How to Install a Third Party Certificate into RSA enVision
Originally Published: 2007-09-12
Article Number
Applies To
RSA Product/Service Type: enVision
RSA Version/Condition: 3.7.x, 4.x
Issue
SSL
HTTPS
Certificate Error
Cause
If the default key pair is used, the browser shows a certificate error as a warning when you connect to the admin GUI. You can still proceed to the admin GUI, bearing in mind that the default key is in use.
Resolution
1. Back up the existing keystore file.
Log in to the enVision server (A-Srv for LS, or ES) using the master account.
cd /d %_envision%\conf
copy .keystore original.keystore
2. Generate a keystore certificate file.
..\jdk\jre\bin\keytool -genkey -keyalg RSA -keystore .keystore -validity 365 -alias tomcat -storepass enVision -keypass enVision
What is your first and last name?
  [Unknown]: hostname
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is <CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown> correct ?
  [no]: yes
Note:
The -keypass and -storepass passwords are both “enVision”, and must not be changed.
The example shows a certificate -validity of 365 days (1 year); this value can be changed to something appropriate for your environment.
The first and last name is the machine's hostname (without spaces; it is case-sensitive). To see the hostname, run the command: ipconfig /all |findstr Host
3. Create a certificate signing request (csr) file.
..\jdk\jre\bin\keytool -certreq -keyalg RSA -file certreq.csr -keystore .keystore -alias tomcat -keypass enVision -storepass enVision
4. (Optional) You can look at the content of the created certificate signing request (csr) text file, certreq.csr
For example:
type certreq.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
5. Send the certreq.csr file to the third party you have chosen to sign the certificate; this may be an external company or an internal certificate authority (CA).
In return, you will receive a number of certificates, either as files or sometimes as an email listing the locations from which to download the certificates.
Be sure to ask for a server certificate (at least TLS web server authentication, and SSL server extensions enabled). You should have at least two certificate files, often three or more.
6. The CA signs your request, encrypts it with a private key, and sends you a validated certificate.
The CA also sends you a root CA certificate and, if applicable, an intermediate CA certificate.
Copy all the CA certificate files to the enVision server %_envision%\conf directory.
7. Install the root certificate first, using the password of “enVision”, and answering yes when the certificate details are displayed, and when asked to add the certificate to the keystore.
..\jdk\jre\bin\keytool -import -trustcacerts -alias root -keystore .keystore -file location_of_root_cert.crt -storepass enVision
Owner: CN=Production2048, OU=CSAU, O=RSA, C=AU, EMAILADDRESS=user@company.com
Issuer: CN=Production2048, OU=CSAU, O=RSA, C=AU, EMAILADDRESS=user@company.com
Serial number: 5ba1b42e6157511b406fefb3c524dc8e
Valid from: Tue Dec 18 10:38:01 EST 2007 until: Sun Jan 02 10:54:13 EST 2011
Certificate fingerprints:
  MD5: 40:75:C1:EB:D0:26:4E:C9:9B:59:6D:58:F8:2F:6D:BE
  SHA1: 07:EF:D7:0D:35:0B:31:49:DE:20:0A:B7:8C:B9:28:B3:C0:CC:D2:2E
Trust this certificate? [no]: yes
Certificate was added to keystore
Any intermediate certificates must be installed next, using the password “enVision”. For example, here are two intermediate certificates, with a different alias name invented for each one (the actual alias name for these is unimportant).
..\jdk\jre\bin\keytool -import -alias inter1 -keystore .keystore -file intermediate1.crt -storepass enVision
Certificate was added to keystore
..\jdk\jre\bin\keytool -import -alias inter2 -keystore .keystore -file intermediate2.crt -storepass enVision
Certificate was added to keystore
8. Install the signed server certificate, using the password “enVision”, and answering yes when asked to add the certificate to the keystore.
..\jdk\jre\bin\keytool -import -alias tomcat -keystore .keystore -file server.crt -storepass enVision -keypass enVision
Certificate reply was installed in keystore
9. Copy \jdk\jre\bin\.keystore to the %_envision%\conf directory.
copy %_envision%\jdk\jre\bin\.keystore %_envision%\conf
10. The root Certification Authority certificate (and the intermediate certificate, if present) has to be imported into the Microsoft computer trust store.
In Windows, select Start -> Run -> enter mmc -> OK
Click File -> Add/Remove Snap-In -> select Certificates -> click Add
Select Computer Account -> Next -> Finish -> OK
From the Console Root, open Certificates, and then Trusted Root Certification Authorities
Right-click Certificates -> All Tasks -> Import -> Next
Browse to the CA root certificate file
Next -> Next -> Finish
Exit the mmc, and select not to save console settings.
11. Stop and restart the NIC Web Server service.
Note: Stopping the NIC Web Server service will result in the NIC Alerter service being stopped.
After the NIC Web Server service returns to a “Started” state, restart the NIC Alerter service.
The installation is complete.
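A way to confirm that steps 7 and 8 attached the CA-signed chain to the tomcat key, as an added example that is not part of the original article: save the output of `..\jdk\jre\bin\keytool -list -v -keystore .keystore -storepass enVision` and pass it to `check_keystore`. The hostname ENV-ASRV01, the CA name and both listings are constructed for illustration.

```python
import re

# Constructed, abridged `keytool -list -v` output (placeholder names, not a real system).
SIGNED = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ENV-ASRV01, OU=IT, O=Example, C=AU
Issuer: CN=Example Root CA, O=Example, C=AU
Certificate[2]:
Owner: CN=Example Root CA, O=Example, C=AU
Issuer: CN=Example Root CA, O=Example, C=AU
"""
# Constructed: the key pair from step 2 with no signed reply installed yet.
UNSIGNED = """\
Alias name: tomcat
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=env-asrv01, OU=Unknown, O=Unknown, C=Unknown
Issuer: CN=env-asrv01, OU=Unknown, O=Unknown, C=Unknown
"""

def parse_entries(listing):
    """Map each alias to its entry type, chain length and Owner/Issuer lines."""
    entries, cur = {}, None
    for line in listing.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Alias name":
            cur = entries[value] = {"type": "", "chain": 0, "Owner": [], "Issuer": []}
        elif cur is not None and key == "Entry type":
            cur["type"] = value
        elif cur is not None and key == "Certificate chain length":
            cur["chain"] = int(value)
        elif cur is not None and key in ("Owner", "Issuer"):
            cur[key].append(value)
    return entries

def check_keystore(listing, hostname, alias="tomcat"):
    """Return a list of problems; empty means the alias holds a CA-signed chain."""
    e = parse_entries(listing).get(alias)
    if e is None:
        return ["alias %r not found" % alias]
    problems = []
    if e["type"] not in ("PrivateKeyEntry", "keyEntry"):  # older JDKs print keyEntry
        problems.append("not a private-key entry: %s" % e["type"])
    cn = re.match(r"CN=([^,]+)", e["Owner"][0]) if e["Owner"] else None
    if cn is None or cn.group(1) != hostname:  # comparison is case-sensitive
        problems.append("subject CN does not match hostname %s" % hostname)
    if e["chain"] < 2 or e["Owner"][:1] == e["Issuer"][:1]:
        problems.append("certificate is self-signed; CA reply not installed")
    return problems
```

An empty list means the browser will be offered a CA-issued certificate whose CN matches the hostname; any entry in the list points at the step to repeat.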