000027946 - KB-1474 - SSL - how to create a certificate request for ACM V3.x and ACM 4.x

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000027946
Applies ToAffected Versions: 4.X; 3.6.X


Note that this knowledge base refers to functionality present in ACM 3.6.x and 4.x. The certificate process has changed in ACM 5.x. It is NO longer a part of the ACM UI. In 5.x, Certificates are now managed via a command line utliity. Refer to the ACM 5.x Installation guide for specific details.



A server certificate as used by the Aveksa installation is a file used to digitally validate that the machine you are accessing is the real machine. (for more info see this Wikipedia entry) If you do not use certificate signed by a certificate Authority each access to the application will result in a certificate error. While you may continue the errors can be unsettling or annoying.

What's a CSR?

A Certificate Signing Request (CSR) is a text file provide to a Certification Authority (CA) to request a public key certificate for an entity (the Aveksa application server). The CA can be an internal organization or a public authority like VeriSign or GoDaddy

What does a CSR contain?

The completed CSR consists of two parts:

  • The Certification Request Information Part
  • The Signature Part

The first part is the Certification Request Information part, has four fields and is the part of the CSR signed by the entity's private key. The second part is the Signature which is made up of two fields.


  • Version version of the standard supported.
  • Distinguished Name (DN) is the distinguished name of the entity the certificate is being requested for.
  • Public Key contains the entity's public key.
  • Attributes are a collection of attributes that may be included with the request.
  • Signature Algorithm identifies the algorithm used to sign the CSR
  • Digital Signature is the signature created using the entity's private key

Process for generating a CSR

To generate the CSR Aveksa does all the hard work behind the scenes you only need to specify the Distinguished Name (DN) of the Aveksa server and the appropriate key size. Then in the UI as a SystemAdmin or AveksaAdmin perform the following steps


1. Click the Admin tab and select System.
2. Click the SSL tab.
3. Click Generate Server Cert button

4. Enter the distinguished name (DN) of the Aveksa serve. The DN must be in X.500 distinguished name format. Do not use spaces (the X.500 spec allows them but our parser doesn't) after the separating character. For example:

Select a key size from Key Size (select 1024 only a sales guy would select 512)
6. Click OK.
The Aveksa system generates a plain text certificate request file. A hypertext link containing the name of the file appears in Cert Request File. Provide this to your CA authority for certificate creation.
Once the CSR is returned as a certificate install it in the system using these steps
1. Click the Admin tab and select System.
2. Click the SSL tab.
3. Click Upload Server Cert.
4. In the Upload Server SSL Certificate dialog box, click Browse to locate directory that contains the certificate file and click OK.
5. Stop and restart the aveksa_server
Note: If you are uploading a certificate obtained from a well-known certificate authority, such as VeriSign, the process is complete. If you are uploading a certificate obtained from an internal certification authority, you must ensure that the root CA certificate and if required intermediate CA certificate is uploaded to the Aveksa server before performing step 5 above.
1. Click the Admin tab and select System.
2. Click the SSL tab.
3. Click the Upload Trusted Cert button
4. In the Upload Trusted SSL Certificate dialog box
A. Select if these certs are for the Agent or Server (most are for the server)
B. Click
Browse to locate directory on your local machine that contains the certificate file
C. Click OK.