Troubleshooting
Problem
Administrators who install custom SSL certificates on the QRadar Console can use this article to troubleshoot and verify common certificate issues.
Symptom
The Custom SSL Certificate not verifying correctly can cause user interface outages, communication issues between appliances, or issues where applications cannot communicate by using the API.
Diagnosing The Problem
Log in to the QRadar Console and at the SSH command-line run:
openssl verify -CAfile /etc/pki/tls/cert.pem /etc/httpd/conf/certs/cert.cert
Resolving The Problem
Reverting custom SSL certifications to default QRadar self-signed certificates
If you are having issues with a custom SSL certificate, you can revert to the Default QRadar Self-Signed certificate to use the steps provided to resolve your issues.
Note: As an option, you can revert to the default QRadar self-signed certificate as you investigate the issue. After the problem is resolved, you can then revert to the Customer SSL Certificates. For more information, see Revert to using a self-signed certificate.
Note: As an option, you can revert to the default QRadar self-signed certificate as you investigate the issue. After the problem is resolved, you can then revert to the Customer SSL Certificates. For more information, see Revert to using a self-signed certificate.
If you choose not to revert to the default QRadar self-signed certificate, continue with these steps in the technical note.
Read SSL certificate
From the SSH command line, type:
openssl x509 -in /etc/httpd/conf/certs/cert.cert -text -noout
Note: All the certificate information is displayed.Unable to Get Issuer Certificate
- From the SSH command-line run:
Output if there is a missing member of the Chain:openssl verify -CAfile /etc/pki/tls/cert.pem /etc/httpd/conf/certs/cert.cert/etc/httpd/conf/certs/cert.cert /etc/httpd/conf/certs/cert.cert: DC = <info>, DC = <info>, CN = <Subject of the previous member of the certificate chain>error 20 at 1 depth lookup:unable to get issuer certificate - Review the directory by running the command:
If the CA's root certificate or intermediate certificate (if applicable) is not present, then copy the CA's root certificate and intermediate certificate (if applicable) provided by your certificate authority to the /etc/pki/ca-trust/source/anchors directory on the Console. If there is an App host in the environment, copy the files to the App host also.ls -l /etc/pki/ca-trust/source/anchors/
Note: The certificate must have a.cert, .crt, .pem, or .derfile extension.
- (Optional). If you are using an internal CA, you must update the CA trust by running the command with the SSH command line:
update-ca-trustFor more information, see Using certificates that are signed by an internal certificate authority.
- If the CA's root certificate and intermediate certificate (if applicable) is not present and you do not have these files, you must contact your certificate authority to provide the files and upload them to the /etc/pki/ca-trust/source/anchors directory on the Console and the App Host appliance, if you use an App Host in your deployment.
- Confirm that the certificate is now verifying correctly by running the command:
The output of the command when the certificate verifies correctly:openssl verify -CAfile /etc/pki/tls/cert.pem /etc/httpd/conf/certs/cert.cert/etc/httpd/conf/certs/cert.cert: OK - After the certificate is verified, restart the docker service on the Console or the App Host appliance:
systemctl restart docker - Extract the certificate
- To extract a PCKS7 certificate:
- Navigate to the folder where the pkcs7 resides.
- To extract the certificate, run the command:
openssl pkcs7 -in certificate.p7b -inform PEM -print_certs -outform PEM -out /etc/pki/ca-trust/source/anchors/chain_certificate.pem - Copy the certificate to a safe location.
- To Extract a PCKS12 certificate:
- Navigate to the folder where the .pfx certificate file resides.
- To extract the certificate, run the command:
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out /etc/pki/ca-trust/source/anchors/certificate.crt - Copy the certificate to a safe location.
