1. Launch an SSH client, such as PuTTY.
2. Login to the Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to login.

3. To open the JKS keystore holding the key pair an administrator must obtain the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password.
4. Check the Alias for the key pair.
5. Export only the key pair to a new JKS keystore.
6. Convert the JKS keystore to PKCS#12 format generating a PFX file.
7. Obtain a copy of the PFX file from the Authentication Manager instance using a secure FTP client, such as FileZilla or WinSCP. 
8. Close the SSH session.

Perform the tasks at the command line where SSH has been enabled via the Operations Console:

1. Login to the Operations Console and navigate to Administration > Operating System Access.
2. Check the option to Enable SSH.
3. Click Save.

NOTE: The password for the rsaadmin account is created during the deployment of the Authentication Manager instance and is unknown to RSA Customer Support.

• The keytool is used to perform the tasks with the JKS keystores and keytool is located in /opt/rsa/am/appserver/jdk/bin.
• The JKS keystores are located in /opt/rsa/am/server/security.
• The rsautil is located in /opt/rsa/am/utils.

Obtain the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password

1. Navigate to the utils folder

2. Obtain the required passwords (signing keys) for unlocking the JKS keystores

Check the Alias for the key pair

1. An administrator can use the Operations Console to access Deployment Configuration > Certificates > Virtual Host Certificate Management to check the Alias of the key pair entry.  For example:

2. An administrator can check the contents of the required JKS keystore at the command line.
   
   1. Navigate to /opt/rsa/am/server/security:

2. Display the contents of the JKS keystore (vh-inactive.jks) with the command ../../appserver/jdk/bin/keytool -v -list -keystore /opt/rsa/am/server/security/vh-inactive.jks.  Note that the SSL Server Identity Certificate Keystore File Password is required to unlock the JKS keystore.  For example:

Export only the key pair to a new JKS container using the Alias

1. To export the key pair (in this example called selfservice) into a new JKS keystore (created in /tmp) use the command ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -srcalias selfservice  -destkeystore  /tmp/export.jks.  For example:

rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -srcalias selfservice -destkeystore /tmp/test.jks
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Enter key password for <selfservice>
[Storing /tmp/test.jks]
rsaadmin@app81p:/opt/rsa/am/server/security>

Convert the JKS keystore to PKCS#12 format generating a PFX file

1. To convert the new JKS keystore into a PFX file use the following command: ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /tmp/export.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore /tmp/keypair.pfx.  For example:

rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /tmp/export.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore /tmp/keypair.pfx
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Enter key password for <selfservice>
Entry for alias selfservice successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing /tmp/keypair.pfx]
rsaadmin@app81p:/opt/rsa/am/server/security>

• IMPORTANT:  The destination password is the SSL Server Identity Certificate Private Key Password 
• The source keystore password was set by the administrator when creating the new JKS keystore in /tmp.
• The key password for <Alias> (e. g., <selfservice>) is the SSL Server Identity Certificate Private Key Password.

The PFX file is protected with a password and the key pair in the PFX file is also protected by a signing key/password. It is important that these passwords match else it will cause a problem when using the PFX file with another utility (e. g., OpenSSL) or importing the PFX file into a web browser.

For example, the following is a Certificate Import Wizard error for Microsoft Internet Explorer:
 

Older Windows platforms may report the following:
 

This solution does not work in Authentication Manager 8.2. This article will be updated at at later date.

• Do not leave files containing key pairs exposed on a file server or remote share.  
• Ensure the appropriate protection is given that meets your company, organization or facilities security requirements and/or policies.

IMPORTANT: Should an administrator use openSSL to convert the PFX file to a PEM formatted file, then the password used to protect the PFX file must match the SSL Server Identity Certificate Private Key Password.  Where the PFX password does not match the SSL Server Identity Certificate Private Key Password then this will generate an error.

Error outputting keys and certificates
140190678206120:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
140190678206120:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140190678206120:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
rsaadmin@app81p:/opt/rsa/am/server/security>