000036083 - How to generate a Certificate Signing Request (CSR) with the Subject Alternative Name (SAN) field using openssl on RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Mar 21, 2018Last modified by RSA Customer Support Employee on Mar 21, 2018
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000036083
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
  • The RSA Authentication Manager Security Console, Operations Console and Virtual Host certificates do not have a Subject Alternative Name (SAN).
  • The Authentication Manager Operations Console generated a Certificate Signing Request (CSR) for a replacement console or virtual host certificate currently has no way to enter a SAN.
ResolutionTo resolve this issue,
  1. SSH to the RSA Authentication Manager server.
  2. Login as the  rsaadmin user with the operating system password created during setup.
  3. Create a new directory named /tmp/cert: 

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Feb 21 22:47:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> mkdir /tmp/cert

  1. Navigate to the new directory:

rsaadmin@am82p:~> cd /tmp/cert

  1. Create a new configuration file named openssl_san.cnf.
  2. Using the text below as a template, cut and paste the text into the new openssl_san.cnf. 
  3. Save the file when done.

Make sure you enter the exact Authentication Manager server/virtual host server FQDN in the line for commonName and for DNS.1, otherwise this procedure will not work

rsaadmin@am82p:/tmp/cert> vi openssl_san.cnf
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN)
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names] DNS.1 = server FQDN
DNS.2 = example1.com
DNS.3 = example2.com


  1. Use the following command to generate the CSR and private key.  

rsaadmin@am82p:/tmp/cert> openssl req -nodes -newkey 2048 -nodes -keyout private.key -out csr.csr -config openssl_san.cnf

  1. Use a file transfer tool such as WinSCP or FileZilla to retrieve the csr.csr file from /tmp/cert.
  2. Sign the CSR from your CA and download the full certificate chain (.p7b)

  • The following example is for when your CA is a Windows Server Domain Controller:
    1. In your web browser address bar, type the IP address of the server where the Certificate Authority is installed, followed by /certsrv. For example:
    2. Click the Request a Certificate link.
    3. Click the Advanced certificate request link.
    4. Click Submit a certificate.
    5. Paste the contents of your CSR file into the Saved Request text box.
    6. From the Certificate Template drop-down list, select Web Server.
    7. Click Submit.
    8. Choose DER Encoding and click Download Certificate Chain.

  1. Use a file transfer tool to copy the full certificate chain (certnew.p7b) to /tmp/cert on  the Authentication Manager server.
  2. SSH to the appliance and login as rsaadmin user with the operating system password.
  3. Navigate to /tmp/cert and run the following commands: 

    rsaadmin@am82p:/tmp/cert> openssl pkcs7 -in certnew.p7b -inform DER -out result.pem -print_certs
    rsaadmin@am82p:/tmp/cert> openssl pkcs12 -export -inkey private.key -in result.pem -out console_certificate.p12 -descert

Note: You will be prompted to enter a password in the last command.  This password is used when importing the console_certificate.p12 through the Authentication Manager Operations Console.

  1. Login to the primary's Authentication Manager Operations Console.
  2. Navigate to Deployment Configuration > Certificates > Console Certificate Management.
  3. Click Import certificate.
  4. Click Choose File and browse to  the location of the console_certificate.p12 defined in  step 11.
  5. For Type of certificate to import, choose PKCS#12 (.pfx or .p12)
  6. Enter the password and click Import.
  7. In the Operations Console navigate to Deployment Configuration > Certificates Console Certificate Management
  8. Click on the newly imported certificate and select Activate.  The server will restart.
NotesIf you are planning to use this process for either a Web Tier or Virtual Host Certificate, then for steps 12 and 17 above, navigate to 
Deployment Configuration > Certificates > Virtual Host Certificate Management.