000035095 - How to delete old or pending certificate signing requests for RSA Authentication Manager console or virtual host replacement certificates

Document created by RSA Customer Support Employee on May 31, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035095
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
IssueThe Authentication Manager Operations Console allows you to create Certificate Signing Requests (CSR) for replacement certificates for both the console and virtual hosts, but does not allow you to delete old or pending CSRs.  You can do this with keytool in Linux by modifying the certificate keystore JKS file for either console certificates or for virtual host certificates
  1.  Access the RSA Authentication Manager server via a direct connection or with SSH, using an application such as PuTTy.
  2. Get the SSL server identity certificate keystore file password.
  3. Make a backup copy of the certificate keystore jks file that you plan to modify.
    • Console certificates are stored in /opt/rsa/am/server/security/webserver-inactive.jks
    • Virtual Host Certs are stored in /opt/rsa/am/server/security/vh-inactive.jks
  4. List the specific CSR by alias5.
  5. Delete specific CSR by alias.
  1. Access the RSA Authentication Manager server via a direct connection or with SSH, using an application such as PuTTy.  
  2. Login with the rsaadmin user name and associated password.
  3. Navigate to /opt/rsa/am/utils.
  4. Run the ./rsautil manage-secrets -a list com.rsa.signing.key command to capture the SSL Server Identity Certificate Keystore File Password.
  5. When prompted, enter the Operations Console admin user name and password.
  6. The signing key data is displayed.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed May 24 15:33:27 2017 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key
Please enter OC Administrator username: <enter Operations Console user name>
Please enter OC Administrator password: <enter Operations Console password>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_r06oo8su
Command API Client User Password ......................: idQl1P2AephUEFrTe87Wbmz6KyOe8R
SSL Server Identity Certificate Private Key Password ..: lBSeudECmvYIlkeMHM4bkwstOdav8s
SSL Server Identity Certificate Keystore File Password : xHZc6S9j1ZGLCLFWJLn9PyA7Uy3i6i
Root Certificate Private Key Password .................: FoxETkO49g4fh6Cixbji7RGcPJrCqF
Root Certificate Keystore File Password ...............: BB3aNkbU4uaEoNbURuTflnqd7Kcuna

  1. Note the SSL Server Identity Certificate Keystore File Password. Highlight this in order to paste it into the keytool prompt in step 10 below to access the JKS keystore file.
  2. Make a backup copy of the certificate keystore JKS file that you plan to modify.
  • Console certificates are stored in /opt/rsa/am/server/security/webserver-inactive.jks.
  • Virtual host certificates are stored in /opt/rsa/am/server/security/vh-inactive.jks.
cd /opt/rsa/am/server/security/
cp webserver-inactive.jks webserver-inactive.jks.bak
cp vh-inactive.jks vh-inactive.jks.bak

  1. List the specific CSR by alias.  Look in the Operations Console for the alias of your Console or Virtual Host Certificate.  Alias is the first column in the UI.
OC Certs alias

  1. Highlight the SSL Server Identity Certificate Keystore File Password obtained in step 6 above.
  2. Run the following command.
  3. When prompted, paste in the SSL Server Identity Certificate Keystore File Password by right clicking once in the session and pressing Enter.  The interface will not display the password string.
rsaadmin@am82p:/opt/rsa/am/server/security> ../../appserver/jdk/jre/bin/keytool -list -keystore ./vh-inactive.jks
Enter keystore password: <enter Host Certificate Private Key Password from above>
*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
rsa-am-ca, Jul 21, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 81:B5:68:35:E2:B8:2C:C9:FA:BE:67:B5:C3:4A:CC:02:A9:35:CB:A6
virtualhost-id-key, Jul 21, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 49:49:13:1E:6C:5C:55:63:9E:BA:12:61:8E:9F:60:74:9F:92:E9:34

  1. Once you have successfully listed the CSR by alias of the CSR you want to delete, simply up arrow to the list command and change list to delete.  For example,
../../appserver/jdk/jre/bin/keytool -list -alias tokenhelp -keystore ./vh-inactive.jks

  1. If the alias tokenhelp displays, then up arrow and change to delete
../../appserver/jdk/jre/bin/keytool -delete -alias tokenhelp -keystore ./vh-inactive.jks

Other examples

  • List virtual host CSR with alias of VH_2017:
../../appserver/jdk/jre/bin/keytool -list -alias VH_2017 -keystore ./vh-inactive.jks

  • List all console CSRs:
../../appserver/jdk/jre/bin/keytool -list -keystore ./webserver-inactive.jks

  • List a Console CSR with the alias of rsa prod internal (alias with spaces):
../../appserver/jdk/jre/bin/keytool -list -alias "rsa prod internal" -keystore ./webserver-inactive.jks
NotesThe -v switch gives verbose output in the list command, which includes serial numbers and dates.
Every time you generate a CSR in the Authentication Manager Operations Console, you also generate a new key pair, which effectively invalidates all previous CSRs because only the latest key pair is maintained.  Therefore, if you follow these steps, you will not be able to activate the first imported CSR response file because the public key inside it will not match with the current private key:
  1. Generate a CSR.
  2. Have the first CSR signed.
  3. Generate a second CSR.
  4. Import the first signed CSR.