- To extract a PCKS7 certificate:
Invalid Subject within SSL certificate
- Run the command:
Output if there is an invalid subject within the SSL certificate:/opt/qradar/support/recon psUnable to communicate with API. Received error: An API error occurred. The API returned the error: Get https://<Console FQDN>/api/gui_app_framework/applications: x509: certificate is valid for <Subject within SSL certificate and alternate names (if applicable)> not <Console FQDN> - Confirm the Console FQDN:
The output displays the subject that verifies the certificate:openssl x509 -in /etc/httpd/conf/certs/cert.cert -text -noout | grep -i cn | grep SubjectSubject: CN=<FQDN the certificate verifies> - Confirm the FQDN of the Console:
Or/opt/qradar/bin/myver -vh
grep -i fqdn /opt/qradar/conf/nva.conf
Output showing the Console FQDN:CONSOLE_FQDN=<Console FQDN> - Resolving FQDN and Subject inconsistency.
- Contact your certificate authority (Recommended)
We recommend that you contact your certificate authority and request a new certificate with the "Subject: CN" that corresponds to the Console FQDN. You must then replace the current invalid SSL certificate with the newly acquired correct SSL certificate. For more information, see Installing a new SSL certificate.
- Create a Multi-Domain (SAN) SSL certificate. If you are required to access the Console from an alternate Domain, then you can create a SAN SSL certificate.
Note: Multi-Domain SSL certificates are only applicable for Public Domains if you are using a public certificate authority, a Public certificate authority cannot sign a nonpublic Domain. For example, .local
For more information, see Creating a multi-domain (SAN) SSL certificate signing request.
- Change console FQDN to correspond to the SSL certificate.
Note: Changing the FQDN requires running the qchange_netsetup at the remote console command line. You need to remove all Managed Hosts from the deployment. Before the administrator runs the qchange_netsetup command, they also have to uninstall High Availability from the Console, or any Managed Hosts. For more information, see Changing the network settings in an all-in-one system.
- Contact your certificate authority (Recommended)
Expired Certificate
- From the SSH command-line run:
Example output,openssl verify -CAfile /etc/pki/tls/cert.pem /etc/httpd/conf/certs/cert.cert/etc/httpd/conf/certs/cert.cert: C = <info>, O = <info>, CN = <Subject of the previous member of the chain> error 10 at 0 depth lookup:certificate has expired - To confirm the expiration of the certificate, type
Example output,openssl x509 -in /etc/httpd/conf/certs/cert.cert -text -noout | grep -A2 ValidityValidity Not Before: <Certificate issue date> Not After: <Certificate expiration date>
Note: If you installed an Intermediate Certificate, you need to confirm the expiration for the intermediate file too.
- Resolution for an expired certificate.
You need to contact your certificate authority and request a new certificate bundle. Then, install the new certificate chain. For more information, see Installing a new SSL certificate.
- To test the validity of the certificates, use the command:
/opt/qradar/ca/bin/verify-qradar-ca.sh --testVerify root CA has been created properly ... YES Verify intermediate CA has been created properly ... YES Verify appropriate CA and CRL is presented for download ... YES Verify the CA setup state is completed ... YES Final Result: 4 tests with 4 success and 0 failed
Fixing the certificate security browser warning
To fix a browser warning that the QRadar® security certificate is not valid or not secure, you can download a certificate from the issuing URL and import it into your browser.
Procedure:
- Download the certificate authority (CA) content from the QRadar server:
- Download the root CA
http://<QRadarConsoleName_OR_hostIP>:9381/root-qradar-ca_ca.crt - Download the intermediate CA
http://<QRadarConsoleName_OR_hostIP>:9381/intermediate-qradar-ca_ca.crt
Note: insert the correct server name, or IP, for the
<QRadarConsoleName_OR_hostIP>. - Download the root CA
- Copy the CA files to your local computer.
- Log out of QRadar.
- Import the CA into your browser by using the appropriate method for your browser:
Firefox
Chrome
Edge - Close and then restart the browser.
- Log in to QRadar.
Result
The browser no longer displays the security warning. When you click the lock icon next to URL, it says connection secure.
Related Information
Document Location
Worldwide
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
29 June 2023
UID
ibm16221256