000013012 - When accessing the enrollment page or admin console on RCM/RRM, a certificate error appears in the browser if the certificate name does not match the FQDN used in the URL

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017. Version 2.

Article Number: 000013012
Applies To: RSA Certificate Manager 6.9
RSA Registration Manager 6.9
RSA OneStep 6.9
Microsoft Internet Explorer 7, 8, 9
Issue: When accessing the enrollment page or admin console on RCM/RRM, a certificate error appears in the browser if the certificate name does not match the FQDN used in the URL.
Because of the way DNS is set up, not everyone can use the same FQDN as the one in the RCM/RRM server certificate's Common Name.
Is there a way to generate server certificates for RCM/RRM with a Subject Alternative Name (SAN) extension that includes additional names/IP addresses, so that the error does not occur in browsers?
Cause: By default, RSA Certificate Manager and Registration Manager server SSL certificates do not have any extensions (they are generated as v1 certificates), so there is no option to add a SAN (or any other) extension. The System (and Administrative) CA jurisdictions have limited configuration options compared to other CA jurisdictions: configuring an extension profile or adding extensions through Certificate Attributes is NOT an option.
Resolution: A Request for Enhancement (RFE), CERTMGR-4298, has been submitted for a future version of RSA Certificate Manager and Registration Manager to add the ability to include extensions in the server SSL certificate as well as in the certificates for admin/vettor/auditor/KRO.

In the meantime, this limitation can be worked around by re-issuing the server certificates with additional CN attributes for the IP addresses and/or hostnames required. Follow the steps below as a workaround.

WORKAROUND:

Notes:
a) The following certificates are presented by RCM/RRM as server certificates for browser sessions:
      - used by admin server:  <RCM-or-RRM-install-folder>/WebServer/ssl/certs/adminServer.cert
      - used by enrollment server:  <RCM-or-RRM-install-folder>/WebServer/ssl/certs/enrollServer.cert
b) Make a full backup of RCM (and RRM) before proceeding.

A) Re-issue external facing RCM server certificates (adminServer.cert/enrollServer.cert):

1. Update 'System CA Jurisdiction' to allow additional CN attributes:
   - On RCM admin interface, go to CA Operations workbench
       => view System CA, then click Configure button under Jurisdiction Configuration section
       => under Sections drop-down, select Certificate Attributes
       => add as many additional CN (Common Name) attributes as you need

Notes:
   - For example, one CN attribute will already exist, which is used for the initial default server name; you can add two more CN attributes, one for the IP address and the other for a different hostname/alias of the server.
   - Make sure that the 'Include in Subject DN' flag is set for each of the newly added CN attributes.
   - You can also optionally change the Label of each new CN attribute to make it more obvious what the new attribute is used for.
   - Setting the flag 'Include in Subject Alternative Names Extension' does not work for System CA jurisdiction (where certificates would be issued/re-issued through Administrator Operations workbench).

       => Save changes in the jurisdiction

2. Re-issue RCM server certs:
   - On RCM admin interface, go to Administrator Operations workbench
       => click 'Re-issue' under Server Certificates
       => select System CA as the issuer, and System CA Jurisdiction as the jurisdiction
       => select adminServer.cert from the 'Internal Certificates' drop-down list
       => making sure that 'Internal Certificates' is selected, click on Next
       => fill out the additional CN attributes (enter IP and/or hostname as required)
       => click Next, then click Re-Issue >; a new adminServer.cert will be generated

       => Follow the above steps for re-issuing enrollServer.cert

3. Restart RCM services so the new adminServer.cert and enrollServer.cert are picked up.


B) Re-issue external facing RRM server certificates (adminServer.cert/enrollServer.cert):

1. Determine the initial target jurisdiction and CA for RRM

2. Go to RCM admin interface, view the target CA then edit the target jurisdiction to include additional CN (Common Name) attributes. Follow steps similar to those in step #1 above for RCM server certs. Save the changes to target jurisdiction.

3. Copy RRM's adminServer.cert and enrollServer.cert to the following folder on RCM:
      RSA_CM/WebServer/ssl/extcerts

4. Re-issue RRM server certs:
   - On RCM admin interface, go to Administrator Operations workbench
       => click 'Re-issue' under Server Certificates
       => select target CA as the issuer, and target jurisdiction as the jurisdiction
       => select adminServer.cert from the 'External Certificates' drop-down list
       => making sure that 'External Certificates' is selected, click on Next
       => fill out the additional CN attributes (enter IP and/or hostname as required)
       => click Next, then click Re-Issue >; a new adminServer.cert for RRM will be generated

       => Follow the above steps for re-issuing enrollServer.cert for RRM

5. Copy re-issued RRM's adminServer.cert and enrollServer.cert from the following RCM folder:
      RSA_CM/WebServer/ssl/extcerts
   to the following RRM folder:
      RSA_RM/WebServer/ssl/certs

6. Restart RRM services so the new adminServer.cert and enrollServer.cert are picked up.
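As an added illustration (not RSA's code), the following stand-alone Python builds the kind of multi-CN Subject DN that the workaround above produces, parses it back with a minimal DER decoder, and reports which URL host names it covers; the host names and IP address used are constructed sample values.

```python
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3), DER-encoded OID

def der(tag, body):
    """Minimal DER TLV encoder; lengths up to 65535 are enough for a Subject Name."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def subject_with_cns(cns):
    """Constructed Subject DN with one CN RDN per name, the shape the workaround produces."""
    rdns = [der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))) for cn in cns]
    return der(0x30, b"".join(rdns))  # SEQUENCE OF RelativeDistinguishedName

def parse_tlv(buf, pos):
    """Decode one DER element at pos; returns (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def iter_children(body):
    """Yield (tag, body) for each element inside a constructed DER body."""
    pos = 0
    while pos < len(body):
        tag, child, pos = parse_tlv(body, pos)
        yield tag, child

def common_names(subject_der):
    """Return every CN value in a DER Subject Name, in encoding order."""
    tag, seq, _ = parse_tlv(subject_der, 0)
    if tag != 0x30:
        raise ValueError("Subject Name must be a SEQUENCE")
    names = []
    for _, rdn in iter_children(seq):        # each RDN is a SET OF AttributeTypeAndValue
        for _, atv in iter_children(rdn):
            (_, oid), (_, value) = list(iter_children(atv))[:2]
            if oid == OID_CN:
                names.append(value.decode("utf-8"))
    return names

def covered_hosts(cns, url_hosts):
    """Map each host a user types in the URL to whether some CN matches it literally.
    Case-insensitive exact match only; wildcard CNs are not handled here."""
    have = {cn.lower() for cn in cns}
    return {h: h.lower() in have for h in url_hosts}
```

A CN-only match is what the Internet Explorer versions listed above accept; current browsers such as Chrome (since version 58) ignore the CN and require a SAN, so the RFE noted in the Resolution remains the proper long-term fix.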
Notes: CERTMGR-4298
Legacy Article ID: a62575