To resolve this issue,
- SSH to the RSA Authentication Manager server.
- Login as the rsaadmin user with the operating system password created during setup.
- Create a new directory named /tmp/cert:
    login as: rsaadmin
    Using keyboard-interactive authentication.
    Password: <enter operating system password>
    Last login: Wed Feb 21 22:47:51 2018 from jumphost.vcloud.local
    RSA Authentication Manager Installation Directory: /opt/rsa/am
    rsaadmin@am82p:~> mkdir /tmp/cert
- Navigate to the new directory:
    rsaadmin@am82p:~> cd /tmp/cert
- Create a new configuration file named openssl_san.cnf.
- Using the text below as a template, cut and paste the text into the new openssl_san.cnf.
- Save the file when done.
Make sure you enter the exact FQDN of the Authentication Manager server (or of the virtual host) as the value of commonName and of DNS.1; otherwise this procedure will not work.
    rsaadmin@am82p:/tmp/cert> vi openssl_san.cnf

    [ req ]
    default_bits       = 4096
    prompt             = no
    encrypt_key        = no
    default_md         = sha256
    distinguished_name = req_distinguished_name
    req_extensions     = v3_req

    [ req_distinguished_name ]
    # prompt = no, so OpenSSL uses these values literally: replace every value below with your own.
    countryName         = XX              # Country Name (2 letter code)
    stateOrProvinceName = Your State      # State or Province Name (full name)
    localityName        = Your City       # Locality Name (eg, city)
    organizationName    = Your Company    # Organization Name (eg, company)
    commonName          = server FQDN     # Common Name: the exact Authentication Manager server/virtual host FQDN

    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName   = @alt_names

    [alt_names]
    DNS.1 = server FQDN
    DNS.2 = example1.com
    DNS.3 = example2.com
- Use the following command to generate the CSR and private key.
    rsaadmin@am82p:/tmp/cert> openssl req -new -nodes -newkey rsa:2048 -keyout private.key -out csr.csr -config openssl_san.cnf
Note: -newkey rsa:2048 on the command line overrides default_bits = 4096 in openssl_san.cnf, so the private key generated here is 2048 bits.
- Use a file transfer tool such as WinSCP or FileZilla to retrieve the csr.csr file from /tmp/cert.
- Sign the CSR with your CA and download the full certificate chain (.p7b).
- The following example is for when your CA is a Windows Server Domain Controller:
  - In your web browser address bar, type the IP address of the server where the Certificate Authority is installed, followed by /certsrv. For example: http://10.0.2.80/certsrv
  - Click the Request a Certificate link.
  - Click the Advanced certificate request link.
  - Click Submit a certificate.
  - Paste the contents of your CSR file into the Saved Request text box.
  - From the Certificate Template drop-down list, select Web Server.
  - Click Submit.
  - Choose DER Encoding and click Download Certificate Chain.
- Use a file transfer tool to copy the full certificate chain (certnew.p7b) to /tmp/cert on the Authentication Manager server.
- SSH to the appliance and login as rsaadmin user with the operating system password.
- Navigate to /tmp/cert and run the following commands:
    rsaadmin@am82p:/tmp/cert> openssl pkcs7 -in certnew.p7b -inform DER -out result.pem -print_certs
    rsaadmin@am82p:/tmp/cert> openssl pkcs12 -export -inkey private.key -in result.pem -out console_certificate.p12 -descert
Note: You will be prompted to enter a password in the last command. This password is used when importing the console_certificate.p12 through the Authentication Manager Operations Console.
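The following script is an added example and is not RSA's own code: it carries the openssl steps of this procedure end to end on one machine, so the CSR and the .p12 can be checked before anything is uploaded to the appliance. It writes openssl_san.cnf from the template above with real values filled in, generates the key and CSR with the same openssl req command, and verifies that the CSR really carries the FQDN as both commonName and DNS.1. Because the Windows CA is not available offline, a throwaway local test CA stands in for it and bundles the issued certificate and CA certificate into a DER PKCS#7 file the way certsrv's certnew.p7b does; the pkcs7 and pkcs12 commands from the procedure then run unchanged, and the resulting console_certificate.p12 is checked for a key that matches its certificate and for a complete chain. It assumes openssl is on the PATH; the hostnames am82p.example.com, example1.com and example2.com, the organization and location values, and the export password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not RSA's script. Runs the procedure's openssl steps end to end with
# a local test CA standing in for the Windows CA, and checks the CSR and the .p12.
# Hostnames, the O/ST/L values and the password below are constructed placeholders.
set -eu

# write_san_config DIR FQDN [extra SAN ...]: FQDN becomes both commonName and DNS.1,
# further names become DNS.2, DNS.3, ... (same layout as the openssl_san.cnf template).
write_san_config() {
    dir=$1; fqdn=$2; shift 2
    cat > "$dir/openssl_san.cnf" <<EOF
[ req ]
default_bits       = 4096
prompt             = no
encrypt_key        = no
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
countryName         = US
stateOrProvinceName = Massachusetts
localityName        = Bedford
organizationName    = Example Corp
commonName          = $fqdn

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[alt_names]
DNS.1 = $fqdn
EOF
    i=2
    for san in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$san" >> "$dir/openssl_san.cnf"
        i=$((i + 1))
    done
}

# generate_csr DIR: the procedure's command; -newkey rsa:2048 overrides default_bits.
generate_csr() {
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1/private.key" \
        -out "$1/csr.csr" -config "$1/openssl_san.cnf" >/dev/null 2>&1
}

# check_csr DIR FQDN: succeed only if the subject CN is FQDN and FQDN is the first
# subjectAltName DNS entry, i.e. the DNS.1 the procedure insists on.
check_csr() {
    text=$(openssl req -in "$1/csr.csr" -noout -text)
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots in the hostname literally
    printf '%s\n' "$text" | grep -E "Subject:.*CN ?= ?$esc(,|/|\$)" >/dev/null || return 1
    [ "$(printf '%s\n' "$text" | grep -oE 'DNS:[^, ]+' | head -n 1)" = "DNS:$2" ]
}

# sign_with_test_ca DIR: stand-in for the Windows CA. Issues a certificate honouring the
# CSR's v3_req extensions and bundles leaf + CA into DER PKCS#7 like certsrv's certnew.p7b.
sign_with_test_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -subj '/CN=Test Root CA' \
        -config "$1/openssl_san.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
    openssl x509 -req -in "$1/csr.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 30 -extfile "$1/openssl_san.cnf" -extensions v3_req -out "$1/leaf.pem" >/dev/null 2>&1
    openssl crl2pkcs7 -nocrl -certfile "$1/leaf.pem" -certfile "$1/ca.pem" \
        -outform DER -out "$1/certnew.p7b"
}

# build_p12 DIR PASSWORD: the two commands from the procedure, with the export password
# supplied non-interactively so the step can be scripted.
build_p12() {
    openssl pkcs7 -in "$1/certnew.p7b" -inform DER -print_certs -out "$1/result.pem"
    openssl pkcs12 -export -inkey "$1/private.key" -in "$1/result.pem" \
        -out "$1/console_certificate.p12" -descert -passout "pass:$2"
}

# check_p12 DIR PASSWORD: the key inside the .p12 must match its certificate (same RSA
# modulus) and the bundle must also hold the CA certificate, i.e. the full chain.
check_p12() {
    key_mod=$(openssl rsa -in "$1/private.key" -noout -modulus)
    cert_mod=$(openssl pkcs12 -in "$1/console_certificate.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -modulus 2>/dev/null)
    [ "$key_mod" = "$cert_mod" ] || return 1
    n=$(openssl pkcs12 -in "$1/console_certificate.p12" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE')
    [ "$n" -eq 2 ]
}

run_example() {
    work=$(mktemp -d)
    write_san_config "$work" am82p.example.com example1.com example2.com
    generate_csr "$work"
    check_csr "$work" am82p.example.com || { echo "CSR does not carry the FQDN as CN and DNS.1" >&2; return 1; }
    sign_with_test_ca "$work"
    build_p12 "$work" 'changeit'
    check_p12 "$work" 'changeit' && echo "console_certificate.p12 in $work is consistent"
}

run_example
```

On the appliance only write_san_config, generate_csr and check_csr apply before the CSR is sent to the real CA; after certnew.p7b comes back, build_p12 and check_p12 are the conversion and the sanity check to run before importing the file through the Operations Console.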
- Login to the primary's Authentication Manager Operations Console.
- Navigate to Deployment Configuration > Certificates > Console Certificate Management.
- Click Import certificate.
- Click Choose File and browse to the location of the console_certificate.p12 created with the openssl pkcs12 command above.
- For Type of certificate to import, choose PKCS#12 (.pfx or .p12).
- Enter the password and click Import.
- In the Operations Console, navigate to Deployment Configuration > Certificates > Console Certificate Management.
- Click on the newly imported certificate and select Activate. The server will restart.