000035126 - RSA Authentication Manager 8.x import of replacement certificate fails with the error This certificate is already imported

Document created by RSA Customer Support Employee on May 31, 2017
Version 1

Article Content

Article Number: 000035126
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2, 8.2 SP1, 8.1 SP1
 
Issue
When importing a new web tier certificate, the following message is displayed:
 
This certificate is already imported
 


The /opt/rsa/am/server/logs/ops-console.log file will also contain the following message:
OC_CERT_IMPORT,26187,FAIL,UNEXPECTED_EXCEPTION,,,,,ocuser,,,,,,,,,"com.rsa.ims.security.tools.ssl.exception.InvalidCertificateException: 
This certificate is already imported

 
Cause
If you have not made the obvious mistake of trying to import the same certificate a second time, the most likely explanation is that you previously replaced this certificate, so this is a second or later replacement. The root certificate and any intermediate CA certificates are therefore already imported as part of the trust chain, and you are importing a .p7b response file that contains the entire trust chain.
  • If the trust chain has the root CA at the top, any intermediary signing CA in the middle, and your server certificate at the bottom, for a trust chain of three,
  • and the response file you are trying to import contains the same trust chain of three (i.e., the root CA at the top, the intermediary signing CA in the middle, and your server certificate at the bottom),

then it is not your server certificate that was already imported. It was one of the root certificates included in your server certificate response file that was already imported and is triggering the error that this certificate is already imported.
Resolution
Extract the bottom server certificate (in this example, remoteaccess.ws.loc) from your response file by writing just that certificate to its own .cer file.
  1. Right-click the remoteaccess.ws.loc certificate at the bottom of the list and select Open.
  2. This will bring up the General tab.
  3. Click the Details tab and click Copy to File... in the lower right.
  4. Click Next on the Certificate Export Wizard.
  5. Select DER encoded binary X.509 (.CER) and click Next.
  6. Give your exported certificate a file name, such as amserver2017.cer.
  7. Click Next and then Finish.
  8. Import this file into the Operations Console. If that import says you need the Signing Root Certificate, then repeat the above process for the Intermediary Signing Certificate.
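The same extraction can be scripted with the OpenSSL command line instead of the Windows certificate viewer. This is an added example, not RSA's own tooling: it assumes openssl is installed, the function names extract_leaf and make_demo_p7b are hypothetical, and the "Example Root CA" / "Example Issuing CA" chain is constructed sample data built around the article's remoteaccess.ws.loc name.

```shell
# extract_leaf P7B OUT_CER: write only the server (leaf) certificate from a
# .p7b chain to OUT_CER as DER-encoded X.509. The leaf is the one certificate
# whose subject is not the issuer of any certificate in the bundle.
extract_leaf() (
    p7b=$1; out=$2
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    # Response files arrive either PEM (base64) or DER (binary) encoded.
    if grep -q -- '-----BEGIN' "$p7b"; then form=PEM; else form=DER; fi
    # Split the bundle into one PEM file per certificate.
    openssl pkcs7 -inform "$form" -in "$p7b" -print_certs |
        awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; f = 1 }
                         f { print > (d "/c" n ".pem") }
                         /-----END CERTIFICATE-----/ { f = 0 }'
    name() {  # name FILE subject|issuer: print that DN without its label
        openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
    }
    issuers=$(for c in "$tmp"/c*.pem; do name "$c" issuer; done)
    leaf=; count=0
    for c in "$tmp"/c*.pem; do
        if ! printf '%s\n' "$issuers" | grep -Fxq -- "$(name "$c" subject)"; then
            leaf=$c; count=$((count + 1))
        fi
    done
    if [ "$count" -ne 1 ]; then  # refuse to guess
        echo "expected exactly one leaf certificate, found $count" >&2
        exit 1
    fi
    openssl x509 -in "$leaf" -outform DER -out "$out"
)

# make_demo_p7b DIR: constructed sample chain (root CA, issuing CA, server
# certificate) written to DIR/chain.p7b, so the function can be tried offline.
make_demo_p7b() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Example Root CA" -days 2 2>/dev/null
    prev=root
    for n in "int:Example Issuing CA" "leaf:remoteaccess.ws.loc"; do
        f=${n%%:*}
        openssl req -newkey rsa:2048 -nodes -keyout "$f.key" -out "$f.csr" \
            -subj "/CN=${n#*:}" 2>/dev/null
        openssl x509 -req -in "$f.csr" -CA "$prev.pem" -CAkey "$prev.key" \
            -set_serial 2 -days 2 -out "$f.pem" 2>/dev/null
        prev=$f
    done
    openssl crl2pkcs7 -nocrl -certfile root.pem -certfile int.pem \
        -certfile leaf.pem -out chain.p7b
)
```

Run it as `extract_leaf response.p7b amserver2017.cer` (response.p7b is a placeholder for your CA's response file) and import the resulting .cer file in the Operations Console.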
Workaround
You could either:
  • Delete the root CA and intermediary files immediately before trying this solution (see KB 000035095, How to delete old or pending CSRs)
OR

  • Ask the Certificate Authority to provide you with separate root CA, intermediary and server certificate files.
