000030844 - RSA Authentication Manager 8.1 SP1 self-signed certificate may contain a non-complying negative serial number

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 17, 2017.

Article Content

Article Number: 000030844
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
 
Issue: A customer reported that after rebuilding their RSA SecurID appliances and patching to Authentication Manager 8.1 SP1 P3:
  • A certificate error was displayed when using their PostgreSQL scripts.
  • The RSA appliance had a certificate with a negative serial number.
  • Their PostgreSQL database scripting tool could not initially import this certificate and then use it to build an SSL connection to Authentication Manager 8.1 SP1.
 
Cause: From JIRA defect AM-29318 (RSA Authentication Manager 8.1 SP1 does not check if self-signed Certificate has a Negative SN):

Description

An RSA Authentication Manager 8.1 SP1 deployment generates self-signed certificates, e.g. RSAAMTrustedRootSSLCA.crt, that may show with a positive SN in the Microsoft Cert utility and when imported into the Authentication Manager 8.1 SP1 Operations Console, but the same certificate will show with a negative SN if imported into the SSL site http://ssltools.com/certificate_decode or in openssl:
rsaadmin@g:/opt/rsa/am/utils> openssl x509 -in RSAAMTrustedRootSSLCA.crt -serial 
serial= -3FA515F4FF1261C25E2D8BA1B65BF2D4

A remote PostgreSQL DB application, DBVisualiser, likewise reports the certificate as having a negative SN. This was not a problem in Authentication Manager 8.0; it appears only after the upgrade to Authentication Manager 8.1 SP1.
 
Resolution: RSA Engineering currently considers this FAD (Functions as Designed).
See section 4.1.2.2 (Serial Number) of RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile:

The serial number MUST be a positive integer assigned by the CA to each certificate.  It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).  CAs MUST force the serialNumber to be a non-negative integer.
Given the uniqueness requirements above, serial numbers can be expected to contain long integers.  Certificate users MUST be able to handle serialNumber values up to 20 octets.  Conforming CAs MUST NOT use serialNumber values longer than 20 octets.
Note: Non-conforming CAs may issue certificates with serial numbers that are negative or zero.  Certificate users SHOULD be prepared to gracefully handle such certificates.
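The reason the same certificate reads as positive in one tool and negative in another is that a DER INTEGER is two's complement: a 16-octet serial whose first octet has the high bit set is negative to a conforming decoder (openssl), while a viewer that treats the octets as an unsigned number shows it as positive. The checker below is an added example, not RSA's or the RFC's code; it walks a DER certificate to the serialNumber, applies the RFC 5280 4.1.2.2 rules, and shows the conforming encoding of the same value. The 16 serial octets are reconstructed from the openssl output above (the two's complement of -3FA5...D4) and the certificate fragment around them is constructed; the real RSAAMTrustedRootSSLCA.crt bytes are not on this page.

```python
from typing import Tuple

def read_tlv(der: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER element at pos; return (tag, contents, position after it)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def serial_from_cert(cert_der: bytes) -> bytes:
    """Return the raw serialNumber INTEGER contents of a DER-encoded certificate."""
    _, cert, _ = read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = read_tlv(cert, 0)           # TBSCertificate ::= SEQUENCE { [0] version, serialNumber, ... }
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                         # EXPLICIT [0] version is present; the serial is next
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    return val

def check_serial(raw: bytes) -> dict:
    """RFC 5280 4.1.2.2: serial must be positive and at most 20 octets. Reports both readings."""
    signed = int.from_bytes(raw, "big", signed=True)   # X.690 INTEGER is two's complement (openssl's view)
    unsigned = int.from_bytes(raw, "big")              # what a viewer that ignores the sign bit displays
    return {"signed": signed, "unsigned": unsigned,
            "conforming": signed > 0 and len(raw) <= 20}

def encode_positive_serial(value: int) -> bytes:
    """INTEGER contents for a positive value: prepend 0x00 when the top bit would read as a sign."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw

# Constructed minimal certificate fragment: v3 version followed by the serial. The serial
# octets are the two's complement of the page's openssl value; they are a reconstruction,
# not the bytes of the actual RSAAMTrustedRootSSLCA.crt.
SERIAL_RAW = bytes.fromhex("C05AEA0B00ED9E3DA1D2745E49A40D2C")
_version = bytes([0xA0, 0x03, 0x02, 0x01, 0x02])
_serial = bytes([0x02, len(SERIAL_RAW)]) + SERIAL_RAW
_tbs = bytes([0x30, len(_version) + len(_serial)]) + _version + _serial
CERT_FRAGMENT = bytes([0x30, len(_tbs)]) + _tbs

if __name__ == "__main__":
    report = check_serial(serial_from_cert(CERT_FRAGMENT))
    print(f"serial={report['signed']:X} unsigned_view={report['unsigned']:X} conforming={report['conforming']}")
    fixed = encode_positive_serial(report["unsigned"])
    print(f"conforming encoding of the same value: {fixed.hex().upper()} ({len(fixed)} octets)")
```

Run against a real certificate with `serial_from_cert(open("cert.der", "rb").read())`; a result with `conforming` False is one that strict decoders such as the customer's PostgreSQL tooling may reject.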
Workaround: This customer configured their PostgreSQL scripting tool (the PostgreSQL DB application DBVisualiser) to accept a certificate with a negative serial number.
Another workaround is to replace the console certificates with those from a CA of their choice.
Engineering may address this in Authentication Manager 8.2.
