|Applies To||Authentication Manager 7.1 SP4, AM 7.1 SP4, AM 7.1, Appliance 3.0.4|
SSL Certificate Replacement, Cert Replacement, update RSA self-signed certificates, update certs
Customer Support Training module, CSTM videos on Cert replacement and other topics, copy and paste this link into your browser URL
|Issue||While following KB a44880 to replace the RSA self-signed certificates in AM 7.1, one of the following errors occurs.|
When performing Step 7:
rsautil manage-ssl-certificate --config-server --alias <alias> --keystore ..\server\security\<serverName>.jks --server-name AdminServer or Proxy_Server or <servername_server>
Unable to activate server config changes.
Command failed. Exit code: 0
During Step 5, importing the RootCA certificate into the server, root or cacert keystores:
rsautil manage-ssl-certificate --import --trustcacerts --alias <alias> --cert-file e:\<RootCA>.cer --keystore ..\server\security\<serverName>.jks
Public Keys in reply and keystore don't match.
When performing Step 6:
rsautil manage-ssl-certificate --import --alias <alias> --cert-file e:\<certFile>.cer --keystore ..\server\security\<serverName>.jks
java.io.EOFException: Detected premature EOF
When applying the newly imported replacement SSL certificates to the Admin Server (Step 7 in KB a44880) with the command:
rsautil manage-ssl-certificate --config-server --alias <aliasName> --keystore ../server/security/<serverName>.jks --server-name AdminServer
the command errors out with:
Certificate chain received from <ServerName> was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.
Unable to connect to the server: <ServerName>:7006
Command failed. Exit code: 0.
|Resolution||Match the error to its cause:|
Unable to activate server config changes. Command failed. Exit code: 0 --------------> restart the Authentication Manager server and try again.
java.io.EOFException: Detected premature EOF --------------> the certificate file does not contain both -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, or there is a <CR> carriage return after the -----END CERTIFICATE----- line.
Public Keys in reply and keystore don't match ---------------> make sure --trustcacerts is included, or check whether you are using the server certificate alias instead of the RootCA alias.
Certificate chain ... was not trusted ------------------> make sure the RootCA certificate and any intermediate CA certificates have been imported. Request the certificate with the SHA1 algorithm only; SHA2 and SHA512 are not supported. Do not allow the CA to add any critical extensions to the certificate response file, or, if it does, follow the RSA documentation, which states:
If you use a certificate that contains any extended key usage fields marked critical, both of the following key usage extensions must be present:
- serverAuth (1.3.6.1.5.5.7.3.1) -- TLS Web server authentication
- clientAuth (1.3.6.1.5.5.7.3.2) -- TLS Web client authentication
|Legacy Article ID||a64440|
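The file-level causes in the Resolution above can be checked before the .cer file is handed to rsautil manage-ssl-certificate --import. The script below is an added example written for this article, not RSA code and not part of rsautil: it reports a missing BEGIN/END line or bytes after the END line (the "Detected premature EOF" cause), a signature algorithm other than SHA1 (the restriction the article states for AM 7.1), and a critical extended key usage extension that lacks serverAuth or clientAuth. It uses only the Python standard library with a minimal DER walker. The OIDs and the SIG_ALGS names are standard values; sample_pem builds a constructed, structurally minimal certificate (empty name, validity and key fields, dummy signature; not a real certificate) so the checks can be exercised offline. It does not check chain trust, which lives in the keystore rather than the file.

```python
"""Pre-flight checks on a PEM certificate before importing it with rsautil.
Added example, not RSA code. Flags the file-level causes the article lists."""
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
OID_EKU = "2.5.29.37"                    # id-ce-extKeyUsage (standard value)
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # clientAuth
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

def check_pem_layout(text):
    """Layout faults the article maps to 'java.io.EOFException: Detected premature EOF'."""
    problems = ["missing " + marker for marker in (BEGIN, END) if marker not in text]
    if not problems:
        tail = text.split(END, 1)[1]
        if tail not in ("", "\n"):           # a <CR> or anything else after the END line
            problems.append("unexpected bytes after END line: %r" % tail)
    return problems

def der_read(buf, pos=0):
    """Read one DER TLV; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                     # members of a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Dotted form of a raw OBJECT IDENTIFIER body (base-128 arcs)."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)

def cert_summary(der):                       # signature algorithm and EKU of a DER cert
    (_, tbs), (_, sig_alg), _ = der_children(der_read(der)[1])
    sig_oid = decode_oid(der_children(sig_alg)[0][1])
    info = {"sig_alg": SIG_ALGS.get(sig_oid, sig_oid), "eku_critical": False, "eku": []}
    for tag, val in der_children(tbs):
        if tag != 0xA3:                      # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            parts = der_children(ext)        # extnID, [critical], extnValue
            if decode_oid(parts[0][1]) == OID_EKU:
                info["eku_critical"] = len(parts) == 3 and parts[1][1] == b"\xff"
                info["eku"] = [decode_oid(v) for _, v in
                               der_children(der_read(parts[-1][1])[1])]
    return info

def preflight(pem_text):
    """All findings for one PEM file; an empty list means the checks passed."""
    findings = check_pem_layout(pem_text)
    if findings:
        return findings
    body = pem_text.split(BEGIN, 1)[1].split(END, 1)[0]
    info = cert_summary(base64.b64decode("".join(body.split())))
    if info["sig_alg"] != "sha1WithRSAEncryption":
        findings.append("signed with %s; AM 7.1 accepts SHA1 only" % info["sig_alg"])
    if info["eku_critical"]:
        missing = {OID_SERVER_AUTH, OID_CLIENT_AUTH} - set(info["eku"])
        if missing:
            findings.append("critical EKU lacks " + ", ".join(sorted(missing)))
    return findings

# Constructed sample: a structurally minimal certificate with empty name/validity/SPKI
# fields and a dummy signature. NOT a real certificate; it only lets the checks run offline.
def tlv(tag, content):                       # minimal DER encoder for the sample
    n = len(content)
    return (bytes([tag, n]) if n < 128 else bytes([tag, 0x82]) + n.to_bytes(2, "big")) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def sample_pem(sig_oid, critical, eku_oids, trailer="\n"):
    eku = tlv(0x04, tlv(0x30, b"".join(encode_oid(o) for o in eku_oids)))
    ext = tlv(0x30, encode_oid(OID_EKU) + (tlv(0x01, b"\xff") if critical else b"") + eku)
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + tlv(0x30, b"") * 4 + tlv(0xA3, tlv(0x30, ext)))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(128)))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + lines + [END]) + trailer
```

Run preflight(open(path).read()) on the .cer file before Step 5 or 6; an empty list means all three checks passed. A single trailing LF after the END line is accepted, while a CR (or any other byte) after it is reported, matching the cause given in the Resolution; a non-critical EKU extension is not reported, since the RSA requirement quoted above applies only when the extension is marked critical.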