RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
- The RSA Authentication Manager Security Console, Operations Console and Virtual Host certificates do not have a Subject Alternative Name (SAN).
- When the Authentication Manager Operations Console generates a Certificate Signing Request (CSR) for a replacement console or virtual host certificate, there is currently no way to enter a SAN.
Note: The information in this article is interesting but no longer useful. Rather than running the openssl command, log in to the Operations Console and navigate to Deployment Configuration > Console Certificate Management > Generate CSR. There is a field to add SAN information.
- SSH to the RSA Authentication Manager server.
- Log in as the rsaadmin user with the operating system password created during setup.
- Create a new directory named /tmp/cert:
```
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Feb 21 22:47:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> mkdir /tmp/cert
```
- Navigate to the new directory:
```
rsaadmin@am82p:~> cd /tmp/cert
```
- Create a new configuration file named openssl_san.cnf.
- Using the text below as a template, cut and paste the text into the new openssl_san.cnf.
- Save the file when done.
Make sure you enter the exact Authentication Manager server/virtual host server FQDN in the line for commonName and for DNS.1, otherwise this procedure will not work.
```
rsaadmin@am82p:/tmp/cert> vi openssl_san.cnf
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN)

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = server FQDN
DNS.2 = example1.com
DNS.3 = example2.com
~
~
~
:wq!
```
- Use the following command to generate the CSR and private key.
```
rsaadmin@am82p:/tmp/cert> openssl req -newkey 2048 -nodes -keyout private.key -out csr.csr -config openssl_san.cnf
```
- Use a file transfer tool such as WinSCP or FileZilla to retrieve the csr.csr file from /tmp/cert.
- Sign the CSR from your CA and download the full certificate chain (.p7b).
- The following example is for when your CA is a Windows Server Domain Controller:
- In your web browser address bar, type the IP address of the server where the Certificate Authority is installed, followed by /certsrv. For example: http://10.0.2.80/certsrv
- Click the Request a Certificate link.
- Click the Advanced certificate request link.
- Click Submit a certificate.
- Paste the contents of your CSR file into the Saved Request text box.
- From the Certificate Template drop-down list, select Web Server.
- Click Submit.
- Choose DER Encoding and click Download Certificate Chain.
- Use a file transfer tool to copy the full certificate chain (certnew.p7b) to /tmp/cert on the Authentication Manager server.
- SSH to the appliance and log in as the rsaadmin user with the operating system password.
- Navigate to /tmp/cert and run the following commands:
```
rsaadmin@am82p:/tmp/cert> openssl pkcs7 -in certnew.p7b -inform DER -out result.pem -print_certs
rsaadmin@am82p:/tmp/cert> openssl pkcs12 -export -inkey private.key -in result.pem -out console_certificate.p12 -descert
```
Note: You will be prompted to enter a password in the last command. This password is used when importing the console_certificate.p12 through the Authentication Manager Operations Console.
- Log in to the primary's Authentication Manager Operations Console.
- Navigate to Deployment Configuration > Certificates > Console Certificate Management.
- Click Import certificate.
- Click Choose File and browse to the location of the console_certificate.p12 defined in step 11.
- For Type of certificate to import, choose PKCS#12 (.pfx or .p12).
- Enter the password and click Import.
- In the Operations Console, navigate to Deployment Configuration > Certificates > Console Certificate Management.
- Click on the newly imported certificate and select Activate. The server will restart.
If you are planning to use this process for either a Web Tier or Virtual Host Certificate, then for steps 12 and 17 above, navigate to Deployment Configuration > Certificates > Virtual Host Certificate Management.
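Because the procedure fails unless the exact FQDN appears in both commonName and DNS.1, it helps to inspect csr.csr before submitting it to the CA. The shell functions below are an added example, not part of the original article; the helper names (csr_sans, csr_cn, check_csr, make_sample_csr) and the host name am.example.test are assumptions, and the sample CSR is built from a constructed configuration.

```shell
# Added example: check that a CSR carries the expected FQDN in CN and in a DNS SAN.
# Print the DNS names from the CSR's subjectAltName extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print the CSR's commonName (RFC 2253 output is stable across OpenSSL versions).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Succeed only if both the CN and one DNS SAN equal the given FQDN exactly.
check_csr() {
    req_file=$1 want=$2
    [ "$(csr_cn "$req_file")" = "$want" ] || { echo "CN does not match $want"; return 1; }
    csr_sans "$req_file" | grep -qxF "$want" || { echo "no DNS SAN for $want"; return 1; }
    echo "CSR OK for $want"
}

# Build a throwaway CSR from a constructed config (am.example.test is a made-up host).
make_sample_csr() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/san.cnf" <<'EOF'
[ req ]
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[ dn ]
countryName = US
organizationName = Example Org
commonName = am.example.test
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = am.example.test
DNS.2 = example1.com
EOF
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/private.key" \
        -out "$dir/csr.csr" -config "$dir/san.cnf" ) >/dev/null 2>&1 || return 1
    echo "$dir/csr.csr"
}
```

On the appliance the equivalent call would be `check_csr /tmp/cert/csr.csr <server FQDN>`, run right after the openssl req step.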