IBM Support

QRadar: How to reset certificates

How To


Certificates in QRadar can expire. There are specific steps that are required before and after you reset the certificates to ensure that services that use those certificates work correctly.


This article helps customers reset QRadar certificates by following the required commands.


In 7.4.3 or later, the log files that previously displayed the progress of the certificate creation are now located in /var/log/ca.
To view the files and their progress, tail the appropriate logs located in the /var/log/ca path.
  1. Open a terminal session to the Console as root and run the following commands.
    screen [enter]
       cd /root
    tmux [enter]
       cd /root
    Note: If you skip this step and your session times out, you must reset the certificates again.
  2. Run the following command to clear the certificate signing requests. 
    Wait until all of the files are removed and re-created. Once this step is completed, run one of the following options: 
    1. Using the default QRadar CA certificate 
      sed -e "s@\"CertSkip\":[ \t]*\".*\"@\"CertSkip\":\"false\"@" -i /opt/qradar/ca/conf.d/httpd.json; rm -rf /opt/qradar/ca/certs/*; /opt/qradar/ca/bin/ all --reset
    2. Using a Custom or non-QRadar CA certificate 
      Example: Verisign, GoDaddy, ...
      sed -e "s@\"CertSkip\":[ \t]*\".*\"@\"CertSkip\":\"true\"@" -i /opt/qradar/ca/conf.d/httpd.json; rm -rf /opt/qradar/ca/certs/*; /opt/qradar/ca/bin/ all --reset
    In the examples, the sed command modifies the file httpd.json by changing the value of the CertSkip key. The value is set to false or true depending on the type of certificates that we intend to change. For a deployment that uses QRadar CA certificates, the value is changed to false. For a deployment that uses a Custom CA certificate, the value is set to true: that certificate comes from a verified certificate authority, and we do not want to change or replace it.
    When the command completes, a restart of services is required. During the certificate creation, the keystore is updated with the new certificates. A Deploy Full Configuration is necessary after a restart of those services.
  3. Stop the services, clear out the Tomcat cache, and restart the services.
    systemctl stop hostcontext tomcat hostservices; rm -rf /opt/tomcat/work/Catalina; systemctl restart conman traefik docker; systemctl daemon-reload; systemctl start hostservices tomcat hostcontext; $(locate | tail -1)
    Note: The provided command stops the application framework services: hostcontext, tomcat, and hostservices. The 'rm -rf /opt/tomcat/work/Catalina' command removes the Catalina directory where the Tomcat cache is stored. The Tomcat cache is rebuilt automatically when services start, so it is safe to remove these files.
  4. If an AppHost is connected to the deployment, stop and start the following services on the AppHost.
    ssh <apphost>
    systemctl stop hostcontext hostservices; systemctl restart conman traefik docker; systemctl daemon-reload; systemctl start hostservices hostcontext; $(locate | tail -1)
  5. To apply the changes to all appliances, you must complete a Deploy Full Configuration from the Console. For more information, see QRadar: Impact of Deploy Full Configuration on events, flows, and offenses.
    • Open the console UI by navigating to https://<ip-address>/console.
    • Log in to the QRadar console as an administrator.
    • Click the Admin tab.
    • Click Advanced > Deploy Full Configuration.
    • When prompted, click Continue.
    After the system completes the Deploy Changes, the system is ready to use those certificates.
    A list of certificates that are changed as a result of this process looks similar to the following: 
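
The sed expression in step 2 matches the old CertSkip value with .* and that wildcard is greedy, so any keys that follow CertSkip on the same line of httpd.json would be overwritten as well. The script below is an added example, not part of the IBM article: it previews the edit without -i and refuses when the wildcard would consume more than the value. The function names, the sample files and every key other than CertSkip are constructed for illustration, and the real layout of httpd.json is an assumption.

```shell
#!/bin/sh
# Added example: preview the CertSkip edit from step 2 before using sed -i.

# preview_certskip FILE true|false
# Prints FILE as the article's sed expression would leave it.
# Returns 1 if the wildcard ate more than the CertSkip value,
# 2 if the key is missing, 3 if the requested value is not true/false.
preview_certskip() {
    _file=$1; _want=$2
    case $_want in true|false) ;; *) return 3 ;; esac
    grep -q '"CertSkip"' "$_file" || return 2
    # Expression as given in step 2 (target value parameterised).
    _got=$(sed -e "s@\"CertSkip\":[ \t]*\".*\"@\"CertSkip\":\"$_want\"@" "$_file")
    # Same edit, old value matched as [^"]* so it stops at its closing quote.
    _ref=$(sed -e "s@\"CertSkip\":[ \t]*\"[^\"]*\"@\"CertSkip\":\"$_want\"@" "$_file")
    [ "$_got" = "$_ref" ] || return 1
    printf '%s\n' "$_got"
}

# Read the CertSkip value from JSON text on stdin.
certskip_value() {
    sed -n 's/.*"CertSkip":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed samples; keys other than CertSkip and both layouts are assumptions.
make_samples() {
    _dir=$(mktemp -d)
    printf '{\n  "ServiceName": "httpd",\n  "CertSkip": "true",\n  "CertDir": "/constructed/path"\n}\n' \
        > "$_dir/multiline.json"
    printf '{"CertSkip": "true", "ServiceName": "httpd"}\n' > "$_dir/oneline.json"
    printf '%s\n' "$_dir"
}

samples=$(make_samples)
for f in "$samples"/*.json; do
    if out=$(preview_certskip "$f" false); then
        echo "$f: ok, CertSkip would become $(printf '%s\n' "$out" | certskip_value)"
    else
        echo "$f: do not use sed -i on this file (status $?)"
    fi
done
rm -rf "$samples"
```

Pointed at a copy of /opt/qradar/ca/conf.d/httpd.json before step 2, a status of 1 means the sed -i form would alter more than the CertSkip value in that file.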


Document Information

Modified date:
06 December 2023