IBM Support

WinCollect: Certificates modifications required for WinCollect on NAT on both sides deployments



Managed Hosts inside the same NAT group have no problems talking to the Console. Managed Hosts in different NAT groups, however, run into a problem because they cannot find a Subject Alternative Name (SAN) that matches the public IP.

Resolving The Problem

Including multiple IP addresses in the SAN list is not generally best practice, but it is possible.

Create new certificate
  1. Download the following files.
  2. Make the following edits to those files:
    • Edit ca.cfg to include the internal IP address of the Console
    • Edit to replace .cer extension with .der extension
  3. Copy these scripts to your Console.
  4. Run the following commands:
    ./
    ./ "NATCert" "IP:,IP:,DNS:qavm-3-12.q1labs.lab"
    # This should include the public IP, private IP, the FQDN, and any other domain names the customer needs for other purposes.
    cp ca/root-ca/root-ca.crt /etc/pki/ca-trust/source/anchors/root-ca.crt
    ./
    update-ca-trust
    /opt/qradar/support/ -p /etc/pki/ca-trust/source/anchors/root-ca.crt -r /etc/pki/ca-trust/source/anchors
    /opt/qradar/support/ -C update-ca-trust
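One way to confirm, before installing it, that the new certificate carries every name and address the Managed Hosts will connect to. This is an added example, not part of the IBM article or its scripts; the function names, the file name and the addresses in the usage comment are constructed placeholders, and `openssl` is assumed to be available on the Console.

```shell
#!/bin/sh
# Added example: report SAN entries that a certificate lacks.

# Print a PEM certificate's subjectAltName entries, one per line, in
# openssl's display form ("IP Address:10.0.0.10", "DNS:host.example").
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Convert a list written as "IP:a,IP:b,DNS:c" (the form passed to the
# certificate script) into the same one-per-line display form.
normalize_sans() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^ *//; s/ *$//; s/^IP:/IP Address:/'
}

# missing_sans PRESENT REQUIRED
# Print every REQUIRED entry absent from PRESENT; return 1 if any is.
# Matching is whole-line and case-insensitive; IPv6 spellings are not
# canonicalised, so write them the way openssl prints them.
missing_sans() {
    status=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if ! printf '%s\n' "$1" | grep -qixF -- "$entry"; then
            printf '%s\n' "$entry"
            status=1
        fi
    done <<EOF
$(normalize_sans "$2")
EOF
    return "$status"
}

# check_cert CERT.pem "IP:<public>,IP:<private>,DNS:<fqdn>"
check_cert() {
    missing_sans "$(cert_sans "$1")" "$2"
}

# Usage with constructed placeholder values (not from the article):
#   check_cert new-cert.pem "IP:203.0.113.10,IP:10.0.0.10,DNS:console.example.test"
```

An empty output with exit status 0 means every required entry is present; any line printed is an entry that would trigger the SAN mismatch described above.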
Install the new Certificate
  1. Follow the steps here to install a new SSL certificate.
Agents connected to the MHs on different NAT groups are now able to talk to the Console without getting errors from the trust manager.


Document Information

Modified date:
13 September 2022