000029572 - How to replace the SSL certificate of the DPM Appliance Remote Management Module (RMM) card

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000029572
Applies To: RSA Data Protection Manager Hardware Appliance (Intel appliance)
Issue: The default SSL certificate is issued by AMIG and expires soon, or is expired.
A new certificate prevents the console from launching, giving the error "KeyUsage does not allow the key encipherment":
Application Error; Name: JViewer; Publisher: American Megatrends, Inc.
KeyUsage does not allow key encipherment
Resolution: The complete guide from Intel is available at http://download.intel.com/support/motherboards/server/sb/intel_rmm4_ibwc_userguide_r2_72.pdf
To replace the SSL certificate you will need the following files:
  • The new private key file, in PEM format (Base64), with a .pem extension, not password-protected. "Enhanced Key Usage" must have:
    • Digital Signature
    • Key Encipherment
  • The newly signed SSL certificate, in PEM format (Base64), with a .pem extension
  • Optional: A file containing all certificate authorities (CA) required to complete the CA certificate chain, up to the Root CA
If you need to configure the RMM card so it sends the full CA certificate chain during the TLS handshake, follow these steps:
  1. Create a new file called "complete-certificate-chain.pem"
  2. Copy / paste the content of the new web server certificate in this new file
  3. Append the content of all CA certificates into this new file, starting from the issuing CA certificate down to the Root CA certificate
  4. Log in to the RMM admin console. 
  5. Go to Configuration - SSL
  6. Click Browse to select your newly created file "complete-certificate-chain.pem"
  7. Click Upload
  8. Once uploaded, you are now prompted to upload the private key file.
  9. Click Browse to select your private key file
  10. Click Upload
  11. Click Accept to restart the RMM's web server.
  12. Close your browser and log back in
If you need to configure the RMM card so it sends only the web server certificate during the TLS handshake, follow these steps:
  1. Log in to the RMM admin console. 
  2. Go to Configuration - SSL
  3. Click Browse to select your new SSL certificate file
  4. Click Upload
  5. Once uploaded, you are now prompted to upload the private key file.
  6. Click Browse to select your private key file
  7. Click Upload
  8. Click Accept to restart the RMM's web server.
  9. Close your browser and log back in
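
A pre-upload check for the files used in both procedures above, as an added example (not from the RSA article or the Intel guide). It reads the Key Usage extension of the first certificate (the field named in the JViewer error), compares issuer and subject names down the chain, and rejects a password-protected key. `check_upload` and the other names are assumptions of this example; signatures and the key/certificate match are not verified.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_USAGE_OID = bytes.fromhex("551d0f")          # id-ce-keyUsage (2.5.29.15)
REQUIRED = {"digitalSignature": 0x80, "keyEncipherment": 0x20}

def elements(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[start:end]."""
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:                        # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        start = pos + length

def cert_info(der):
    """Return (issuer, subject, first keyUsage byte or 0) for a DER certificate."""
    _, s, e = next(elements(der, 0, len(der)))   # Certificate
    _, s, e = next(elements(der, s, e))          # tbsCertificate
    tbs = [f for f in elements(der, s, e) if f[0] != 0xA0]   # drop [0] version
    issuer, subject = (der[tbs[i][1]:tbs[i][2]] for i in (2, 4))
    usage = 0
    for _, s, e in (f for f in tbs[6:] if f[0] == 0xA3):     # [3] extensions
        _, s, e = next(elements(der, s, e))      # SEQUENCE OF Extension
        for _, xs, xe in elements(der, s, e):
            ext = list(elements(der, xs, xe))    # OID, [critical], OCTET STRING
            if der[ext[0][1]:ext[0][2]] == KEY_USAGE_OID:
                _, bs, be = next(elements(der, *ext[-1][1:]))  # BIT STRING
                usage = der[bs + 1] if be - bs > 1 else 0      # skip unused-bits byte
    return issuer, subject, usage

def check_upload(chain_pem, key_pem):
    """Return a list of problems with the two files to upload (empty list = OK)."""
    certs = [cert_info(base64.b64decode(b)) for t, b in PEM_RE.findall(chain_pem) if t == "CERTIFICATE"]
    if not certs:
        return ["no CERTIFICATE block in the certificate file"]
    problems = [f"server certificate lacks {name} key usage"
                for name, bit in REQUIRED.items() if not certs[0][2] & bit]
    problems += [f"certificate {i + 2} is not the issuer of certificate {i + 1}"
                 for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    if len(certs) > 1 and certs[-1][0] != certs[-1][1]:
        problems.append("last certificate is not a self-issued root")
    keys = PEM_RE.findall(key_pem)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("key file must hold exactly one private key")
    elif "ENCRYPTED" in keys[0][0] or "Proc-Type:" in keys[0][1]:
        problems.append("private key is password-protected")
    return problems
```

Call `check_upload` with the text of the certificate file (for example "complete-certificate-chain.pem", or the single certificate file) and the text of the private key file; an empty list means none of these problems were found.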
