Identity router (IDR) becomes distressed after adding and publishing new wildcard certificate in RSA SecurID Access
Originally Published: 2020-01-14
Article Number
Applies To
RSA Product/Service Type: Identity Router
Issue
- Follow the documentation on adding a wildcard certificate (Cloud Authentication Service Certificates) to the Cloud Authentication Service as a .pem certificate.
- Publish the changes to the Identity Router.
- The keystoreService is stopped, and changes are not published. The Identity Router then goes into a distressed state.
Errors reported in the Identity Router logs are as follows:
2019-07-16/13:39:17.679/UTC [ServiceMonitor] WARN com.symplified.service.shared.manager.ServiceMonitor[174] - Failed to start keystoreService since Tue Jul 16 13:38:06 UTC 2019 (70 seconds), retrying...
com.symplified.service.shared.StateChangeException: Unable to start service: keystoreService
    at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:64)
    at com.symplified.service.shared.manager.ServiceMonitor.startServices(ServiceMonitor.java:119)
    at com.symplified.service.shared.manager.ServiceMonitor.run(ServiceMonitor.java:45)
Caused by: com.symplified.service.shared.StateChangeException: Unable to load configuration for service: keystoreService
    at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:137)
    at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:59)
    ... 2 more
Caused by: java.security.cert.CertificateException: Could not generate certificate:
    at com.rsa.cryptoj.c.oz.engineGenerateCertificates(Unknown Source)
    at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462)
    at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:234)
    at com.symplified.service.appliance.keystore.KeystoreService.getCertificatesAndKeyFromCustomer(KeystoreService.java:211)
    at com.symplified.service.appliance.keystore.KeystoreService.loadConfig(KeystoreService.java:76)
    at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:135)
Cause
The .pem certificate contains a private key section, which begins with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----, as shown here:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBj08sp5++4anG
cmQxJjAkBgNVBAoTHVByb2dyZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMSAwHgYD
VQQDDBcqLmF3cy10ZXN0LnByb2dyZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
...
bml6YXRpb252YWxzaGEyZzIuY3JsMIGgBggrBgEFBQcBAQSBkzCBkDBNBggrBgEF
BQcwAoZBaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nvcmdh
z3P668YfhUbKdRF6S42Cg6zn
-----END PRIVATE KEY-----
Resolution
- Use openssl to convert the .pfx certificate to .pem without including the private key (-clcerts -nokeys writes only the certificates), using the command shown here:
# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
- Extract the private key from the .pfx to a separate key file and remove the password from the extracted private key (-nodes writes it unencrypted):
# openssl pkcs12 -in filename.pfx -nocerts -out server.key -nodes
- Import the certificate, private key, and chain in the Company Settings page in the Cloud Administration Console.
- Publish the changes.
Workaround
- Using a text editor, manually remove the encrypted private key section from the .pem file.
- Reapply the certificate on the cloud admin console.
- Publish the changes.
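The following script is an added example, not part of this article or of any RSA tooling. It implements the pre-publish check that both the Resolution and the Workaround above imply: inspect a .pem for private-key blocks (which the IDR keystoreService cannot parse) and, if found, produce a certificate-only copy, which is the manual text-editor workaround done programmatically. It goes slightly beyond the article by also recognising the ENCRYPTED PRIVATE KEY and traditional RSA/EC PRIVATE KEY labels; the sample PEM and its base64 bodies are constructed placeholders, not real key material.

```python
import re

# Matches any PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)

# Labels that must not be present in the certificate .pem uploaded to the
# Cloud Authentication Service. "PRIVATE KEY" is the case from the article;
# the others are the same problem in other PEM encodings (assumption).
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
              "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, base64_body) tuples for every PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_pem(text):
    """Summarise the file: how many certificates, how many key blocks,
    and whether it is safe to publish to the Identity Router."""
    labels = [label for label, _ in pem_blocks(text)]
    certs = labels.count("CERTIFICATE")
    keys = [label for label in labels if label in KEY_LABELS]
    return {"certificates": certs, "private_keys": len(keys),
            "ok": certs > 0 and not keys}


def strip_private_keys(text):
    """Return the same PEM with every private-key block removed."""
    def keep(m):
        return "" if m.group(1) in KEY_LABELS else m.group(0)
    cleaned = PEM_BLOCK.sub(keep, text)
    # Collapse the blank lines the removal leaves behind.
    return re.sub(r"\n{3,}", "\n\n", cleaned).strip() + "\n"


# Constructed sample of the combined key+cert .pem that distresses the IDR.
# Bodies are base64 of the word "placeholder", not real material.
COMBINED_PEM = """-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(check_pem(COMBINED_PEM))                      # private_keys: 1, ok: False
    print(check_pem(strip_private_keys(COMBINED_PEM)))  # private_keys: 0, ok: True
```

Run the check against the .pem before importing it on the Company Settings page; the key itself still goes in separately, as the Resolution describes.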