificate authorities sign them instead, so the chain contains one or more intermediate CA certificates. The following example shows a typical scenario:
      [root@qradarproxy NO_IP_CERT]# openssl s_client -showcerts -connect 127.0.0.1:443
      CONNECTED(00000003)
      depth=3 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-ROOTCA-CA
      verify return:1
      depth=2 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB1CA-CA
      verify return:1
      depth=1 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB2CA-CA
      verify return:1
      depth=0 C = US, ST = Isle of Rhode, L = Middletown, O = IBM, OU = Security, CN = qradarproxy.example.com
      verify return:1
      ---
      Certificate chain
       0 s:/C=US/ST=Isle of Rhode/L=Middletown/O=IBM/OU=Security/CN=qradarproxy.example.com
         i:/DC=com/DC=ibm/DC=us/DC=qradar/CN=qradar-QRADAR-SUB2CA-CA
      -----BEGIN CERTIFICATE-----
      In the example, you can see the following certificate authorities and the associated chain:
      • qradar-QRADAR-SUB2CA-CA --> qradar-QRADAR-SUB1CA-CA --> qradar-QRADAR-ROOTCA-CA
      • qradar-QRADAR-SUB2CA-CA signed the Apache Certificate
    3. Find your Root and Intermediate Certificates in the /etc/pki/ca-trust/source/anchors/<file_name>.crt file. You can also find your Root and Intermediate Certificates from their source.
    4. Go to Menu > Connections > QRadar Proxy.
    5. In the IBM QRadar Certificate field, copy your certificates in the following order:
      1. Apache Certificate
      2. qradar-QRADAR-SUB2CA-CA certificate
      3. qradar-QRADAR-SUB1CA-CA certificate
      4. qradar-QRADAR-ROOTCA-CA certificate
      Tip: For more information about using the Apache certificate in the certificate chain, see https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2.
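
The check in steps 2 and 3 and the paste order in steps 4 and 5 can be scripted. The following is an added example, not IBM's code: the function names `classify_signer` and `chain_order` are hypothetical, and the sample text is constructed from the example output on this page.

```shell
#!/usr/bin/env bash
# Added example; sample text is constructed from this page's output (trimmed).
SAMPLE_INTERNAL='depth=2 CN = QRadar Local Root CA
depth=1 CN = QRadar Local CA
depth=0 CN = qradar-742-console.example.ibm.com
---
Certificate chain
 0 s:/CN=qradar-742-console.example.ibm.com
   i:/CN=QRadar Local CA'
SAMPLE_CUSTOM='depth=3 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-ROOTCA-CA
depth=2 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB1CA-CA
depth=1 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB2CA-CA
depth=0 C = US, ST = Isle of Rhode, L = Middletown, O = IBM, OU = Security, CN = qradarproxy.example.com
---
Certificate chain
 0 s:/C=US/ST=Isle of Rhode/L=Middletown/O=IBM/OU=Security/CN=qradarproxy.example.com
   i:/DC=com/DC=ibm/DC=us/DC=qradar/CN=qradar-QRADAR-SUB2CA-CA'

# classify_signer: reads s_client output on stdin and prints "internal" when
# certificate 0 is issued by QRadar Local CA, "custom" for any other issuer,
# or "unknown" when no issuer line for certificate 0 is present.
classify_signer() {
  awk '
    /^ *0 s:/ { leaf = 1; next }
    leaf && /^ *i:/ { issuer = $0; sub(/^ *i:/, "", issuer); exit }
    END {
      if (issuer == "") print "unknown"
      else if (issuer ~ /CN ?= ?QRadar Local CA *$/) print "internal"
      else print "custom"
    }'
}

# chain_order: prints the CN of each certificate in the order the connection
# certificate field expects: depth 0 (Apache) first, root CA last.
chain_order() {
  awk '
    /^ *depth=[0-9]+ / {
      d = $1; sub(/^depth=/, "", d); d += 0
      cn = $0; sub(/^.*CN ?= ?/, "", cn); sub(/ *$/, "", cn)
      name[d] = cn; if (d > max) max = d
    }
    END { for (i = 0; i <= max; i++) if (i in name) print name[i] }'
}

printf '%s\n' "$SAMPLE_CUSTOM" | classify_signer
printf '%s\n' "$SAMPLE_CUSTOM" | chain_order
```

On a console, pipe the real output in with `openssl s_client -showcerts -connect 127.0.0.1:443 </dev/null 2>&1 | chain_order`; the `depth=` lines are written to stderr, hence the `2>&1`.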