000016410 - Things that can go wrong during AM 7.1 SSL Certificate replacement

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Content

Article Number: 000016410
Applies To: Authentication Manager 7.1 SP4, AM 7.1 SP4, AM 7.1, Appliance 3.0.4
SSL Certificate Replacement, Cert Replacement, update RSA self-signed certificates, update certs

Customer Support Training Module (CSTM) videos on certificate replacement and other topics are available at the following link (copy and paste it into your browser):

https://knowledge.rsasecurity.com/scolcms/set.aspx?id=9488
Issue
After successfully following KB a44880 to replace the RSA self-signed certificates in AM 7.1, one of the following errors occurs.

1. When performing Step 7 of KB a44880:
rsautil manage-ssl-certificate --config-server --alias <alias> --keystore ..\server\security\<serverName>.jks --server-name AdminServer
(the --server-name value may also be Proxy_Server or <servername_server>)
the command fails with:
Unable to activate server config changes.
Command failed. Exit code: 0

2. During Step 5, importing the Root CA certificate into the server, root or cacert keystore:
rsautil manage-ssl-certificate --import --trustcacerts --alias <alias> --cert-file e:\<RootCA>.cer --keystore ..\server\security\<serverName>.jks
the command fails with:
Public Keys in reply and keystore don't match.

3. When performing Step 6, importing the certificate reply (<certFile>.cer) into the server keystore:
rsautil manage-ssl-certificate --import --alias <alias> --cert-file e:\<certFile>.cer --keystore ..\server\security\<serverName>.jks
the command fails with:
java.io.EOFException: Detected premature EOF

4. When applying the newly imported replacement SSL certificates to the Admin Server (Step 7 in KB a44880) with the command:
rsautil manage-ssl-certificate --config-server --alias <aliasName> --keystore ../server/security/<serverName>.jks --server-name AdminServer
the command errors out with:
Certificate chain received from <ServerName> was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.

Unable to connect to the server: <ServerName>:7006

Command failed. Exit code: 0
Resolution
Unable to activate server config changes. Command failed. Exit code: 0
    Restart the Authentication Manager server and run the command again.

java.io.EOFException: Detected premature EOF
    The certificate file does not contain both the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, or there is a carriage return (<CR>) after the -----END CERTIFICATE----- line. Correct the file so that it contains both markers and nothing follows the END line, then re-run the import.

Public Keys in reply and keystore don't match
    Either --trustcacerts was omitted from the import command, or the Root CA certificate was imported under the server certificate alias instead of the Root CA alias. Re-run the import with --trustcacerts and the Root CA alias.

Certificate chain ... was not trusted
    Make sure the Root CA certificate, and any intermediate CA certificates, have been imported. Request the certificate with the SHA1 signature algorithm only; SHA-2 algorithms (SHA-256, SHA-512) are not supported by AM 7.1. Do not allow the CA to add any critical extensions to the certificate response file, or, if it does, follow the RSA documentation, which states:
    If you use a certificate that contains any extended key usage fields marked critical, both of the following extended key usage values must be present:
      - serverAuth (1.3.6.1.5.5.7.3.1) -- TLS Web server authentication
      - clientAuth (1.3.6.1.5.5.7.3.2) -- TLS Web client authentication
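The three file and content conditions above (both PEM markers present with nothing after the END line, a SHA1 signature algorithm, and a critical extendedKeyUsage that carries both serverAuth and clientAuth) can all be checked before the rsautil import is attempted. The following is an added example written for this article; it is not RSA code and is not part of KB a44880. It uses only the Python standard library, reads just enough DER to find the signatureAlgorithm and the extensions, and does not verify the signature or the chain. The "SHA1 only" rule is taken from this article's statement about AM 7.1, and the constructed_cert helper builds a certificate-shaped blob for offline testing only; it is not a valid certificate.

```python
"""Pre-import checks for a CA certificate reply: PEM framing, SHA1 signature, critical EKU contents."""
import base64

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
SHA1_RSA = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption
SIG_NAMES = {SHA1_RSA: "SHA1withRSA", "1.2.840.113549.1.1.11": "SHA256withRSA",
             "1.2.840.113549.1.1.12": "SHA384withRSA", "1.2.840.113549.1.1.13": "SHA512withRSA"}
EKU_OID, SERVER_AUTH, CLIENT_AUTH = "2.5.29.37", "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"

def der_read(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + n], pos + n

def der_children(body):
    """Split the content of a constructed DER value into (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def oid_decode(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def inspect_cert(der_bytes):
    """Return (signatureAlgorithm OID, {extension OID: (critical, extnValue bytes)})."""
    tag, body, end = der_read(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("not a single DER SEQUENCE")
    tbs, sig_alg = der_children(body)[:2]  # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    sig_oid = oid_decode(der_children(sig_alg[1])[0][1])
    exts = {}
    for tag, val in der_children(tbs[1]):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            for _, ext in der_children(der_children(val)[0][1]):
                fields = der_children(ext)  # extnID, [critical BOOLEAN], extnValue OCTET STRING
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                exts[oid_decode(fields[0][1])] = (critical, fields[-1][1])
    return sig_oid, exts

def check_cert_reply(text):
    """Return a list of problems found in a PEM certificate file's text; empty means OK to import."""
    if BEGIN not in text or END not in text:
        return ["missing BEGIN/END CERTIFICATE line (rsautil reports 'Detected premature EOF')"]
    b64, _, tail = text.partition(BEGIN)[2].partition(END)
    problems = []
    if tail not in ("", "\n"):  # KB: a <CR> after the END line also produces premature EOF
        problems.append("unexpected bytes after END CERTIFICATE line: %r" % tail)
    try:
        sig_oid, exts = inspect_cert(base64.b64decode("".join(b64.split()), validate=True))
    except (ValueError, IndexError) as e:  # binascii.Error is a ValueError subclass
        return problems + ["certificate body does not decode: %s" % e]
    if sig_oid != SHA1_RSA:
        problems.append("signed with %s; AM 7.1 supports SHA1 only" % SIG_NAMES.get(sig_oid, sig_oid))
    if EKU_OID in exts:
        critical, value = exts[EKU_OID]
        purposes = {oid_decode(v) for _, v in der_children(der_read(value)[1])}
        if critical and not {SERVER_AUTH, CLIENT_AUTH} <= purposes:
            problems.append("critical extendedKeyUsage must contain both serverAuth and clientAuth")
    return problems

def der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        while p >> 7:
            p >>= 7
            enc.append(0x80 | (p & 0x7F))
        body += bytes(reversed(enc))
    return der(0x06, bytes(body))

def constructed_cert(sig_oid, eku_oids, critical=True):
    """Constructed test data, NOT a real certificate: unsigned, empty names, dummy key; structure only."""
    alg = der(0x30, der_oid(sig_oid) + b"\x05\x00")
    ext = der(0x30, der_oid(EKU_OID) + (b"\x01\x01\xff" if critical else b"")
              + der(0x04, der(0x30, b"".join(der_oid(o) for o in eku_oids))))
    spki = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + alg + der(0x30, b"")
              + der(0x30, der(0x17, b"160614000000Z") * 2) + der(0x30, b"") + spki + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

def pem_wrap(der_bytes, tail="\n"):
    return BEGIN + "\n" + base64.b64encode(der_bytes).decode() + "\n" + END + tail
```

To use it on a real reply, call check_cert_reply(open(r"e:\cert.cer").read()) and import only when it returns an empty list; a file that ends with "\r\n" or a blank line after the END marker is reported, which is the condition the Resolution above describes. On the AM server itself, keytool -printcert -file <certFile>.cer shows the same signature algorithm and extension fields for a manual comparison.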
 
Legacy Article ID: a64440
