How To
Summary
This article walks you through checking, installing, and removing certificates, and enabling certificate verification. It also includes steps for installing with certificate verification disabled, so that communication between EDR agents and the Hive server stays secure and reliable.
These EDR agent versions introduce SSL certificate verification:
• Windows v3.12.5
• Linux v0.91.0
• macOS v1.2.0
Steps
Certificate check
This section explains how to check if the certificates installed on the endpoint allow secure connections with certificate verification, based on the endpoint's OS.
- Windows
Assuming an agent is already installed and registered, run the following command from an administrator command prompt (the path contains a space, so it must be quoted):
• "C:\Program Files\ReaQta\keeper.exe" --verify-check
Alternatively, using local utilities in PowerShell:
• Invoke-WebRequest -Uri "https://<host>:<port>" -UseBasicParsing
Where <host> is your QRadar EDR Hive backend server hostname (i.e. the URL without “https://”), and <port> is the port used for agent registration (typically 4443 for SaaS, 443 for CP4S on-prem).
- Linux
Assuming an agent is already installed and registered, run from a shell:
• sudo /etc/reaqtahive.d/keeperx --verify-check
In case of installation failures due to registration issues, pass the EDR Hive backend details explicitly:
• sudo /etc/reaqtahive.d/keeperx --verify-check https://<hive_url>:<hive_port>
Alternatively, using local utilities:
• echo | openssl s_client -connect <host>:<port> -showcerts 2> /dev/null
Where <host> is your QRadar EDR Hive backend server hostname (i.e. URL without “https://”), and <port> is the port used for agent registration (typically 4443 for SaaS instances, 443 for CP4S on-prem).
- Mac OS
Assuming an agent is already installed and registered, run from a shell:
• sudo /Library/IBM\ Security\ ReaQta/keeperi --verify-check
Alternatively, using local utilities:
• echo | openssl s_client -connect <host>:<port> -showcerts 2> /dev/null
Where <host> is your QRadar EDR Hive backend server hostname (i.e. the URL without “https://”), and <port> is the port used for agent registration (typically 4443 for SaaS instances, 443 for CP4S on-prem).
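The following script is an added example and is not part of this article or the agent's own tooling. It wraps the openssl check above so the outcome can be used from automation or a deployment pre-flight: it reads the s_client output, maps the "Verify return code" line to an exit status (0 trusted, 1 verification error, 2 no handshake at all) and prints the leaf certificate's subject, issuer and expiry for the operator. <host> and <port> are the same placeholders as above; the -servername (SNI) flag and the function names are assumptions of this example. OpenSSL validates against its compiled-in default CA paths, which may differ from the store the agent selects at runtime, so the agent's own --verify-check remains the authoritative test.

```shell
#!/bin/sh
# Added example (not part of the IBM article): wraps the "openssl s_client" check
# above and turns its output into a pass/fail result, so the server chain can be
# validated against the endpoint's trust store before verification is enforced.
# <host>/<port> are the placeholders used in the article.

# Read s_client output on stdin, find the "Verify return code" line and map it to
# a shell status: 0 for "0 (ok)", 1 for any verification error, 2 when no such
# line is present (no TLS handshake, wrong port, connection refused).
verify_result() {
  line=$(grep -m1 'Verify return code' | sed 's/^ *//')
  code=$(printf '%s\n' "$line" | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p')
  case "$code" in
    0)  echo "OK: $line"; return 0 ;;
    "") echo "FAIL: no verify result (handshake did not complete?)"; return 2 ;;
    *)  echo "FAIL: $line"; return 1 ;;
  esac
}

# Connect to the Hive backend, print the leaf certificate's subject, issuer and
# expiry for the operator, then evaluate the verification outcome.
# -servername sends SNI so a name-based virtual host returns the right certificate.
check_hive_tls() {  # $1 = host, $2 = port
  out=$(echo | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null)
  printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate 2>/dev/null
  printf '%s\n' "$out" | verify_result
}

# Usage: check_hive_tls <host> <port>   e.g. check_hive_tls hive.example.com 4443
if [ $# -eq 2 ]; then check_hive_tls "$1" "$2"; fi
```

Distinguishing exit status 2 from 1 matters in practice: status 2 points at connectivity (firewall, wrong port, proxy), status 1 at the trust store, which is what the rest of this article addresses.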
Certificate installation
This section describes how to install certificates into the system certificate store according to the endpoint's OS.
- Windows
The Windows agent uses the Local Machine Certificate Store to verify the server certificate chain.
Assuming the complete EDR Hive backend certificate chain is available locally in “.pem” format, you can install it with the certutil tool from an administrator command prompt:
• certutil -Enterprise -addstore -f "Root" Certificate-n.pem
- Linux
In Linux, the certificate store is typically one of the following alternatives:
• a directory containing all the certificates in PEM format, with symbolic links following the structure given by c_rehash utility (see: openssl-rehash)
• a single bundle file containing all the trusted certificates
The location of the store and the procedure to install certificates depend on the actual Linux distribution. To support different configurations, the agent is able to locate the actual directory/file at runtime. The certificate store in use is logged at agent startup.
System Certificate Store
The following list documents the System Certificate Store locations supported by the Linux agent.
Files (certificate bundle files expected):
• /etc/ssl/certs/ca-certificates.crt (Ubuntu, Debian, and derivatives)
• /etc/pki/tls/certs/ca-bundle.crt (Red Hat, CentOS, Fedora, and derivatives)
• /etc/ssl/ca-bundle.pem (SUSE, OpenSUSE)
• /usr/local/share/ca-certificates/ca-bundle.crt (User-installed bundle)
• /etc/pki/tls/cacert.pem (Alternative path on Red Hat-based systems)
Directories (c_rehash-compatible symlink structure expected):
• /etc/ssl/certs (Ubuntu, Debian, derivatives, and most distributions)
• /etc/pki/tls/certs (Red Hat, CentOS, Fedora, and derivatives)
• /usr/local/share/ca-certificates (User-installed certificates on Ubuntu, Debian, and derivatives)
• /usr/share/ca-certificates (System CA certificates on Ubuntu, Debian, and derivatives)
To install the required certificates, follow the instructions provided by your Linux distribution and your organization's procedures. The following reference procedures have been validated by the EDR team. It is assumed that the whole EDR Hive backend certificate chain is available locally in “.crt” format.
In case of Debian-based machines (Debian 8, 9, 10, 11, 12, Ubuntu 16, 20, 22, 24), install the certificates using the following commands:
• sudo cp <Hive EDR Backend Certificates>.crt /usr/local/share/ca-certificates # copy required certificates in certificate store directory
• sudo update-ca-certificates
In case of Red Hat-based machines (Amazon Linux 2, CentOS 6, 7, 8, CentOS Stream 8, 9, Oracle Linux 7, 8, 9, Rocky Linux 8, 9, Red Hat Enterprise Linux 6, 7, 8, 9):
• sudo cp <Hive EDR Backend Certificates>.crt /etc/pki/ca-trust/source/anchors/ # copy required certificates in certificate store directory
• sudo update-ca-trust enable
• sudo update-ca-trust extract
In case of SUSE-based machines (OpenSUSE 15, SUSE 12, 15):
• sudo cp <Hive EDR Backend Certificates>.crt /etc/pki/trust/anchors/ # copy required certificates in certificate store directory
• sudo update-ca-certificates
- Mac OS
Manual Certificate Deployment
Assuming the whole EDR Hive backend certificate chain is available locally in “.pem” format:
• Go to the Keychain Access app on your Mac.
• Select the System keychain.
• Drag the certificates files onto the Keychain Access app.
• If you’re asked to provide a name and password, type the name and password for an administrator user on this computer.
• Explicitly grant trust for the certificates just installed by double-clicking on each of them.
• Next to Trust, click > to display the trust policies for the certificate.
• Set the certificate to “Always Trust”.
Certificate Deployment via MDM
Configure MDM policy with the "Certificate" Payload to deploy the root certificate.
Once the certificate payload is pushed to the device, the macOS endpoint automatically grants trust to the certificate for all relevant services (e.g. SSL/TLS) based on the profile's configuration.
Please check with your MDM vendor for details on deploying the CA and intermediate certificate chain to devices.
Certificate removal
This section describes how to remove certificates previously installed in the system certificate store, according to the endpoint's OS.
- Windows
To uninstall certificates from the system certificate store in Windows, you can use the certutil tool from an administrator command prompt. To list the currently installed certificates and find the right root certificate:
• certutil -enterprise -store Root
To remove certificates from the Trusted Root Certification Authorities:
• certutil -Enterprise -delstore "Root" "<cert subject CN>"
- Linux
In case of Debian-based machines (Debian 8, 9, 10, 11, 12, Ubuntu 16, 20, 22, 24) remove the certificates using the following commands:
• sudo rm /usr/local/share/ca-certificates/<Hive EDR Backend Certificates>.crt # remove certificates in certificate store directory
• sudo update-ca-certificates -f
In case of Red Hat-based machines (Amazon Linux 2, CentOS 6, 7, 8, CentOS Stream 8, 9, Oracle Linux 7, 8, 9, Rocky Linux 8, 9, Red Hat Enterprise Linux 6, 7, 8, 9):
• sudo rm /etc/pki/ca-trust/source/anchors/<Hive EDR Backend Certificates>.crt # remove certificates in certificate store directory
• sudo update-ca-trust enable
• sudo update-ca-trust extract
In case of SUSE based machines (OpenSUSE 15, SUSE 12, 15):
• sudo rm /etc/pki/trust/anchors/<Hive EDR Backend Certificates>.crt # remove certificates from the certificate store directory
• sudo update-ca-certificates -f
- Mac OS
Certificate Deployed manually
• Go to the Keychain Access app on your Mac.
• Find the certificates by selecting System (System keychain) and using the search bar to search for the certificate by name.
• Right-click the certificate and choose Delete. Confirm the deletion by entering your administrator password, if prompted.
• Optionally, but recommended, restart the endpoint to ensure any cached certificate settings are cleared.
Certificate deployed via MDM
Certificates deployed via MDM (Mobile Device Management) are managed and controlled by the MDM profile. At a high level you are expected to:
• Remove the CA root and intermediate certificates from the MDM policy: identify the policy applied to the device and remove the configured trust certificates from it, using the MDM solution your enterprise uses to manage the macOS endpoint.
• Re-distribute the policy to enforce the removal of the certificates from the device.
For additional details on removing deployed root and intermediate certificates from devices, contact your MDM solution vendor.
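The script below is an added example, not IBM's tooling, and serves both the Linux "Certificate installation" and "Certificate removal" procedures above. It picks the anchor directory and update command for the running distribution from /etc/os-release, using exactly the per-family directories and commands the article lists, refuses to copy anything that is not a parseable PEM certificate, and rebuilds the store afterwards (with -f on removal, as the article does). The os-release mapping, the PEM pre-check and all function names are assumptions of this example; run it as root.

```shell
#!/bin/sh
# Added example (not IBM's tooling): one script for the Linux certificate
# installation and removal procedures in this article. The anchor directories
# and update commands are the ones the article lists per distribution family;
# the os-release mapping, the PEM pre-check and the function names are my own.
# Run as root, e.g.:  ./hive_ca.sh install chain-1.crt chain-2.crt

# Map os-release ID / ID_LIKE to the family whose procedure applies.
ca_family() {  # $1 = ID, $2 = ID_LIKE (may be empty); prints debian|redhat|suse
  case " $1 ${2:-} " in
    *" debian "*|*" ubuntu "*) echo debian ;;
    *" rhel "*|*" centos "*|*" fedora "*|*" amzn "*|*" ol "*|*" rocky "*) echo redhat ;;
    *" sles "*|*" suse "*|*" opensuse"*) echo suse ;;
    *) echo "unsupported distribution: ${1:-?}" >&2; return 1 ;;
  esac
}

# Directory the distribution's CA tooling scans for locally added anchors.
# (Debian's update-ca-certificates only picks up files ending in .crt.)
anchor_dir() {
  case "$1" in
    debian) echo /usr/local/share/ca-certificates ;;
    redhat) echo /etc/pki/ca-trust/source/anchors ;;
    suse)   echo /etc/pki/trust/anchors ;;
  esac
}

# Rebuild the system bundle. On removal, -f (fresh) forces a full rebuild so the
# dropped anchor does not linger in the generated bundle.
update_store() {  # $1 = family, $2 = install|remove
  case "$1" in
    redhat)      update-ca-trust enable && update-ca-trust extract ;;
    debian|suse) if [ "$2" = remove ]; then update-ca-certificates -f; else update-ca-certificates; fi ;;
  esac
}

detect_family() {
  . /etc/os-release            # defines ID and ID_LIKE
  ca_family "${ID:-}" "${ID_LIKE:-}"
}

hive_ca() {  # $1 = install|remove, remaining args = chain files (.crt)
  action=$1; shift
  family=$(detect_family) || return 1
  dir=$(anchor_dir "$family")
  for f in "$@"; do
    case "$action" in
      install)
        # Refuse anything that is not a parseable PEM certificate before it lands in the store.
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || { echo "$f: not a PEM certificate" >&2; return 1; }
        cp "$f" "$dir/" ;;
      remove)
        rm -f "$dir/$(basename "$f")" ;;
      *) echo "usage: hive_ca install|remove <cert.crt>..." >&2; return 2 ;;
    esac
  done
  update_store "$family" "$action"
}

case "${1:-}" in install|remove) hive_ca "$@" ;; esac
```

After either action, re-run the agent's --verify-check (or the openssl check from the "Certificate check" section) to confirm the store now produces the expected result before touching the enforcement setting.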
Certificate verification enablement
This section describes how to enable certificate verification based on your endpoint's OS. By default, certificate verification is expected to be disabled in the following cases:
- On agents that were originally installed at a version earlier than the following and later updated:
  - Windows v3.12.5
  - Linux v0.91.0
  - macOS v1.2.0
- On agents installed using the --no-verify flag
- Windows
Make sure the connection with the currently configured EDR Hive backend can be verified, see Certificate Check section.
Assuming the Windows Agent protected uninstall is disabled, run the following commands from an administrator command prompt:
• "C:\Program Files\ReaQta\keeper.exe" --enforce-verify
• sc.exe stop keeper
• sc.exe start keeper
- Linux
Please make sure the connection with the currently configured EDR Hive backend can be verified, see Certificate Check section.
Issue the following commands from a shell:
• sudo systemctl stop keeperx
• sudo /etc/reaqtahive.d/keeperx --enforce-verify
• sudo systemctl start keeperx
When running on CentOS 6, use instead:
• sudo service keeperx stop
• sudo /etc/reaqtahive.d/keeperx --enforce-verify
• sudo service keeperx start
- Mac OS
Make sure the connection with the currently configured EDR Hive backend can be verified, see Certificate Check section.
Issue the following commands from a shell:
• sudo /bin/launchctl unload /Library/LaunchDaemons/com.ibm.security.reaqta.plist
• sudo /Library/IBM\ Security\ ReaQta/keeperi --enforce-verify
• sudo /bin/launchctl load /Library/LaunchDaemons/com.ibm.security.reaqta.plist
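The following script is an added example, not IBM's tooling, for the Linux enablement sequence above. It runs the agent's own --verify-check first and only then performs the stop, --enforce-verify, start sequence, so enforcement is never switched on against a chain the endpoint cannot validate; it also selects systemctl or the SysV service command (CentOS 6), which take their arguments in opposite order. The binary path and service name are the article's; the KEEPERX, SERVICE, INIT_SYSTEM and DRY_RUN variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM's tooling): runs the Linux enablement sequence above
# (stop agent, --enforce-verify, start agent) only after the agent's own
# --verify-check has passed, so enforcement is never switched on against a
# chain the endpoint cannot validate. The binary path and service name are the
# article's; KEEPERX, SERVICE, INIT_SYSTEM and DRY_RUN overrides are my own.

KEEPERX="${KEEPERX:-/etc/reaqtahive.d/keeperx}"
SERVICE="${SERVICE:-keeperx}"

# systemd where systemctl exists, SysV "service" otherwise (CentOS 6).
init_system() {
  if [ -n "${INIT_SYSTEM:-}" ]; then echo "$INIT_SYSTEM"
  elif command -v systemctl >/dev/null 2>&1; then echo systemd
  else echo sysv
  fi
}

# Build the agent control command. Note the argument order: systemctl takes the
# action before the unit name, service takes the service name before the action.
svc_cmd() {  # $1 = stop|start
  case "$(init_system)" in
    systemd) echo "systemctl $1 $SERVICE" ;;
    sysv)    echo "service $SERVICE $1" ;;
  esac
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; return 0; fi
  "$@"
}

enable_verification() {
  if ! "$KEEPERX" --verify-check; then
    echo "verify-check failed: fix the trust store first; verification stays disabled" >&2
    return 1
  fi
  # shellcheck disable=SC2046  # word splitting of the command string is intended
  run $(svc_cmd stop) &&
    run "$KEEPERX" --enforce-verify &&
    run $(svc_cmd start)
}

# Usage: sudo ./enable_verify.sh enable      (DRY_RUN=1 to preview the commands)
if [ "${1:-}" = enable ]; then enable_verification; fi
```

Running it with DRY_RUN=1 first shows the exact commands that would be issued on the host, which is a cheap way to confirm the init-system detection before a fleet-wide rollout.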
Installation with disabled verification
In case of verification issues during installation, you can install the agent with certificate verification completely disabled using a configuration option. Below are instructions based on your endpoint's OS:
- Windows
During the initial deployment of the EDR agent via the MSI installer, make sure to pass the “--no-verify” option as part of the EDR Hive details parameters.
- Linux
During the initial deployment of the EDR agent, when installing the Linux packages, make sure to pass the “--no-verify” option as part of the EDR Hive details parameters.
Example for Debian-based endpoints:
• sudo RQTPARAMS="https://<URL> --no-verify" dpkg -i <installer>.deb
Example for RPM-based endpoints:
• sudo RQTPARAMS="https://<URL> --no-verify" rpm -i <installer>.rpm
- Mac OS
During the initial deployment of the EDR agent via the installation wizard, make sure to pass the “--no-verify” option as part of the EDR Hive details parameters.
Document Location
Worldwide
Product Synonym
ReaQta
Document Information
Modified date:
08 April 2025
UID
ibm17214666