IBM Support

QRadar: How to prepare certificates for SAML integration

How To


This article provides the steps to prepare certificates to integrate QRadar® with SAML authentication.


QRadar administrators are able to integrate SAML authentication.


SAML authentication has strict requirements on the certificates that are used for the integration. Administrators must perform the following steps on the Console over SSH as the root user.


  1. Verify that the certificate and private key are a matched pair.
    For a matched pair, the MD5 hashes of their moduli must be identical:
    openssl rsa -modulus -noout -in <private_key> | openssl md5
    openssl x509 -modulus -noout -in <public_cert> | openssl md5
    [root@qradar newcerts]# openssl rsa -modulus -noout -in qradar.key | openssl md5
    [root@qradar newcerts]# openssl x509 -modulus -noout -in qradar.cert | openssl md5
  2. Verify that the certificate has the "Key Encipherment" key usage.
    Run the following command:
    openssl x509 -noout -text -in <public_cert>
    Look for the section "X509v3 extensions" -> "X509v3 Key Usage". It must list "Key Encipherment".

    If it does not, ask the PKI team to reissue the certificate with the "Key Encipherment" key usage. Without "Key Encipherment", QRadar can produce the following error:
  3. Verify that the CRL URI is accessible from the QRadar Console.
    Use the same command as in step 2. Look for the section "X509v3 extensions" -> "X509v3 CRL Distribution Points":
        X509v3 CRL Distribution Points:
            Full Name:
    Check that the console can access the URL.
    If the URI is not accessible, QRadar can generate the following error:
    [tomcat.tomcat] [[email protected] (9074) /console/do/qradar/SAMLAuthCertConfig] Caused by:
    [tomcat.tomcat] [[email protected] (9074) /console/do/qradar/SAMLAuthCertConfig] com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CRLException: Error in generating crl from URL
    [tomcat.tomcat] [[email protected] (9074) /console/do/qradar/SAMLAuthCertConfig] Caused by:
    [tomcat.tomcat] [[email protected] (9074) /console/do/qradar/SAMLAuthCertConfig] Connection timed out (Connection timed out)
  4. Convert the private key to DER-encoded PKCS8 format.
    To import the private key, it must be in DER-encoded PKCS8 format.
    openssl pkcs8 -topk8 -inform PEM -outform DER -in <private_key> -out <private_key_DER> -nocrypt
    [root@qradar newcerts]# openssl pkcs8 -topk8 -inform PEM -outform DER -in qradar.key -out qradar.DER.key -nocrypt
    Note: Importing a private key that is not in DER-encoded PKCS8 format can produce the following error:
    qr742-3199-11153 tomcat[31103]: could not DER encode: algid parse error, not a sequence
  5. Verify the full certificate chain.
    Use the following command to verify that the certificate chain is valid (root CA, intermediate CA, then the public certificate):
    openssl verify -CAfile <rootCA_cert> -untrusted <intermediateCA_Cert> <public_cert>
  6. Combine the intermediate certificates. The SAML certificate import interface has only two fields for CA certificates.
    If the chain has more than one intermediate certificate, they must be combined into one file:
    cat intermediateCA_2.cert intermediateCA.cert > intCA_bundle.cert

After these steps, the certificate saves in the user interface without an error. If you are unable to save your certificate after you complete the steps in this technical note, contact QRadar Support for assistance.

Document Location

Product: IBM Security QRadar SIEM; Line of Business: Security Software; Category: Admin Tasks; Platform: Platform Independent; Version: All Versions

Document Information

Modified date:
03 April 2023