RSA Authentication Manager 8.x import of replacement certificate fails with the error This certificate is already imported
4 months ago
Originally Published: 2017-05-03
Article Number
000064368
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2, 8.2 SP1, 8.1 SP1
 
Issue

When importing a new web tier certificate, the following message is displayed:
           There was a problem processing your request

This certificate is already imported
 
OC_VirtualHostCert_already_imported.png


The /opt/rsa/am/server/logs/ops-console.log will also have the following message:

OC_CERT_IMPORT,26187,FAIL,UNEXPECTED_EXCEPTION,,,,,ocuser,,,,,,,,,"com.rsa.ims.security.tools.ssl.exception.InvalidCertificateException: 
This certificate is already imported


 

Cause
If you have not made the obvious mistake of actually trying to import the same certificate a second time, then the most likely explanation that you previously replaced this certificate, so that this is a second or later replacement, and therefore the root certificate and any intermediate CA certificates are already imported as part of the trust chain, AND you are importing a .p7b response file that contains the entire trust chain.
  • If the trust chain looks something like this, with the root CA at the top, any intermediary signing CA in the middle, and your server certificate at the bottom for a trust chain of three:
Cert_Path3.png
  • And the response file you are trying to import looks something like this, with the same trust chain of three (i. e., the root CA at top, the intermediary signing CA in the middle, and your server certificate at the bottom):
Cert_Path3_p7b.png

Then it is not your server certificate that was already imported.  It was one of the root certificates included in your server certificate response file that was already imported and is triggering the error  that this certificate is already imported.
Resolution
Extract the bottom server certificate; in this example, remoteaccess.ws.loc from your response file by writing just that certificate to its own .cer file.  
  1. Right click on the remoteaccess.ws.loc certificate at the bottom of the list and select Open.
Open Cert
 
  1. This will bring up the General tab:
Cert_Path3_p7b_remote.png
 
  1. Click on the Details tab and click Copy to File... in the lower right
Copy
 
  1. Click Next on the Certificate Export Wizard
Cert_Path3_p7b_remote_copy_Next.png
 
  1. Select DER encoded binary X.509 (.CER) and click Next.
Cert_Path3_p7b_remote_copy_Next_DER.png
 
  1. Give your exported Certificate a file name, such as amserver2017.cer.
filename
  1. Then Next and Finish.
  2. Import this file into the Operations Console.  If that import says you need the Signing Root Certificate, then repeat the above process for the Intermediary Signing Certificate
Workaround
You could either:
  • Delete the root CA and intermediary files immediately before trying this solution, see KB 000035095 How to delete old or pending CSRs
OR
  • Ask the Certificate Authority to provide you with separate root CA, intermediary and server certificate files.

Related Articles

Trending Articles

Don't see what you're looking for?