|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
|Issue||A customer reported that after rebuilding their RSA SecurID appliances and patching to Authentication Manager 8.1 SP1 P3 that:|
|Cause||From JIRA defect AM-29318 (RSA Authentication Manager 8.1 SP1 does not check if self-signed Certificate has a Negative SN):|
An RSA Authentication Manager 8.1 SP1 deployment generates self-signed certificates, e.g. RSAAMTrustedRootSSLCA.crt, that may show with a positive SN in the Microsoft Cert utility and when imported into the Authentication Manager 8.1 SP1 Operations Console, but the same certificate will show with a negative SN if imported into the SSL site http://ssltools.com/certificate_decode or in openssl:
rsaadmin@g:/opt/rsa/am/utils> openssl x509 -in RSAAMTrustedRootSSLCA.crt -serial
A remote PostgreSQL DB application called DBVisualiser, will come up as having a negative SN. This was not a problem in Authentication Manager 8.0, only after upgrade to Authentication Manager 8.1 SP1.
|Resolution||RSA Engineering currently considers this FAD (Functions as Designed).|
See section 18.104.22.168 on serial numbers in RFC-5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i. e., the issuer name and serial number identify a unique certificate). CAs MUST force the serialNumber to be a non-negative integer.
Given the uniqueness requirements above, serial numbers can be expected to contain long integers. Certificate users MUST be able to handle serialNumber values up to 20 octets. Conforming CAs MUST NOT use serialNumber values longer than 20 octets.
Note: Non-conforming CAs may issue certificates with serial numbers that are negative or zero. Certificate users SHOULD be prepared to gracefully handle such certificates.
|Workaround||This customer configured their PostgreSQL scripting tool, PostgreSQL DB application called DBVisualiser, to accept a certificate with a negative serial number|
A workaround could be to replace the console certificates with those from a CA of their choice.
Engineering may address this in Authentication Manager 8.2