000027752 - How to Change or replace Authentication Manager 7.1 default SSL identity certificates

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000027752
Applies To: Authentication Manager 7.1 Windows or Linux RHEL
RSA Appliance 3.0.4 or later
rsautil manage-ssl-certificate --config-server --alias
rsautil manage-ssl-certificate --genkey

Background:

This two-phase process uses two files.  Phase 1 (steps 1-4) requests a certificate; its output is a request file, called cs-appliance3-03req.txt in this example.

This file is delivered to a Certificate Signing Authority, either a global one like VeriSign or your own company's Certificate Server group.

Phase 2 of this process (steps 5-7) begins when the CA root signing authority delivers its response, which should consist of at least two files:

     1. The root certificate from the CA that signed your cert, which we have called root.txt in this example.

     2. The certificate for your server or appliance, which we have called caresponse.txt in this example.

     3. Optionally, intermediate CA certificates, if there is a chain of trust from the root CA down to your server cert.

This means that root.txt would be a file delivered back to you from the Certificate Authority (either global like Thawte or VeriSign, or local like your own Microsoft Certificate Server).  Anybody can generate a cert; the real value of a certificate lies in the authority of the signing CA.  In most companies a self-signed certificate from your own Microsoft Certificate Server (or RSA KEON Certificate Server) is probably valid enough within your company to identify people or servers.  When dealing with secure email from the Department of Defense, the same process is applied, but in this case VeriSign is chartered by the DoD to sign valid certificate requests from DoD personnel and contractors, and identity verification is a tad bit stricter.

Customer Support Training module, CSTM videos on cert replacement and other topics; copy and paste this link into your browser:
https://knowledge.rsasecurity.com/scolcms/set.aspx?id=9488

Issue: How to change or replace Authentication Manager 7.1 default certs
How do I change Authentication Manager 7.1 certs to my own certs?
Change certs in Authentication Manager 7.1
Command failed due to the following error: Invalid server name(s) specified.

rsautil manage-ssl-certificate --config-server --alias rsa1 --keypass [I'm using the Identity Certificate Key Store Password] --server-name rsa1.rsa.com
Please enter master-password.: **************
Key [com.rsa.ssl.id.store.password] is not defined
Please enter storepass.: **********
Command failed due to the following error:
Invalid server name(s) specified.


 

Key [com.rsa.ssl.id.store.password] is not defined
Please enter storepass.:
The above entry just hangs with any value entered into the storepass:


There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Continue to this website (not recommended).

Public Keys in reply and keystore don't match - seen during the Step 6 import.  This means either your alias is spelled wrong, or you ran the genkey command (Step 3) again after you sent your certificate request (CSR) to the CA, so the keystore now holds a different key pair from the one the CA signed.
An expired certificate typically fails with: <Warning> <Security> <BEA-090479> <Certificate chain received from <ServerFQDN> - <Server IP address> failed date validity checks.>

Unable to connect to the server: remoteaccessadmin.wsdot.loc:7006 

Command failed. Exit code: 0
 

 
Resolution

(this is from an updated Rob Duggan cheat sheet)


 


Variables:

RSA Server/Appliance name is cs-appliance3-03.na.rsa.net

Master password = <MasterPassword>

keypass that I chose = <CreatedKeyPass>                     (This is the private key password for the key you generate in Step 3)

Alias I chose for my appliance certificate = appliancecert

Alias I chose for my root certificate = cs-support-root

Step 1:

./rsautil manage-secrets --action get com.rsa.identity.store

Prompted for master password: <MasterPassword>

com.rsa.identity.store: qUdbSlsh48

Step 2:

./rsautil manage-secrets --action get com.rsa.root.store

com.rsa.root.store: Iz47CyelaR

Step 3:

./rsautil manage-ssl-certificate --genkey --alias appliancecert --dname "cn=cs-appliance3-03.na.rsa.net,OU=Support,OU=na,O=rsa,O=net,C=US" --keystore ../server/security/cs-appliance3-03.jks

Please enter master password: <MasterPassword>

Key [com.rsa.ssl.id.store.password] is not defined  [Note: this means you did not supply the Step 1 password on the command line, so you are prompted for it next]

Please enter Storepass: qUdbSlsh48                  (This is the password for com.rsa.identity.store that you retrieved in Step 1)

Prompted for keypass: <CreatedKeyPass>

Step 4:

./rsautil manage-ssl-certificate --certreq --alias appliancecert --keystore ../server/security/cs-appliance3-03.jks --csr-file /tmp/cs-appliance3-03req.txt

Prompted for master password: <MasterPassword>

Key [com.rsa.ssl.id.store.password] is not defined  [Note: this means you did not supply the Step 1 password on the command line, so you are prompted for it next]

Please enter Storepass: qUdbSlsh48

Prompted for keystore password: qUdbSlsh48

Send cs-appliance3-03req.txt to your CA.  You must request a SHA-1 certificate only.  Inform the CA that it is best NOT to include any extended key usage fields marked Critical, as this can affect server restart.  When the response comes back, continue to Step 5.

Step 5:

./rsautil manage-ssl-certificate --import --alias cs-support-root --cert-file /tmp/root.txt --keystore ../server/security/cs-appliance3-03.jks

Prompted for master password: <MasterPassword>

Prompted for keystore password: qUdbSlsh48

./rsautil manage-ssl-certificate --import --trustcacerts --alias cs-support-root --cert-file /tmp/root.txt --keystore ../server/security/root.jks

Prompted for master password: <MasterPassword>

Prompted for keystore password: Iz47CyelaR

./rsautil manage-ssl-certificate --import --trustcacerts --alias cs-support-root --cert-file /tmp/root.txt --keystore ../appserver/jdk/jre/lib/security/cacerts

Prompted for master password: <MasterPassword>

Prompted for keystore password: changeit            <changeit is literal; it is the standard default password on the cacerts file>

Step 6:

./rsautil manage-ssl-certificate --import --alias appliancecert --cert-file /tmp/caresponse.txt --keystore ../server/security/cs-appliance3-03.jks

Prompted for master password: <MasterPassword>

Prompted for keystore password: qUdbSlsh48

Step 7:

./rsautil manage-ssl-certificate --config-server --alias appliancecert --keystore ../server/security/cs-appliance3-03.jks --server-name AdminServer

Prompted for master password: <MasterPassword>

Prompted for keystore password: qUdbSlsh48

./rsautil manage-ssl-certificate --config-server --alias appliancecert --keystore ../server/security/cs-appliance3-03.jks --server-name proxy_server

Prompted for master password: <MasterPassword>

Prompted for keystore password: qUdbSlsh48

./rsautil manage-ssl-certificate --config-server --alias appliancecert --keystore ../server/security/cs-appliance3-03.jks --server-name cs-appliance3-03_server

Prompted for master password: <MasterPassword>

Prompted for keystore password: qUdbSlsh48

*NOTE*  Step 5 needs to be repeated on every replica appliance, for the root and any subordinate (intermediate) signers.

Step 1: This queries the password for the cs-appliance3-03.jks file under server/security; replace cs-appliance3-03 with the short name of your 3.0.4 Appliance or AM 7.1 Server.

Step 2: This queries the password for the root.jks file under server/security.

Step 3: This generates a private/public key pair.  Prior to SP3 this was a 1024-bit key; in SP3 and higher it is a 2048-bit key.

Step 4: This creates a certificate request (PKCS10) that you send to your certificate authority to have it signed.

Step 5: This imports the root certificate into cs-appliance3-03.jks, root.jks, and the cacerts file.  This step needs to be repeated for each intermediate CA certificate if an intermediate, rather than the root, signed the appliance certificate.

Step 6: This imports the signed certificate response (PKCS7) that you receive from the CA.

Step 7: This adds the appliancecert alias and the encrypted keypass into config.xml for the AdminServer, proxy_server, and cs-appliance3-03_server instances.
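Two of the failures listed under Issue (the public key in the reply not matching, and a chain that fails date validity checks) and the Step 4 advice about extended key usage marked Critical can all be caught before anything is imported in Step 6.  The script below is an added example written for this article; it is not part of the RSA documentation or of rsautil.  It uses only the Python standard library: it reads the PEM PKCS#10 request from Step 4 and the CA response, and with a minimal DER reader compares the SubjectPublicKeyInfo of the two, checks the validity window against the clock, and flags an extendedKeyUsage extension marked critical.  It assumes the response is a single PEM X.509 certificate (unpack a PKCS#7 bundle to the end-entity certificate first).  The CSR, certificates and key bytes it builds for its four scenarios are constructed placeholders with filler key material and dummy signatures, not real keys.

```python
# Added example (not from the RSA article or rsautil): sanity-check a CA response before the Step 6 import.
# Assumes the CSR is the PEM PKCS#10 file from Step 4 and the response is one PEM X.509 certificate.
import base64
import re
from datetime import datetime, timezone

EKU_OID = bytes.fromhex("0603551d25")  # DER-encoded OID 2.5.29.37 (id-ce-extKeyUsage)

def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem_text).split()))

def der_children(data):
    """Split the body of a DER SEQUENCE/SET into (tag, whole_tlv, value) tuples."""
    items, i = [], 0
    while i < len(data):
        tag, length, j = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, j = int.from_bytes(data[j:j + n], "big"), j + n
        items.append((tag, data[i:j + length], data[j:j + length]))
        i = j + length
    return items

def first_body(data):
    """Value of the first TLV in data, e.g. the body of an outer SEQUENCE."""
    return der_children(data)[0][2]

def der_time(item):
    """Decode a UTCTime (0x17) or GeneralizedTime (0x18) field to an aware datetime."""
    tag, _, value = item
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_csr(der):
    """Return the SubjectPublicKeyInfo TLV from a PKCS#10 request."""
    cri = first_body(first_body(der))  # certificationRequestInfo
    return der_children(cri)[2][1]     # version, subject, subjectPKInfo, attributes

def parse_certificate(der):
    """Return (spki_tlv, not_before, not_after, extension_wrappers) from an X.509 certificate."""
    fields = der_children(first_body(first_body(der)))  # tbsCertificate fields
    if fields[0][0] == 0xA0:  # explicit [0] version is present in v2/v3 certificates
        fields = fields[1:]
    validity = der_children(fields[3][2])  # serial, sigAlg, issuer, validity, subject, spki, ...
    return fields[5][1], der_time(validity[0]), der_time(validity[1]), [f for f in fields[6:] if f[0] == 0xA3]

def has_critical_eku(ext_wrappers):
    """True if an extendedKeyUsage extension is flagged critical (the Step 4 warning)."""
    for _, _, ext_seq in ext_wrappers:
        for _, _, ext in der_children(first_body(ext_seq)):
            parts = der_children(ext)  # extnID, optional critical BOOLEAN, extnValue
            if parts[0][1] == EKU_OID and any(t == 0x01 and v == b"\xff" for t, _, v in parts):
                return True
    return False

def check_ca_response(csr_pem, cert_pem, now=None):
    """Return a list of problems; an empty list means the response is safe to import in Step 6."""
    now = now or datetime.now(timezone.utc)
    csr_spki = parse_csr(pem_to_der(csr_pem))
    cert_spki, not_before, not_after, exts = parse_certificate(pem_to_der(cert_pem))
    problems = []
    if csr_spki != cert_spki:
        problems.append("public key in reply does not match the CSR")
    if not not_before <= now <= not_after:
        problems.append("certificate fails date validity checks")
    if has_critical_eku(exts):
        problems.append("extendedKeyUsage is marked critical")
    return problems

# --- constructed sample inputs: filler key bytes and dummy signatures, not real key material ---
def tlv(tag, content):
    """Tiny DER encoder used only to build the samples below."""
    n, nbytes = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content

def pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

RSA_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))  # rsaEncryption, NULL
NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"cs-appliance3-03.na.rsa.net"))))
SIG = RSA_ALG + tlv(0x03, b"\x00" * 9)  # dummy signature field; nothing here verifies signatures
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the scenarios are reproducible

def sample_spki(seed):
    return tlv(0x30, RSA_ALG + tlv(0x03, b"\x00" + bytes([seed]) * 32))  # filler "key" bits

def sample_csr(spki):
    cri = tlv(0x30, tlv(0x02, b"\x00") + NAME + spki + tlv(0xA0, b""))
    return pem("CERTIFICATE REQUEST", tlv(0x30, cri + SIG))

def sample_cert(spki, not_before, not_after, critical_eku=False):
    validity = tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode()))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + RSA_ALG + NAME + validity + NAME + spki
    if critical_eku:  # extKeyUsage = serverAuth with critical TRUE
        eku = EKU_OID + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070301"))))
        tbs += tlv(0xA3, tlv(0x30, tlv(0x30, eku)))
    return pem("CERTIFICATE", tlv(0x30, tlv(0x30, tbs) + SIG))

def run_scenarios():
    """Run the checks over four constructed CSR/response pairs; returns {name: problems}."""
    key, csr, ok = sample_spki(0x42), sample_csr(sample_spki(0x42)), ("240101000000Z", "270101000000Z")
    return {
        "good": check_ca_response(csr, sample_cert(key, *ok), SAMPLE_NOW),
        "wrong_key": check_ca_response(csr, sample_cert(sample_spki(0x43), *ok), SAMPLE_NOW),
        "expired": check_ca_response(csr, sample_cert(key, "230101000000Z", "240101000000Z"), SAMPLE_NOW),
        "critical_eku": check_ca_response(csr, sample_cert(key, *ok, critical_eku=True), SAMPLE_NOW),
    }

if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(f"{name}: {problems or 'OK to import'}")
```

To check a real pair, pass the file contents, for example check_ca_response(open("/tmp/cs-appliance3-03req.txt").read(), open("/tmp/caresponse.txt").read()).  If the reply matches the CSR file you sent but rsautil still reports "Public Keys in reply and keystore don't match" at Step 6, the CA response is not the problem: the keystore key has changed since Step 4 (genkey was re-run) or the alias is wrong.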


To revert to your original installation certificate, follow KB article a45048.

Notes

Backup: Even uglier

http://blog.ejbca.org/2008/02/converting-keystores-between-jks-and.html

JKS -> P12
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12
P12 -> JKS
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

Ballpark:

You would delete all entries in the JKS except for the server certificate and the trusted root and intermediate CAs, if there are any.

Then export the JKS to a PKCS12.

Then import the PKCS12 into your new server, which has the same hostname.

You may need to run the command rsautil manage-secrets -a set to set the custom SSL private key passphrase (the password for the private key created by the genkey command in Step 3).

Run the commands for config-server in our certificate replacement documentation.

See the article "Authentication Manager Console certificate error in Internet Explorer" to resolve the RSA default certificate error in IE.
Legacy Article ID: a44880
