Replace an Expired Console Certificate

If you replace the original console certificate with a certificate issued by a third-party certificate authority (CA), you must make sure that this third-party certificate is replaced before it expires. When the console certificate expires, you cannot start the Authentication Manager services after they are stopped.

If you stop Authentication Manager services on a deployment with an expired certificate, perform the following procedure, and then start the services.


  1. Log on to the appliance with the User ID rsaadmin and the current operating system password:

    • On a hardware appliance, the Amazon Web Services appliance or the Azure appliance, log on to the appliance using an SSH client.
    • On a VMware virtual appliance, log on to the appliance using an SSH client or the VMware vSphere client.

    • On a Hyper-V virtual appliance, log on to the appliance using an SSH client, the Hyper-V System Center Virtual Machine Manager, or the Hyper-V Manager.

    For instructions, see Log On to the Appliance Operating System with SSH.

  2. Change the directory to utils. Type:

    cd /opt/rsa/am/utils

    and press ENTER.

  3. Run the following command to change the console certificate from the third-party certificate to the original certificate. Type the following, and press ENTER:

    ./rsautil reset-server-cert -u oc_admin_UserID -p oc_admin_password


    • oc_admin_UserID is the user name for an Operations Console administrator

    • oc_admin_password is the Operations Console administrator’s password

After you finish

Start the Authentication Manager services. For instructions, see "Manage RSA Authentication Manager Services Manually" in the Administrator's Guide.
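
To keep a third-party console certificate from expiring unnoticed, its expiry date can be checked on a schedule. The following is an added example, not part of the RSA documentation: it assumes the console certificate has been exported to a PEM file and that the openssl command-line tool is available where the check runs; the function names console_cert_status and make_sample_cert are hypothetical.

```shell
#!/bin/sh
# Added example: warn before the console certificate expires.
# Exit codes: 0 = valid beyond the warning window, 1 = expires within the
# window, 2 = already expired, 3 = file is not a readable X.509 certificate.
console_cert_status() {
    pem=$1
    warn_days=${2:-30}
    # Reject anything openssl cannot parse, so a bad file is never reported OK.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "UNREADABLE: $pem"
        return 3
    fi
    not_after=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: $pem (notAfter $not_after)"
        return 2
    fi
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        echo "EXPIRING within $warn_days days: $pem (notAfter $not_after)"
        return 1
    fi
    echo "OK: $pem (notAfter $not_after)"
    return 0
}

# Constructed sample input: a throwaway self-signed certificate that is
# valid for $1 days, written to $2 (its private key goes to $2.key).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=constructed-console.example" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Stand-alone use: sh check_console_cert.sh exported-console-cert.pem [warn_days]
if [ "$#" -ge 1 ]; then
    console_cert_status "$1" "${2:-30}"
fi
```

A non-zero exit code from a scheduled run can be used to raise an alert while there is still time to install a renewed certificate.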