000032627 - How to export Authentication Manager 8.1 SP1 Web Tier Virtual Host Private Key to .PFX file

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000032627
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: SecurID Appliance
RSA Version/Condition: 8.1.0 SP1
Platform: Linux
Platform (Other): Web Tier Virtual Host
 
Issue

After creating a .csr file in the AM 8.1 SP1 Operations Console under Deployment Configuration | Certificates | Virtual Host Certificate Management, the customer needed to know where to find the .key (private key) on the SecurID appliance in order to build a .pfx file for their F5 load balancer.
KB 000030270 has some sample syntax but focuses on creating the CSR; it gives no details or specifics on exporting the private key.

Tasks

1. SSH to the primary AM appliance with PuTTY and log on with the Operating System Account, typically called rsaadmin.
2. Obtain both the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password.
3. Verify the alias for your private key.
4. Export the private key to a .pfx file.
5. Copy or move the .pfx file to /tmp for retrieval with WinSCP.

Resolution

1. Locations on the appliance used in the steps below:
   keytool:               /opt/rsa/am/appserver/jdk/bin
   .jks keystores:        /opt/rsa/am/server/security
   RSA utility (rsautil): /opt/rsa/am/utils
2. Get the SSL Server Identity Cert Keystore File Password. You need Operations Console (OCAdmin) credentials to do this.

cd /opt/rsa/am/utils
./rsautil manage-secrets -a list

[Screenshot: rsautil manage-secrets output, CertKeystorePasswords]
Highlight the whole password to copy and paste it, and delete any spaces, so you get this:
MA8eMBMiDSWz6ApxEDLC2oeKWBhtZh
Obviously your file password will be different.
Note: you will also need the SSL Server Identity Certificate Private Key Password when we export the key.
3. Verify the alias for your private key.
Next go to the security directory so you can access the Virtual Host keystores, which hold the Virtual Host key seen in the Operations Console.

[Screenshot: Operations Console, Virtual Host certificates]

cd /opt/rsa/am/server/security

This directory has two Virtual Host keystores: vh-identity.jks, which has the active key/certificate, and vh-inactive.jks, which has the inactive, pending private key for the CSR that was generated but whose response has not been imported yet in this example. Assuming you have already imported your response, use vh-identity.jks. Here is the command to list it; I use the relative path to keytool.

../../appserver/jdk/bin/keytool -list -keystore ./vh-identity.jks

[Screenshot: keytool -list output for vh-identity.jks]
You can see the two active keys: the self-signed root CA from RSA, called rsa-am-ca, and the virtualhost-id-key.
The pending CSR key, called jumpingjon in this example, is in vh-inactive.jks.

[Screenshot: keytool -list output for vh-inactive.jks]
Note: if you add the -v switch after -list, for verbose output, you get all the details about the key, including the serial number and validity dates, so you can verify it is the correct active private key.
4. Export the private key to a .pfx file.
Now we have the baseline syntax to follow, from KB 000030270 on creating the CSR, where it said:

#3 export the private key
keytool.exe -v -importkeystore -srckeystore <path>/keystore.jks -srcalias rsawebtiervh.corp.comany.com -destkeystore <path>/rsawebtiervh.corp.comany.com.jks

Or

#7 create pfx from private key and public ssl certificate
keytool -importkeystore -srckeystore <path>/rsawebtiervh.corp.comany.com.jks -srcstoretype JKS -destkeystore <path>/rsawebtiervh.corp.comany.com.pfx -deststoretype PKCS12

So our syntax should be:

../../appserver/jdk/bin/keytool -importkeystore -srckeystore ./vh-identity.jks -srcstoretype JKS -alias virtualhost-id-key -destkeystore ./vhost.pfx -deststoretype PKCS12

[Screenshot: keytool -importkeystore to PFX, password prompts]

keytool prompts for four passwords. The first two are for the destination keystore, the vhost.pfx file, so note them, as you will need them when importing this file into your F5 or other load balancer. The third password is the SSL Server Identity Cert Keystore File Password from step 2 above (MA8eMBMiDSWz6ApxEDLC2oeKWBhtZh in this example; different for you).
The fourth password is the SSL Server Identity Certificate Private Key Password, also from step 2 above (kWmiWm3VqfUdwN7KuS0cJlYlOxvLHa in this example; different for you).
Note: we recommend making the first two passwords for the .pfx file the same as the fourth password, the SSL Server Identity Certificate Private Key Password; see the explanation in the Notes section.
I also tried without the alias switch, and both keys appear to get exported:

../../appserver/jdk/bin/keytool -importkeystore -srckeystore ./vh-identity.jks -srcstoretype JKS -destkeystore ./vhost_all.pfx -deststoretype PKCS12
Notes
Private keys need to be handled with care and stored securely. Do not leave this file exposed on a file server, and ensure protection appropriate to your company's, organization's or facility's security needs and policies.
Note: we recommend making the first two passwords for the .pfx file the same as the fourth password (the SSL Server Identity Certificate Private Key Password) because we saw a problem when a customer tried to convert this .pfx file to a .pem file for import into a load balancer. When the file and key passwords were different, they got the following error:
C:\OpenSSL-Win32\bin>openssl pkcs12 -in c:\Temp\pfx\ssp1.pfx -out C:\Temp\pfx\ssp1.pem -nodes 
Enter Import Password: <file password>
MAC verified OK 
Error outputting keys and certificates 
7736:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:529: 
7736:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:.\crypto\pkcs12\p12_decr.c:108: 
7736:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:139:
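Before handing the exported .pfx (step 4) to the load balancer, it is worth checking it the same way the openssl conversion above does. The script below is an added example, not part of this KB or the appliance's tooling; it assumes openssl is on PATH and builds its own throwaway PFX from a constructed self-signed certificate (the hostname, alias and passwords are made up) so the check runs offline. pfx_check fails at the same point as the error above (the key bag does not decrypt) when the key was protected with a password other than the one supplied.

```shell
#!/bin/sh
# Added example, not from the RSA KB: verify an exported .pfx the way a load
# balancer import (or an openssl pkcs12 conversion) will, and confirm the
# private key in it matches the certificate. Assumes openssl is on PATH.

# pfx_check FILE PASSWORD
# Returns 0 when the MAC verifies, the key bag decrypts with PASSWORD and the
# key's public key equals the certificate's public key; non-zero otherwise.
pfx_check() {
    pfx=$1; pass=$2
    # -nodes forces openssl to decrypt the key bag; this is the step that
    # fails with "bad decrypt" when the key password differs from the file
    # password (the 4th keytool prompt vs. the first two).
    if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nodes -nocerts \
            -out "$pfx.key" >/dev/null 2>&1; then
        echo "pfx_check: MAC check or key decryption failed with the given password" >&2
        return 1
    fi
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys \
        -out "$pfx.crt" >/dev/null 2>&1 || return 1
    # Compare SHA-256 digests of the two public keys in PEM form.
    k=$(openssl pkey -in "$pfx.key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$pfx.crt" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_test_pfx DIR PASSWORD
# Builds DIR/vhost.pfx from a constructed self-signed key/cert (test data only;
# the CN and alias are made up, not values from the appliance).
make_test_pfx() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/vh.key" \
        -out "$dir/vh.crt" -subj "/CN=rsawebtiervh.example.test" -days 2 \
        >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -in "$dir/vh.crt" -inkey "$dir/vh.key" \
        -name virtualhost-id-key -out "$dir/vhost.pfx" -passout "pass:$pass"
}

# Stand-alone run: build a test PFX, check it with the right and a wrong password.
d=$(mktemp -d)
make_test_pfx "$d" 'Secret1' && pfx_check "$d/vhost.pfx" 'Secret1' && echo "ok: key matches cert"
pfx_check "$d/vhost.pfx" 'wrong' 2>/dev/null || echo "expected: wrong password rejected"
```

To check a real export, copy vhost.pfx off the appliance and run pfx_check on it with the first of the two passwords you gave keytool for the destination keystore.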
