Microsoft Internet Explorer 6.0
When NAT is applied to the hostname of the RA, the Common Name of the certificate does not match the resolved hostname of the server, causing one of the three IE browser security checks to fail.
This results in a popup warning that the site is not trusted. Two of the three possible causes are flagged: the hostname mismatch is cited, along with an inability to verify the certificate chain.
The browser has a Valicert Trusted Root certificate in the trusted root store; however, it is not being associated with the Server SSL Certificate for the RSARM, even though the Root Certificate which signed the Server SSL Certificate was re-signed by RSA, which chains to Valicert.
To change the Common Name of the RA certificate, copy the Server SSL Certificate from
/<installed-dir>/WebServer/ssl/certs/enrollServer.cert
to the KCA.
All external certificates must be copied to /<installed-dir>/WebServer/ssl/extcerts/ before reissuing can occur.
____________________________________
To reissue an SSL Server certificate:
1. Click the Administrator Operations Workbench button.
2. In the Navigation Area, under Server Certificates, click Re-issue.
3. Select a signing CA from the drop-down list.
Only active CAs appear in the drop-down list.
4. Select a Jurisdiction from the other drop-down list.
The list shows only those Jurisdictions associated with the selected CA.
Select the same CA and Jurisdiction that the RA is used to administer certificates for.
5. Select either the Internal Certificate or External Certificate option.
6. Select a certificate from the appropriate drop-down lists of all the internal and external certificates.
7. Click Next.
The Re-issue Server Certificate page opens in the Content Area.
The new validity period, subject DN components and signing algorithm for the server certificate are taken from the old certificate. You may want to modify these values.
8. Select the Generate New Keypair checkbox if you want to generate new SSL keys.
9. Click Next.
10. Click Re-Issue.
The new SSL keys are generated. The new MD5 for the certificate appears.
Replace the SSL Server Certificate on the RSARM with the re-signed certificate.
You should no longer get the popup warning that the site is not trusted, and should go straight to the RSARM Enrollment page without a Certificate Trust Warning popup.
You may need to clear certificates out of incorrect folders in the browser: Tools > Internet Options > Content > Certificates.
When the Common Name mismatches, the browser inexplicably places the certificates in the wrong stores and, because they are in the wrong stores, fails to verify the chain.
Once the Common Name mismatch is resolved, freshly downloaded certificates will go into the correct stores. Manually downloading the certificates to the correct stores will solve the chaining issue, but the name mismatch would remain.
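Before replacing the certificate on the RSARM, the reissued subject DN can be checked against the hostname clients actually resolve through NAT. The following is an added example, not RSA code: the DNs, hostnames and function names are constructed, and the wildcard handling goes beyond the single-hostname case described above.

```python
# Added example (not RSA code): compare a certificate's Common Name with the
# hostnames clients use. All DNs and hostnames below are constructed samples.
import re

def parse_dn(dn):
    """Split 'CN=host, O=Org' into (ATTR, value) pairs; '\\,' is an escaped comma."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        pairs.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return pairs

def common_name(dn):
    """Return the first CN value in the subject DN, or None if there is none."""
    return next((v for a, v in parse_dn(dn) if a == 'CN'), None)

def host_matches(pattern, host):
    """Case-insensitive label-by-label match. Assumption: '*' is honored only as
    the entire left-most label and never directly under a top-level domain."""
    p = pattern.lower().rstrip('.').split('.')
    h = host.lower().rstrip('.').split('.')
    if len(p) != len(h):
        return False
    if p[0] == '*':
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check(subject_dn, client_hosts):
    """Map each hostname clients use to True (CN matches) or False (mismatch)."""
    cn = common_name(subject_dn)
    return {h: cn is not None and host_matches(cn, h) for h in client_hosts}

# Constructed sample data: the old certificate names the internal host, while
# clients reach the RA through NAT under a different (external) name.
OLD_DN = "CN=ra01.corp.internal, OU=PKI, O=Example\\, Inc., C=US"
NEW_DN = "CN=enroll.example.com, OU=PKI, O=Example\\, Inc., C=US"
EXTERNAL = "enroll.example.com"

if __name__ == "__main__":
    for label, dn in (("old", OLD_DN), ("reissued", NEW_DN)):
        for host, ok in check(dn, [EXTERNAL, "ra01.corp.internal"]).items():
            print(f"{label:9} CN={common_name(dn)} vs {host}: {'match' if ok else 'MISMATCH'}")
```

The check covers only the Common Name comparison; it does not validate the certificate chain.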