After upgrading to RSA Security Analytics 10.4.0.2, the public CA certificate that was installed at a previous version following the instructions in the knowledgebase article 26817 no longer appears to be present.
When navigating to the Security Analytics user interface, it once again shows invalid HTTPS connection with the message: "The identity of this website has not been verified."
In order to resolve some FIPS-related issues within Security Analytics, version 10.4.0.2 includes a Puppet module that changes the Jetty 9 web server keystore path from /opt/rsa/jetty9/etc/keystore to /opt/rsa/carlos/keystore, which is the default puppet keystore. This forces the Puppet CA certificate to be used for the user interface.
This can be verified by looking at the Certificate Information from the web browser, which will display information similar to the example below.
This issue will be addressed in Security Analytics 10.5, at which point it will be possible to import a custom CA certificate chain into the Puppet keystore.