I've asked my CA for new certs to comply with ATS. When I attempted to activate the new cert, I got an error that says "The certificate subject name does not match the hostname of this machine. Select another certificate to activate". He was hoping that I could use the same cert for our primary and replica servers. Is that not possible?

No, Carla, the Device Certificates for AM Server Console access must be unique, so that the Subject field has CN = the FQDN of the specific AM server.

If you generate the Cert Signing Request (CSR) in the Authentication Manager Operations Console, it will specify everything you need, and your Certificate Authority (CA) will/should return a file or files that are the replacement Cert for the AM server, the Root CA signing Cert and any intermediary Signing Certs. Import the Root and any intermediary before the Server Cert.


If your CA wants to generate the private key for the AM server Cert, and does not want a CSR, then refer to the AM Admin Guide, but basically tell the CA that you want to "request an SSL server certificate". Public Key should be RSA, the Common Name (CN) must equal the Fully Qualified Domain Name (FQDN) of the AM server, which we always see in the Subject field, and the Cert should be able to do Digital Signatures, Key Encipherment, and I believe it also needs Data Encipherment, in the Critical Extensions field.

The Admin Guide also says that if you generated a CSR using a third-party tool (i.e. not in AM but through your CA), the CA should create a PKCS#12 file (either .pfx or .p12 extension) that includes the certificate file from your CA, the full Trust chain of Root and any intermediary Signers and the private key for this new certificate. This file will be password protected and you import that one file in the Ops Console, under Deployment Config - Certs - Console Certs.
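An added example, not part of the original posts or of the RSA documentation: for the third-party-tool case in the answer above, it generates a separate RSA key and CSR for each server, with CN set to that server's FQDN and the key usages the answer names, then shows that the primary's CSR fails a CN check against the replica's hostname. The hostnames are constructed placeholders and the function names are hypothetical; it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: one key + CSR per Authentication Manager server.
# Hostnames below are constructed; substitute each server's real FQDN.
set -eu

# make_csr <fqdn> <outdir>: RSA key and CSR whose CN is the server's FQDN.
# Runs in a subshell so the restrictive umask stays local to this function.
make_csr() (
    fqdn=$1; out=$2
    umask 077                      # private key readable by owner only
    mkdir -p "$out"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'req_extensions = ext' '[dn]' "CN = $fqdn" '[ext]' \
        'keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment' \
        > "$out/$fqdn.cnf"
    # -nodes leaves the key unencrypted on disk; keep the directory protected.
    openssl req -new -newkey rsa:2048 -nodes -config "$out/$fqdn.cnf" \
        -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" 2>/dev/null
)

# csr_cn <csr>: print the CN from the CSR's Subject field.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# cn_matches <csr> <fqdn>: succeed only if the CN equals the FQDN
# (hostnames compare case-insensitively).
cn_matches() {
    have=$(csr_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Demo: each server gets its own CSR; reusing the primary's fails the check.
dir=$(mktemp -d)
for host in am-primary.example.com am-replica.example.com; do
    make_csr "$host" "$dir"
    cn_matches "$dir/$host.csr" "$host" && echo "$host: CN matches"
done
if ! cn_matches "$dir/am-primary.example.com.csr" am-replica.example.com; then
    echo "primary CSR on replica: CN mismatch, a separate cert is needed"
fi
rm -rf "$dir"
```
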


Jay Guillette mentioned the RSA Authentication Manager 8.1 Administrator's Guide. You can download the guide from the Authentication Manager 8.1 Documentation page.