To resolve this issue,
- SSH to the RSA Authentication Manager server.
- Login as the rsaadmin user with the operating system password created during setup.
- Create a new directory named /tmp/cert:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Feb 21 22:47:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> mkdir /tmp/cert
- Navigate to the new directory:
rsaadmin@am82p:~> cd /tmp/cert
- Create a new configuration file named openssl_san.cnf.
- Using the text below as a template, cut and paste the text into the new openssl_san.cnf.
- Save the file when done.
Make sure you enter the exact Authentication Manager server/virtual host server FQDN in the line for commonName and for DNS.1, otherwise this procedure will not work
rsaadmin@am82p:/tmp/cert> vi openssl_san.cnf
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN)
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names] DNS.1 = server FQDN
DNS.2 = example1.com
DNS.3 = example2.com
~
~
~
:wq!
- Use the following command to generate the CSR and private key.
rsaadmin@am82p:/tmp/cert> openssl req -nodes -newkey 2048 -nodes -keyout private.key -out csr.csr -config openssl_san.cnf
- Use a file transfer tool such as WinSCP or FileZilla to retrieve the csr.csr file from /tmp/cert.
- Sign the CSR from your CA and download the full certificate chain (.p7b)
- The following example is for when your CA is a Windows Server Domain Controller:
- In your web browser address bar, type the IP address of the server where the Certificate Authority is installed, followed by /certsrv. For example: http://10.0.2.80/certsrv
- Click the Request a Certificate link.
- Click the Advanced certificate request link.
- Click Submit a certificate.
- Paste the contents of your CSR file into the Saved Request text box.
- From the Certificate Template drop-down list, select Web Server.
- Click Submit.
- Choose DER Encoding and click Download Certificate Chain.
- Use a file transfer tool to copy the full certificate chain (certnew.p7b) to /tmp/cert on the Authentication Manager server.
- SSH to the appliance and login as rsaadmin user with the operating system password.
- Navigate to /tmp/cert and run the following commands:
rsaadmin@am82p:/tmp/cert> openssl pkcs7 -in certnew.p7b -inform DER -out result.pem -print_certs
rsaadmin@am82p:/tmp/cert> openssl pkcs12 -export -inkey private.key -in result.pem -out console_certificate.p12 -descert
Note: You will be prompted to enter a password in the last command. This password is used when importing the console_certificate.p12 through the Authentication Manager Operations Console.
- Login to the primary's Authentication Manager Operations Console.
- Navigate to Deployment Configuration > Certificates > Console Certificate Management.
- Click Import certificate.
- Click Choose File and browse to the location of the console_certificate.p12 defined in step 11.
- For Type of certificate to import, choose PKCS#12 (.pfx or .p12).
- Enter the password and click Import.
- In the Operations Console navigate to Deployment Configuration > Certificates > Console Certificate Management
- Click on the newly imported certificate and select Activate. The server will restart.
| 
on Mar 21, 2018