000032627 - How to export RSA Authentication Manager 8.0 and 8.1 Web Tier Virtual Host Key Pair to a PFX file

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Sep 4, 2017.
Version 5

Article Content

Article Number: 000032627
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: SecurID Appliance
RSA Version/Condition: 8.0, 8.1
Platform (Other): Web Tier Virtual Host
 
Issue

An administrator needs to locate the key pair on the Authentication Manager instance in order to generate a PKCS#12 (.pfx) file for a load balancer (e.g., an F5). The administrator has already generated the certificate signing request (CSR), had a Certificate Authority (CA) sign the CSR and imported the matching certificate via the Operations Console under Deployment Configuration > Certificates > Virtual Host Certificate Management.

Tasks

Tasks to be performed by an administrator are as follows:
  1. Open an SSH session to the Authentication Manager instance with an SSH client such as PuTTY.
  2. Log on to the operating system using the rsaadmin account.
  3. Enter the password for rsaadmin when prompted.
  4. To open the JKS keystore holding the key pair, an administrator must obtain the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password.
  5. Check the Alias for the key pair.
  6. Export only the key pair to a new JKS keystore.
  7. Convert the JKS keystore to PKCS#12 format, generating a PFX file.
  8. Obtain a copy of the PFX file from the Authentication Manager instance using a secure FTP (SFTP) client, such as FileZilla or WinSCP.
  9. Close the SSH session.
Resolution

Perform the tasks at the command line once SSH has been enabled via the Operations Console:

  1. Navigate to Administration > Operating System Access.
  2. Check the option to Enable SSH.
  3. Click Save.

NOTE: The password for the rsaadmin account is created during the deployment of the Authentication Manager instance and is unknown to RSA Customer Support.


  • The keytool utility is used to perform the tasks on the JKS keystores; keytool is located in the /opt/rsa/am/appserver/jdk/bin folder.
  • The JKS keystores are located in the /opt/rsa/am/server/security folder.
  • The rsautil utility is located in the /opt/rsa/am/utils folder.

Obtain the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password


  1. Navigate to the utils folder:

cd /opt/rsa/am/utils


  2. Obtain the required passwords (signing keys) for unlocking the JKS keystores:

rsaadmin@app81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key
Please enter OC Administrator username: <enter the name of the Operations Console administrator>
Please enter OC Administrator password: <enter the password of the Operations Console administrator>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_9uwbaoze
Command API Client User Password ......................: N04vujpJYzkePDn0vf0zjnu2NmEJ1f
SSL Server Identity Certificate Private Key Password ..: jkN1075giQ9IIFD8Pg6uVq4BGFB9yU
SSL Server Identity Certificate Keystore File Password : g972SpITERSGMtYCZWevKd4UTVuZUw
Root Certificate Private Key Password .................: rSl0jKaSPUFww2fb0KVfJdbUIFwQK3
Root Certificate Keystore File Password ...............: Rg10rVYLQW8fNHEdMxbgucWlMQ1mAX

The "listkeys" action displays the key names to use when setting the values.
rsaadmin@app81p:/opt/rsa/am/utils>


Check the Alias for the key pair


  1. An administrator can use the Operations Console to access Deployment Configuration > Certificates > Virtual Host Certificate Management to check the Alias of the key pair entry.  For example:
User-added image

  2. An administrator can check the contents of the required JKS keystore at the command line.
    1. Navigate to /opt/rsa/am/server/security using the command:
cd /opt/rsa/am/server/security

    2. Display the contents of the JKS keystore (vh-inactive.jks) with the command ../../appserver/jdk/bin/keytool -v -list -keystore /opt/rsa/am/server/security/vh-inactive.jks.  Note that the SSL Server Identity Certificate Keystore File Password is required to unlock the JKS keystore.  For example:

rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -list -keystore /opt/rsa/am/server/security/vh-inactive.jks
Enter keystore password:  <enter the SSL Server Identity Certificate Keystore File Password captured above in step 2 for Obtain the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password>

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
Alias name: selfservice
Creation date: Jun 20, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=mark.bell@rsa.com, CN=selfservice.csau.ap.rsa.net, OU=CS, O=RSA, L=Sydney, ST=NSW, C=AU
Issuer: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Serial number: 2d00000004979cbf90acd43dd4000000000004
Valid from: Tue Jun 20 09:36:19 EST 2017 until: Thu Jun 20 09:36:19 EST 2019
Certificate fingerprints:
         MD5:  E3:F9:C2:7B:BD:A6:A5:07:CF:CE:DA:50:8F:93:1E:46
         SHA1: 42:ED:F2:41:76:ED:14:FC:1E:D5:E6:00:B9:F9:E0:75:0E:6E:5B:59
         Signature algorithm name: SHA256withRSA
         Version: 3
Certificate[2]:
Owner: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Issuer: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Serial number: 1b0fa756985bbfb6473f9d1e67ea33c9
Valid from: Tue Apr 18 15:12:19 EST 2017 until: Mon Apr 18 15:22:18 EST 2022
Certificate fingerprints:
         MD5:  2D:63:60:60:4E:F8:52:8D:8D:B6:E1:33:99:E8:FB:E3
         SHA1: 48:4F:9D:68:F9:1A:17:4B:33:12:3A:92:64:75:BB:E0:D9:72:ED:91
         Signature algorithm name: SHA256withRSA
         Version: 3

*******************************************
*******************************************

Alias name: selfservice-signing-ca
Creation date: Jun 20, 2017
Entry type: trustedCertEntry
Owner: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Issuer: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Serial number: 1b0fa756985bbfb6473f9d1e67ea33c9
Valid from: Tue Apr 18 15:12:19 EST 2017 until: Mon Apr 18 15:22:18 EST 2022
Certificate fingerprints:
         MD5:  2D:63:60:60:4E:F8:52:8D:8D:B6:E1:33:99:E8:FB:E3
         SHA1: 48:4F:9D:68:F9:1A:17:4B:33:12:3A:92:64:75:BB:E0:D9:72:ED:91
         Signature algorithm name: SHA256withRSA
         Version: 3

*******************************************
*******************************************

Alias name: rsa-am-ca
Creation date: Jun 20, 2017
Entry type: trustedCertEntry
Owner: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Issuer: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Serial number: -79217c0c7b67e63bef60e85a0263e555
Valid from: Thu Oct 13 13:12:13 EST 2016 until: Thu Jan 01 00:00:00 EST 2037
Certificate fingerprints:
         MD5:  62:EE:78:BA:04:08:6F:2C:39:03:94:77:FC:BD:66:30
         SHA1: BE:68:44:F5:B8:89:10:17:A8:D1:1E:04:16:5F:36:C5:D0:BD:0F:7C
         Signature algorithm name: SHA1withRSA
         Version: 3

*******************************************
*******************************************

Alias name: virtualhost-id-key
Creation date: Jun 20, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: SERIALNUMBER=372302feed2e7006d6e382ea9f1621f26fac9ec7c58d46b17085801ff7d1f228, CN=selfservice.csau.ap.rsa.net
Issuer: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Serial number: 3e26c3d9a3556994a90be1cd6f334b09
Valid from: Mon Jun 19 09:40:19 EST 2017 until: Sun Jun 20 09:40:19 EST 2027
Certificate fingerprints:
         MD5:  97:83:19:8C:AD:09:4F:76:5E:F4:B1:DD:16:5E:6A:AF
         SHA1: 43:49:AE:E1:6D:28:49:17:FD:1E:CF:C1:05:58:7E:9B:95:B6:5B:A4
         Signature algorithm name: SHA1withRSA
         Version: 3
Certificate[2]:
Owner: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Issuer: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Serial number: -79217c0c7b67e63bef60e85a0263e555
Valid from: Thu Oct 13 13:12:13 EST 2016 until: Thu Jan 01 00:00:00 EST 2037
Certificate fingerprints:
         MD5:  62:EE:78:BA:04:08:6F:2C:39:03:94:77:FC:BD:66:30
         SHA1: BE:68:44:F5:B8:89:10:17:A8:D1:1E:04:16:5F:36:C5:D0:BD:0F:7C
         Signature algorithm name: SHA1withRSA
         Version: 3

*******************************************
*******************************************

rsaadmin@app81p:/opt/rsa/am/server/security>


 

Export only the key pair to a new JKS container using the Alias


  1. To export the key pair (in this example called selfservice) into a new JKS keystore (created in /tmp) use the command ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -srcalias selfservice -destkeystore /tmp/export.jks.  For example:

rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -srcalias selfservice -destkeystore /tmp/export.jks
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Enter key password for <selfservice>
[Storing /tmp/export.jks]
rsaadmin@app81p:/opt/rsa/am/server/security>

  • The destination password is chosen by the administrator (e.g., password01) for the new JKS keystore.
  • The source keystore password is the SSL Server Identity Certificate Keystore File Password.
  • The key password for <Alias> (e.g., <selfservice>) is the SSL Server Identity Certificate Private Key Password.


Convert the JKS keystore to PKCS#12 format generating a PFX file


  1. To convert the new JKS keystore into a PFX file use the following command: ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /tmp/export.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore /tmp/keypair.pfx.  For example:

rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /tmp/export.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore /tmp/keypair.pfx
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Enter key password for <selfservice>
Entry for alias selfservice successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing /tmp/keypair.pfx]
rsaadmin@app81p:/opt/rsa/am/server/security>

  • IMPORTANT: The destination password is the SSL Server Identity Certificate Private Key Password.
  • The source keystore password was set by the administrator when creating the new JKS keystore in /tmp.
  • The key password for <Alias> (e.g., <selfservice>) is the SSL Server Identity Certificate Private Key Password.
IMPORTANT: The PFX file is protected with a password, and the key pair inside the PFX file is also protected by a signing key/password. These two passwords must match; otherwise there will be a problem when using the PFX file with another utility (e.g., OpenSSL) or when importing the PFX file into a web browser.
For example, the following is a Certificate Import Wizard error from Microsoft Internet Explorer:
 

User-added image


Older Windows platforms may report the following:
 

User-added image

Notes

NOTE: This solution does not work in Authentication Manager 8.2. This article will be updated at a later date.
Private keys need to be handled with care, and handled securely.
  • Do not leave files containing key pairs exposed on a file server or remote share.
  • Ensure the appropriate protection is given that meets your company, organization or facility security requirements and/or policies.
IMPORTANT: Should an administrator use OpenSSL to convert the PFX file to a PEM formatted file, the password used to protect the PFX file must match the SSL Server Identity Certificate Private Key Password.  Where the PFX password does not match the SSL Server Identity Certificate Private Key Password, an error such as the following is generated:
rsaadmin@app81p:/opt/rsa/am/server/security> openssl pkcs12 -in /tmp/keypair.pfx -out /tmp/keypair.pem -nodes
Enter Import Password: <enter the SSL Server Identity Certificate Private Key Password>
MAC verified OK
Error outputting keys and certificates
140190678206120:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
140190678206120:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140190678206120:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:

rsaadmin@app81p:/opt/rsa/am/server/security>
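The export procedure above and the password-match caveat can be combined into one checked script. The following is an added example, not RSA's own tooling or part of this article. It assumes KEYTOOL is the keytool bundled with Authentication Manager, that this keytool accepts the ":env" password modifier (so the two secrets from rsautil manage-secrets are read from environment variables rather than typed on the command line, keeping them out of the process list and shell history), and that openssl is on PATH. It also goes beyond the article's two-step export by writing the PFX in a single keytool -importkeystore run with -srcalias and -deststoretype PKCS12, which avoids leaving an intermediate JKS in /tmp; the container password and the key password are both set to the SSL Server Identity Certificate Private Key Password, which is the matching rule the IMPORTANT notes describe. The two verify functions then check, before the file is copied anywhere, that one password opens both the MAC and the key bag (a mismatched PFX fails here exactly as in the "MAC verified OK ... bad decrypt" session) and that the private key belongs to the certificate in the file.

```sh
#!/bin/sh
# Added example, not RSA's own tooling: export one PrivateKeyEntry from a JKS
# keystore straight to a PFX, then verify the PFX with OpenSSL before it is
# copied off the appliance. Assumptions (not from the article): KEYTOOL is the
# JDK bundled with Authentication Manager, that keytool accepts the ":env"
# password modifier, and openssl is on PATH.
KEYTOOL="${KEYTOOL:-/opt/rsa/am/appserver/jdk/bin/keytool}"

# export_keypair SRC_JKS ALIAS DEST_PFX
# Secrets come from the environment, never from the command line (ps, history):
#   AM_STOREPASS  SSL Server Identity Certificate Keystore File Password
#   AM_KEYPASS    SSL Server Identity Certificate Private Key Password
# Both the PFX container and the key bag inside it are protected with
# AM_KEYPASS, which is the "passwords must match" rule in the article.
export_keypair() {
  src=$1; entry=$2; dest=$3
  "$KEYTOOL" -importkeystore \
    -srckeystore "$src" -srcstoretype JKS -srcalias "$entry" \
    -srcstorepass:env AM_STOREPASS -srckeypass:env AM_KEYPASS \
    -destkeystore "$dest" -deststoretype PKCS12 -destalias "$entry" \
    -deststorepass:env AM_KEYPASS -destkeypass:env AM_KEYPASS \
  && chmod 600 "$dest"   # the PFX holds a private key: owner-readable only
}

# verify_pfx PFX PASSWORD
# Succeeds only if one password both checks the PKCS#12 MAC and decrypts the
# key bag. A PFX built with mismatched passwords fails here the same way the
# article's "MAC verified OK ... bad decrypt" session does.
verify_pfx() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out /dev/null >/dev/null 2>&1
}

# pfx_key_matches_cert PFX PASSWORD
# Confirms the private key and the end-entity certificate in the PFX belong
# together by comparing their SubjectPublicKeyInfo. The key material stays in
# pipes and shell variables; nothing is written to disk.
pfx_key_matches_cert() {
  key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout 2>/dev/null)
  cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
             | openssl x509 -noout -pubkey 2>/dev/null)
  case $key_pub in
    *"BEGIN PUBLIC KEY"*) ;;   # an empty key_pub would otherwise equal an empty cert_pub
    *) return 1 ;;
  esac
  [ "$key_pub" = "$cert_pub" ]
}

# Usage on the appliance (the vh-inactive.jks path and alias are the article's):
#   AM_STOREPASS='<keystore file password>' AM_KEYPASS='<private key password>' \
#     sh export_pfx.sh /opt/rsa/am/server/security/vh-inactive.jks selfservice /tmp/keypair.pfx
main() {
  export_keypair "$1" "$2" "$3" || { echo "keytool export failed" >&2; exit 1; }
  verify_pfx "$3" "$AM_KEYPASS" \
    || { echo "$3 does not open with the private key password" >&2; exit 1; }
  pfx_key_matches_cert "$3" "$AM_KEYPASS" \
    || { echo "private key in $3 does not match its certificate" >&2; exit 1; }
  echo "OK: $3 verified; copy it with SFTP and then delete it from /tmp"
}
if [ $# -eq 3 ]; then main "$@"; fi
```

The verify functions work on any PKCS#12 file, not only one produced by keytool, so they can also be run on the load balancer side after the SFTP copy; if verify_pfx fails with the private key password, the file was built with a container password that differs from the key password and should be regenerated rather than worked around.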
