Article Content
Article Number | 000030130 |
Applies To | RSA Product Set: Identity Governance & Lifecycle; RSA Product/Service Type: Appliances and Software Appliances; RSA Version/Condition: 6.8.x, 6.9.x, 7.0.x |
Issue | Newer browsers are throwing the following error when the Subject Alternative Name (SAN) attribute is not present: NET::ERR_CERT_COMMON_NAME_INVALID |
Resolution | If your goal is to modify the web server certificate that a user sees when connecting to the Identity Governance & Lifecycle web console, you will need to edit the keystore called aveksa.keystore. After modification, this keystore should contain the web server's private key, its associated signed certificate, and all CA certificates up to the root CA. The following commands assume you will be creating a new keystore file called my.keystore, which will later be used to replace the existing aveksa.keystore. The example below uses the server hostname rsa-img.rsa.com, which is also reachable via the hostname alias access.rsa.com and the IP address 1.1.1.1.

First change to the keystore directory for your version.

For versions 6.8.x and 6.9.x:
cd /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore

For version 7.0.x:
cd /home/oracle/keystore

# Generate a new 2048-bit RSA key pair under the alias "server" (the alias the product expects), with the SAN listing every name and IP used to reach the console
keytool -genkeypair -keysize 2048 -alias server -keyalg RSA -keystore my.keystore -dname "CN=rsa-img.rsa.com" -ext san=dns:rsa-img.rsa.com,dns:rsa-img,dns:access.rsa.com,ip:1.1.1.1
# Create the certificate signing request; repeat the same SAN so the CA can copy it into the issued certificate
keytool -certreq -alias server -file rsa-img.rsa.com.csr -keystore my.keystore -ext san=dns:rsa-img.rsa.com,dns:rsa-img,dns:access.rsa.com,ip:1.1.1.1
# Submit rsa-img.rsa.com.csr to your CA. The remaining steps assume the CA returned the signed server certificate (cert.pem), the issuing sub-CA certificate (sub.pem) and the root CA certificate (root.pem)
# Import the root and sub-CA certificates into the JVM trust store so the chain can be validated
keytool -import -v -trustcacerts -alias root -file root.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
keytool -import -v -trustcacerts -alias sub -file sub.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
# Import the same CA certificates into the new keystore; answer "yes" when keytool reports the root is already trusted system-wide
keytool -import -v -trustcacerts -alias root -file root.pem -keystore my.keystore
Certificate already exists in system-wide CA keystore under alias <root>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
keytool -import -v -trustcacerts -alias sub -file sub.pem -keystore my.keystore
# Import the CA-signed certificate against the "server" key pair (the CA certificates imported above let keytool build and verify the chain)
keytool -importcert -v -alias server -file cert.pem -keystore my.keystore
# Verify the result: the "server" entry should now carry the CA-signed certificate with the expected SAN values and a chain up to the root
keytool -list -v -keystore my.keystore
# Back up the existing keystore, then replace it with the new one and restore ownership
cp -fp aveksa.keystore aveksa.keystore.ori
ls -l *.keystore
cp my.keystore aveksa.keystore
chown oracle:oinstall aveksa.keystore
# Restart the application so it loads the new keystore
acm restart
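As an added example (not part of the RSA article), the following Python encodes and decodes the X.509 SubjectAltName GeneralNames structure that keytool's -ext san=... option writes into the key pair and CSR above, and applies the browser-style identity check behind NET::ERR_CERT_COMMON_NAME_INVALID: the requested host is compared only against SAN entries, never against the CN. The SAN values are the article's own; the function names (build_san, parse_san, host_matches) are this example's.

```python
import ipaddress
DNS_TAG, IP_TAG = 0x82, 0x87  # context-specific [2] dNSName and [7] iPAddress

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_len(buf: bytes, i: int):  # DER length at buf[i] -> (length, content offset)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def build_san(spec: str) -> bytes:
    """keytool-style 'dns:a,dns:b,ip:1.1.1.1' -> DER GeneralNames SEQUENCE."""
    out = b""
    for item in spec.split(","):
        kind, _, value = item.partition(":")
        if kind.lower() == "dns":
            tag, payload = DNS_TAG, value.encode("ascii")              # IA5String
        elif kind.lower() == "ip":
            tag, payload = IP_TAG, ipaddress.ip_address(value).packed  # raw octets
        else:
            raise ValueError(f"unsupported GeneralName type: {kind}")
        out += bytes([tag]) + _der_len(len(payload)) + payload
    return b"\x30" + _der_len(len(out)) + out

def parse_san(der: bytes) -> list:
    """DER GeneralNames -> ['dns:...', 'ip:...']; other name types are skipped."""
    assert der[0] == 0x30, "GeneralNames must be a SEQUENCE"
    total, i = _read_len(der, 1)
    end, names = i + total, []
    while i < end:
        tag, (length, i) = der[i], _read_len(der, i + 1)
        value, i = der[i:i + length], i + length
        if tag == DNS_TAG:
            names.append("dns:" + value.decode("ascii"))
        elif tag == IP_TAG:
            names.append("ip:" + str(ipaddress.ip_address(value)))
    return names

def host_matches(san_names: list, host: str) -> bool:
    """Browser-style check: host must be in the SAN; the CN is never consulted."""
    try:
        return f"ip:{ipaddress.ip_address(host)}" in san_names
    except ValueError:  # not an IP literal: compare as a case-insensitive DNS name
        return f"dns:{host.lower().rstrip('.')}" in [n.lower() for n in san_names]
```

host_matches([], "rsa-img.rsa.com") returning False is exactly the situation in the Issue section: a certificate whose only identity is its CN is rejected regardless of what the CN says.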
To revert these changes, run the following commands:
|
Notes | The -ext option to specify a Subject Alternative Name (SAN) is not available in keytool for Java 6. This impacts any system running IMG 6.9.x or lower. You can work around this by working with the keystore on a system with Java 7 or 8 (e.g., a Windows desktop) and transferring the completed keystore file to the Identity Governance & Lifecycle server. Note that the Identity Governance & Lifecycle WildFly server references the certificate specifically using the alias name "server". If any alias name other than "server" is used, the steps above will complete but the resultant keystore will not be usable by RSA IG&L. |