Determining whether your certificate is internally signed or custom signed
A certificate that is issued by an internal certificate authority (CA) is sometimes not considered publicly trusted, unlike certificates whose chains are globally trusted. You must determine whether your certificate is internally signed or custom signed so that you can properly configure the connection to IBM® QRadar. Then, you can obtain the correct certificate chain for the certificate and complete the connection configuration to QRadar®.
Procedure
- On the QRadar Console, run the following command. Replace 127.0.0.1:443 in the following example with the URL of your console.

      openssl s_client -showcerts -connect 127.0.0.1:443
- If the following response is returned, you are using an internally signed web certificate from the QRadar Root CA.

      [root@qradar-742-console ~]# openssl s_client -showcerts -connect 127.0.0.1:443
      CONNECTED(00000003)
      depth=2 CN = QRadar Local Root CA
      verify return:1
      depth=1 CN = QRadar Local CA
      verify return:1
      depth=0 CN = qradar-742-console.example.ibm.com
      verify return:1
      ---
      Certificate chain
       0 s:/CN=qradar-742-console.example.ibm.com
         i:/CN=QRadar Local CA

  Go to step 4.
- If the output does not indicate QRadar Local CA, such as the following example, you are using a custom signed certificate.

      [root@qradar proxy_app-cp4s]# openssl s_client -showcerts -connect 127.0.0.1:443
      CONNECTED(00000003)
      depth=1 DC = com, DC = middletown-ri, CN = middletown-ri-AD-SECURITY-CA
      verify return:1
      depth=0 C = US, ST = Isle of Rhode, L = Middletown, O = IBM, OU = Security, CN = qradar.example.com
      verify return:1
      ---
      Certificate chain
       0 s:/C=US/ST=Isle of Rhode/L=Middletown/O=IBM/OU=Security/CN=qradar.example.com
         i:/DC=com/DC=middletown-ri/CN=middletown-ri-AD-SECURITY-CA

  Go to step 5.
- If you're using the QRadar Local CA, complete the following steps to obtain the Root Certificate, Intermediate Certificate, and Apache Certificate, and then add them to the platform.
  - Download the Root Certificate from http://<qradar_host_ip>:9381/vault-qrd_ca.pem.
  - Download the Intermediate Certificate from http://<qradar_host_ip>:9381/vault-qrd_ca_int.pem.
  - Download the Apache Certificate from the following directory on your QRadar console: /etc/httpd/conf/certs/cert.cert.
    Tip: For more information about using the Apache certificate in the certificate chain, see https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2.
  - Go to Menu > Connections > QRadar Proxy.
  - In the IBM QRadar Connection Certificate field, copy the certificates in the following order:
    - Apache certificate
    - Intermediate certificate
    - Root certificate
- If the certificate is a custom signed certificate that is not the QRadar Local CA, complete the following steps:
  - Obtain the Apache Certificate from the /etc/httpd/conf/certs/cert.cert file.
    Tip: For more information about using the Apache certificate in the certificate chain, see https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2.
  - Review the output of the openssl command in step 1. The Root CA typically doesn't sign the certificates, which results in intermediary certificate authorities. The following example shows a typical scenario:

        [root@qradarproxy NO_IP_CERT]# openssl s_client -showcerts -connect 127.0.0.1:443
        CONNECTED(00000003)
        depth=3 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-ROOTCA-CA
        verify return:1
        depth=2 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB1CA-CA
        verify return:1
        depth=1 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB2CA-CA
        verify return:1
        depth=0 C = US, ST = Isle of Rhode, L = Middletown, O = IBM, OU = Security, CN = qradarproxy.example.com
        verify return:1
        ---
        Certificate chain
         0 s:/C=US/ST=Isle of Rhode/L=Middletown/O=IBM/OU=Security/CN=qradarproxy.example.com
           i:/DC=com/DC=ibm/DC=us/DC=qradar/CN=qradar-QRADAR-SUB2CA-CA
        -----BEGIN CERTIFICATE-----

    In the example, you can see the following certificate authorities and the associated chain:
    - qradar-QRADAR-SUB2CA-CA --> qradar-QRADAR-SUB1CA-CA --> qradar-QRADAR-ROOTCA-CA
    - qradar-QRADAR-SUB2CA-CA signed the Apache Certificate
  - Find your Root and Intermediate Certificates in the /etc/pki/ca-trust/source/anchors/<file_name>.crt file. You can also find your Root and Intermediate Certificates from their source.
  - Go to Menu > Connections > QRadar Proxy.
  - In the IBM QRadar Certificate field, copy your certificates in the following order:
    - Apache Certificate
    - qradar-QRADAR-SUB2CA-CA certificate
    - qradar-QRADAR-SUB1CA-CA certificate
    - qradar-QRADAR-ROOTCA-CA certificate
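
The check in step 1 and the paste order in steps 4 and 5 can be read from the openssl output mechanically. The following script is an added example, not part of the IBM procedure: the function names classify_signer, paste_order, and sample_output are hypothetical, and the sample is the custom signed output from step 5.

```shell
#!/usr/bin/env bash
# Added example (not IBM code). Function names are hypothetical.
# Live use, capturing the depth lines that openssl writes to stderr:
#   openssl s_client -showcerts -connect 127.0.0.1:443 </dev/null 2>&1 | classify_signer

# Constructed sample: the custom signed output shown in step 5 of this page.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
depth=3 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-ROOTCA-CA
verify return:1
depth=2 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB1CA-CA
verify return:1
depth=1 DC = com, DC = ibm, DC = us, DC = qradar, CN = qradar-QRADAR-SUB2CA-CA
verify return:1
depth=0 C = US, ST = Isle of Rhode, L = Middletown, O = IBM, OU = Security, CN = qradarproxy.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Isle of Rhode/L=Middletown/O=IBM/OU=Security/CN=qradarproxy.example.com
   i:/DC=com/DC=ibm/DC=us/DC=qradar/CN=qradar-QRADAR-SUB2CA-CA
EOF
}

# Reads s_client output on stdin. Prints "internal" when the issuer of
# certificate 0 is the QRadar Local CA, "custom" for any other issuer, and
# "unknown" (exit status 1) when no chain was printed, e.g. a failed connect.
classify_signer() {
  awk '
    /^ *0 s:/       { leaf = 1; next }        # subject line of certificate 0
    leaf && /^ *i:/ { issuer = $0; exit }     # its issuer line follows
    END {
      if (issuer == "") { print "unknown"; exit 1 }
      # Accept both "CN=..." and "CN = ..." issuer formats.
      if (issuer ~ /CN ?= ?QRadar Local CA[ \t\r]*$/) print "internal"
      else print "custom"
    }'
}

# Prints one CN per line in the order the certificates are pasted into the
# connection field: depth 0 (Apache certificate) first, root CA last.
# Assumes CN is the last attribute of each subject, as in the page's output.
paste_order() {
  awk '/^depth=[0-9]+ / {
         d = $1;  sub(/^depth=/, "", d)
         cn = $0; sub(/^.*CN ?= ?/, "", cn)
         print d "\t" cn
       }' | sort -n -u | cut -f2
}
```

Running sample_output | paste_order lists the leaf first and the root CA last, which is the order of the certificate list in step 5.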