000033948 - How to replace an RSA Authentication Manager 8.x console SSL certificate without a Certificate Signing Request (CSR) from the Operations Console

Document created by RSA Customer Support Employee on Dec 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000033948
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2, 8.1 SP1
IssueIf your Certificate Authority (CA), wants or requires that it generate the private key for the Authentication Manager server SSL console certificate replacement, and does not want a CSR from the Operations Console, you can refer to the section on "Replacing the Console Certificate," beginning on page 149 of the RSA Authentication Manager 8.2 Administrator's GuideThe CA needs to be informed of certain Authentication Manager certificate requirements and restrictions or the certificate will not import and will be considered invalid.

As shown below the following error will display:

There was a problem processing your request
The certificate or its signing CA is not valid.  Select another certificate to import, and try again.

  1. Inform the CA or third-party CSR of the Authentication Manager server certificate requirements
  2. Import the PKCS#12 formatted file (with a .pfx or .p12 extension) that the CA returns to you in the Operations Console.  This file will have a password, which will either be the file password or more likely the private key password.  Note that if the CA uses both file and private passwords, they need to be exactly the same.
  1. Request an SSL server certificate, that is a Netscape Cert Type or, according to page 149 of the RSA Authentication Manager 8.2 Administrator's Guidean SSL server certificate.  The Public Key should be RSA type, and the Common Name (CN) must equal the Fully Qualified Domain Name (FQDN) of the Authentication Manager server, which you will see in the Subject field.

SSL Server Cert

The certificate should be able to do digital signatures, key encipherment and data encipherment in the Critical Extensions field.  These will display in the key-usage field, as shown here:


  1. The RSA Authentication Manager 8.2 Administrator's Guide also states that If you generated a CSR using a third-party tool (that is, not in Authentication Manager but rather through your CA), the CA should create a PKCS#12 file with either a .pfx or .p12 extension, that includes the certificate file from your CA, the full trust chain of root and any intermediary signers and the private key for this new certificate.  This file will be password protected.  Import that one file in the Operations Console under Deployment Configuration > Certificates > Console Certificates.
NotesCompare a working certificate, even one that is self-signed by RSA, with the certificate that is invalid to determine what is needed.