How to download the RSA Authentication Manager Console Root Certificate in DER format
17 days ago
Originally Published: 2026-02-24
Article Number
000073828
Applies To

RSA ID Plus

RSA Authentication Manager 8.2 SP1 and above

RSA Cloud Access Service

RSA Identity Router v12.24.x and later

Issue

When configuring a REST Agent (SecurID Authentication REST API) connection to RSA Authentication Manager (AM), the application/agent requires the AM root certificate to verify its TLS connection to AM.

Most REST Agents, including all RSA MFA Agents, need the AM root certificate in PEM format.

Some REST Agents, including the one used by RSA Identity Routers that connects the RSA Cloud Access Service (CAS) to AM, need the certificate in DER format. 

Tasks

Steps to get the certificate in DER format are provided for the below browsers running in Microsoft Windows:

Note:

  • The browser methods provided here are suitable when AM is using the default AM console certificate (generated by AM during AM installation), or when an AM administrator has replaced the AM console certificate.
  • The screenshots here are from Windows 11 Pro 25H2.  The user interface may differ on other Windows versions.

Google Chrome v145

  1. In Chrome, navigate to the AM Security Console, Operations Console or a Self-Service Console running on the AM primary.
  2. Click the View Site Information icon to the left of the URL in Chrome's address bar. 

Chrome View Site Information icon

  3. Click Connection is secure
  4. Click Certificate is valid
  5. A Certificate Viewer window will pop up.
  6. Click the Details tab at the top of the pop-up window.

Chrome Certificate Viewer Details tab

  7. In the Details window, the top section will be labelled Certificate Hierarchy.  That section lists the full certificate chain for the AM console.  The first certificate listed at the top (with a grey down triangle to the left of it) will be the AM console root certificate.  Click the name of the AM console root certificate, then click the Export button at the bottom right of the window.  Note:  in the image below, "RSA root CA for am" and "am" are example certificate names only.   The certificate names in your deployment will differ.

Certificate Hierarchy

  8. A Save As window will pop up allowing you to save the root certificate file to a folder on your computer.  Click the Save as type box and change it to the DER-encoded binary, single certificate (*.der) option before clicking Save.

Save As

Microsoft Edge v145

  1. In Edge, navigate to the AM Security Console, Operations Console or a Self-Service Console running on the AM primary.
  2. Click the padlock icon to the left of the URL in Edge's address bar. 

Microsoft Edge padlock icon

  3. Click Connection is secure
  4. A "Connection is secure" window will pop up.  Click the small certificate icon to the left of the X in the upper right-hand corner.

Connection is secure

  5. A Certificate Viewer window will pop up.
  6. Click the Details tab at the top of the pop-up window.

Chrome Certificate Viewer Details tab

  7. In the Details window, the top section will be labelled Certificate Hierarchy.  That section lists the full certificate chain for the AM console.  The first certificate listed at the top (with a grey down triangle to the left of it) will be the AM console root certificate.  Click the name of the AM console root certificate, then click the Export button at the bottom right of the window.  Note:  in the image below, "RSA root CA for am" and "am" are example certificate names only.   The certificate names in your deployment will differ.

Certificate Hierarchy

  8. A Save As window will pop up allowing you to save the root certificate file to a folder on your computer.  Click the Save as type box and change it to the DER-encoded binary, single certificate (*.der) option before clicking Save.

Save As

Mozilla Firefox

RSA recommend using Chrome or Edge rather than Firefox for this purpose.  At the time of writing, current versions of Mozilla Firefox only allow site certificates to be downloaded in PEM format.  Firefox does not support DER format downloads. 

However, if Firefox is the only option, the file can be downloaded in PEM format then converted to DER.

To download a certificate in PEM format and convert it to DER:

  1. Download the certificate in PEM format as described in Knowledge Base (KB) article 000063937 - How to export root certificates for RSA Authentication Manager, Identity Router, or Cloud Authentication Service.
  2. Copy the PEM format certificate file to a computer with openssl installed.
  3. From a command prompt on that computer (e.g. SSH, Command Prompt or PowerShell):
    1. cd to the folder where the certificate is saved
    2. Run the following command to convert the certificate to a DER format file:

openssl x509 -outform der -in cert.pem -out cert.der

Change:

cert.pem to the filename of the PEM format certificate

cert.der to the filename for the new DER format copy of the certificate

Other Browsers

Use the equivalent process to Chrome or Edge in other browsers.  If the browser does not support download of certificates in DER format, use the method explained for Firefox to convert the certificate file from PEM to DER format after download.

Notes

Downloading the root CA certificate from AM's Application Trust certificate store

Warning:  This method is not generally recommended because it will only download the correct certificate if AM is still using the default AM console certificate that was automatically generated by AM during AM installation.  If that original certificate has been replaced as a console certificate (e.g. due to your organization's security policy or because the original certificate expired), this method cannot be used.  If in doubt, do not use this method.

If you are certain that AM is still using its original AM console certificate generated during installation, you can use this method. To download the AM console root CA certificate from AM's Application Trust certificate store, follow the steps on page Download an Application Trust Certificate. Select the certificate named RSA Console Server Application Trust. You will only need the Root CA certificate from there. It will be downloaded by your browser to file RootCA.cer.

Certificate Filename Suffix

A certificate file can have any filename and the suffix can be any value, although there are naming conventions, e.g. .cer, .crt, .pem, or .der.  The suffix is not used to determine the certificate format. 

Microsoft Windows only:  if a certificate is in PEM or DER format and has a .cer or .crt filename suffix, and if the file is opened from Windows File Explorer, Windows will display a pop-up window showing the certificate's details.  You cannot tell when viewing a certificate this way whether it is in PEM or DER format.

How to check if a certificate is in PEM or DER format

PEM and DER are two different X.509 certificate encoding standards.   They are not encrypted formats so PEM and DER certificates can be read without needing a password.

You can check if a certificate is in PEM or DER format by viewing the certificate file in any text editor.  Below is an example of how the same root certificate appears in Windows Notepad in the two formats.

PEM Format Root Certificate

PEM is an ASCII format, so a PEM certificate can be displayed by a text editor.  It will start with a "-----BEGIN CERTIFICATE-----" line and end with a "-----END CERTIFICATE-----" line. Between the two lines will be a block of Base64-encoded text.

Example PEM format certificate as it appears in Windows Notepad

DER Format Root Certificate

DER format is a binary-encoded format.  Consequently, most of it cannot be displayed correctly by a text editor.  However a few words, such as the certificate's subject, will be recognizable.

Example DER format certificate, displayed in Windows Notepad
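
The PEM/DER check described above, and the PEM-to-DER conversion from the Firefox section, can also be scripted. The following Python is an added example, not RSA code: it classifies a file by its content rather than its filename suffix, converts PEM to DER, and rejects a PEM file that holds more than one certificate. All function names are assumptions of this example, and SAMPLE_DER / SAMPLE_PEM are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block and captures its Base64 body.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(data: bytes) -> int:
    """Size in bytes of the outer DER SEQUENCE (header plus content)."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        raise ValueError("does not start with a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_format(data: bytes) -> str:
    """Classify file content as 'PEM', 'DER' or 'unknown'; the suffix is ignored."""
    if PEM_RE.search(data):
        return "PEM"
    try:
        return "DER" if der_total_length(data) == len(data) else "unknown"
    except ValueError:
        return "unknown"

def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a file holding exactly one certificate."""
    fmt = detect_format(data)
    if fmt == "DER":
        return data
    bodies = PEM_RE.findall(data)
    if fmt != "PEM" or len(bodies) != 1:
        raise ValueError("expected one PEM or DER certificate")
    der = base64.b64decode(b"".join(bodies[0].split()), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("PEM body is not a single DER object")
    return der

def sha256_fingerprint(data: bytes) -> str:
    """SHA-256 over the DER bytes; identical for PEM and DER copies."""
    return hashlib.sha256(to_der(data)).hexdigest()

# Constructed stand-in (a DER SEQUENCE of filler bytes, not a real certificate).
SAMPLE_DER = b"\x30\x81\xcb\x04\x81\xc8" + bytes(200)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Read the exported file with open(path, "rb").read() and pass the bytes to detect_format or to_der. Because sha256_fingerprint hashes the DER bytes, a matching value for the PEM download and its DER copy confirms the conversion produced the same certificate.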