000031090 - This certificate or its signing CA is not valid error when importing a certificate chain in RSA Authentication Manager 8.x Operations Console

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jan 10, 2020.
Version 4

Article Content

Article Number: 000031090

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue
After a Certificate Authority (CA) signs the Certificate Signing Request (CSR), importing the signed certificate chain (p7b file) fails with the error below:
There was a problem processing your request.
This certificate or its signing CA is not valid. Select another certificate to import, and try again.


The following error is present in the /opt/rsa/am/server/logs/AdminServerWrapper.log:

com.rsa.ims.security.tools.ssl.exception.InvalidCertificateException: Command ended with an error.
keytool error: java.lang.Exception: Input not an X.509 certificate

Resolution
Instead of importing the full certificate chain at once in a single p7b file, split the p7b file into multiple cer files and import them one by one. To do this, follow the steps below:
  1. Copy the p7b file to any Windows machine, then double click the file to open it.
  2. On the left panel, expand the p7b container, then click on the Certificates container.
  3. From the right panel, locate and double click the root certificate.
  4. Under the Details panel, click Copy to File...
  5. Choose DER encoded binary X.509 (.CER) for the format, then click Next.
  6. On the next page click Browse... to choose the export location of the certificate file, then click Next.
  7. Repeat steps 3 to 6 for each certificate in the chain (all intermediate certificates and the signed server certificate).
  8. Now log in to the Operations Console and import each .cer created in the above steps one by one.
    • If you are importing a Console Certificate, select Deployment Configuration > Certificates > Console Certificate Management > Import Certificate.
    • If you are importing a Virtual Host Certificate, select Deployment Configuration > Certificates > Virtual Host Certificate Management > Import Certificate.
  9. Browse and import each of the certificates created in the above steps. Start with the root certificate first, then each intermediate certificate along the chain and finally the signed server certificate.
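
A scripted alternative to steps 1 to 7, added here as an example and not taken from the RSA article: it extracts each certificate from a binary (DER) p7b and writes DER .cer files numbered in the import order that step 9 requires. The script name, function names and output file names are assumptions for illustration; ordering is by issuer/subject name match only and does not verify signatures.

```python
import pathlib, sys                                      # added example; names below are illustrative

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")    # 1.2.840.113549.1.7.2

def elements(buf, start, end):
    """Yield (tag, elem_start, value_start, end) for each DER element in buf[start:end]."""
    while start < end:
        tag, n, vstart = buf[start], buf[start + 1], start + 2
        if n == 0x80:
            raise ValueError("indefinite-length BER is not handled here")
        if n & 0x80:                                     # long form: low 7 bits = size of length
            k = n & 0x7F
            n, vstart = int.from_bytes(buf[vstart:vstart + k], "big"), vstart + k
        yield tag, start, vstart, vstart + n
        start = vstart + n

def inner(buf, elem):
    return list(elements(buf, elem[2], elem[3]))         # children of a constructed element

def certs_from_p7b(der):
    """Return the raw DER of every certificate in a PKCS#7 SignedData bundle."""
    oid, wrapper = inner(der, next(elements(der, 0, len(der))))[:2]
    if der[oid[2]:oid[3]] != SIGNED_DATA_OID:
        raise ValueError("not a PKCS#7 SignedData bundle")
    fields = inner(der, inner(der, wrapper)[0])          # fields of SignedData
    cert_sets = [f for f in fields if f[0] == 0xA0]      # certificates [0] IMPLICIT SET
    return [der[c[1]:c[3]] for f in cert_sets[:1] for c in inner(der, f)]

def issuer_subject(cert):
    """Return (issuer, subject) as raw DER Name bytes; used for ordering only."""
    tbs = inner(cert, next(elements(cert, 0, len(cert))))[0]
    f = [x for x in inner(cert, tbs) if x[0] != 0xA0]    # drop optional [0] version
    return cert[f[2][1]:f[2][3]], cert[f[4][1]:f[4][3]]  # f: serial, sigAlg, issuer, validity, subject

def root_first(certs):
    """Order one chain root -> intermediates -> server by matching subject to issuer."""
    names = {c: issuer_subject(c) for c in certs}
    by_subject = {s: c for c, (_, s) in names.items()}
    issuers = {i for i, s in names.values() if i != s}
    chain = [c for c in certs if names[c][1] not in issuers][:1]   # the server certificate
    while chain:
        parent = by_subject.get(names[chain[-1]][0])     # cert whose subject is our issuer
        if parent is None or parent in chain:            # self-issued root reached, or issuer absent
            break
        chain.append(parent)
    return chain[::-1]

if __name__ == "__main__":                               # usage: python3 split_p7b.py chain.p7b
    bundle = pathlib.Path(sys.argv[1]).read_bytes()
    for n, cert in enumerate(root_first(certs_from_p7b(bundle)), 1):
        pathlib.Path(f"{n:02d}.cer").write_bytes(cert)   # 01.cer is the root; import in numeric order
```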