RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
This article explains how to export an SSL server certificate from an RSA Authentication Manager 8.x server .jks file using KeyStore Explorer (KSE).
There are two .jks keystores in /opt/rsa/am/server/security that hold the replaced AM certificate and its associated key pair:
- webserver-identity.jks for Security Console certificates, and
- vh-identity.jks for virtual host replacement certificates.
Make a backup copy of the file you want to export the private key from, usually vh-identity.jks when the private key is to be imported into a load balancer in front of the Web Tier. Move this backup copy of the .jks file to the Windows machine where KSE is running.
You will need both the
- SSL Server Identity Certificate Private Key Password and the
- SSL Server Identity Certificate Keystore File Password
from:
./rsautil manage-secrets -a list com.rsa.signing.key
The RSA Authentication Manager 8.x server now allows customers to use the Operations Console to import their own security certificate and use it to encrypt the SSL traffic for the Authentication Manager administrative consoles. The GUI does not provide an option to export that custom certificate and its private key should you want to move it to a new server.
You can also export the virtual host (VHost) certificate and private key to a .pfx or .p12 file in order to import the private key into a load balancer (e.g. F5), which can then terminate TLS connections from clients on the Internet and distribute those requests across multiple Web Tiers.
- Download KeyStore Explorer from the internet (Windows based).
- Download a copy of the certificate database from your Authentication Manager 8.x server and copy it to the server where you installed the KeyStore Explorer program. The certificate database is a file called webserver-identity.jks and it is located on the Authentication Manager 8.x server in /opt/rsa/am/server/security. You can use an SFTP client such as WinSCP or FileZilla to download a copy of the file from your Authentication Manager server.
- Look up the certificate private key and keystore file passwords on the Authentication Manager 8.x server so you can use the KeyStore Explorer program to open and export the certificates. On the RSA server navigate to /opt/rsa/am/utils and run the following command:
./rsautil manage-secrets -a listall
- When you run the command, you will be prompted to enter the Operations Console administrator name and password. If you enter the correct account credentials the command will print a list of passwords to the screen. From that list you want to copy the SSL Server Identity Certificate Private Key Password and SSL Server Identity Certificate Keystore File Password, as shown in the example below. Note that your passwords will be different than the ones shown here:
SSL Server Identity Certificate Private Key Password ..: iGegdeO9ev1XG0Y10gIzaAeiLaXY5g
SSL Server Identity Certificate Keystore File Password : rkEoHHgSFzoMmKhqg4C4t0xckbR8NE
- Now you have all the information you need to extract your certificate from the jks store copied off the Authentication Manager 8.x server.
- Use the KeyStore Explorer program to open the keystore file (webserver-identity.jks for Security Console cert, vhost-identity.jks for Virtual host).
- When prompted for a password enter the SSL Server Identity Certificate Keystore File Password captured above.
- Once the keystore is open, find the certificate you want to export in the list.
- Right click on the certificate name and choose Export > Export Key Pair. When prompted for a password, enter the SSL Server Identity Certificate Private Key Password.
- Export the data to a .p12 file and then use that to import the certificate and private key into your new Authentication Manager server. You may need to import the CA root and any intermediary certs from your certificate provider into the Authentication Manager 8.x server first.
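The procedure above uses two different passwords, and this added Python reader (not part of the RSA article or of KeyStore Explorer) shows why: in a version-2 JKS file the keystore file password only seals a SHA-1 integrity digest over the whole file, while the private key entry stays encrypted under the separate key password. The keystore bytes, aliases and password below are constructed for the example; the key and certificate blobs are opaque placeholders, not real DER.

```python
import hashlib
import struct
import time

MAGIC = 0xFEEDFEED
PRIVATE_KEY, TRUSTED_CERT = 1, 2
_SALT = b"Mighty Aphrodite"  # fixed string the JDK mixes into the integrity digest


def _utf(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s  # DataOutputStream.writeUTF layout


def _digest(data: bytes, password: str) -> bytes:
    # JDK: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || keystore bytes)
    return hashlib.sha1(password.encode("utf-16-be") + _SALT + data).digest()


def build_jks(entries, password: str) -> bytes:
    """Constructed writer, used here only to produce sample input for parse_jks."""
    out = struct.pack(">III", MAGIC, 2, len(entries))
    for alias, tag, key_blob, certs in entries:
        out += struct.pack(">I", tag) + _utf(alias.encode()) + struct.pack(">Q", int(time.time() * 1000))
        if tag == PRIVATE_KEY:  # encrypted PKCS#8 blob, then the chain length
            out += struct.pack(">I", len(key_blob)) + key_blob + struct.pack(">I", len(certs))
        for cert in certs:
            out += _utf(b"X.509") + struct.pack(">I", len(cert)) + cert
    return out + _digest(out, password)


def parse_jks(data: bytes, password: str):
    """Return (password_ok, [(alias, kind, chain_len)]) without decrypting any key."""
    body, stored = data[:-20], data[-20:]
    ok = stored == _digest(body, password)  # wrong file password -> False, not an exception
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != MAGIC or version != 2:
        raise ValueError("not a version-2 JKS file")
    pos, entries = 12, []
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", data, pos); pos += 6
        alias = data[pos:pos + alen].decode(); pos += alen + 8  # skip the creation timestamp
        if tag == PRIVATE_KEY:
            klen, = struct.unpack_from(">I", data, pos); pos += 4 + klen  # key stays opaque
            chain, = struct.unpack_from(">I", data, pos); pos += 4
        else:
            chain = 1  # a trusted certificate entry holds exactly one certificate
        for _ in range(chain):
            tlen, = struct.unpack_from(">H", data, pos); pos += 2 + tlen  # "X.509" type string
            clen, = struct.unpack_from(">I", data, pos); pos += 4 + clen
        entries.append((alias, "PrivateKeyEntry" if tag == PRIVATE_KEY else "trustedCertEntry", chain))
    return ok, entries


# Constructed sample keystore: one key pair with a two-certificate chain plus one trusted root.
SAMPLE_JKS = build_jks(
    [("vhost", PRIVATE_KEY, b"\x30\x82ENCRYPTED-KEY", [b"\x30\x82LEAF", b"\x30\x82INTERMEDIATE"]),
     ("issuer-root", TRUSTED_CERT, b"", [b"\x30\x82ROOT"])],
    "keystore-file-password")
```

Opening a real webserver-identity.jks with the wrong keystore file password fails this same digest check, which is what KSE reports before it ever asks for the private key password.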
A third-party tool called Keystore Manager [aka KeyStore Explorer KSE] can be used to extract the certificate and private key from the Authentication Manager 8.x server.
This process has only been tested in the RSA Support lab and has not been approved via the QA process. The tools used in this procedure are not provided by or warranted by RSA and we assume no responsibility for problems that may arise out of their use. Since this procedure has not been tested by QA, RSA Support can only give best effort support if you have a problem with its use.