This article explains the steps to recover a private keystore file if there is an accidental deletion or regeneration of the default TLS Syslog certificate or private key files.
Perform the following steps to extract the key and certificates:
- Use SSH to log in to the Data Gateway appliance as the root user.
- Log in using SSH on to the managed host, on which the files (syslog-tls.cert or syslog-tls.key) are deleted from the default folder /opt/qradar/conf/trusted_certificates.
- To list the existing certificates and keys on the keystore, use the following command:
keytool -list -v -keystore /opt/qradar/conf/syslog-tls.keystore -storepass syslog-tls
- To convert the Java keystore in to p12 (pkcs) format, type the following command. Use the same password.
keytool -importkeystore -srckeystore /opt/qradar/conf/syslog-tls.keystore -storepass syslog-tls -srcalias syslog-tls -destkeystore syslog-tls.p12 -deststoretype PKCS12 -deststorepass syslog-tls -destkeypass syslog-tls
- Extract the private key from the p12 keystore.
openssl pkcs12 -in syslog-tls.p12 -nodes -nocerts -out syslog-tls.key
- Extract the certificate from the p12 keystore.
openssl pkcs12 -in syslog-tls.p12 -nokeys -out syslog-tls.cert
The private keystore file is regenerated. Once the files are recreated, they can be copied to the destination folder: /opt/qradar/conf/trusted_certificates
Alternatively, it is also possible to regenerate the certificate and key files and to import them into the Java keystore by using available scripts on the QRadar host.
Important: Do not use the following command without a option (in this case -h) as it regenerates the certificate and key.
Was this topic helpful?
26 May 2023