Security Console Cert Expiring on Replica Server
The cert for the Security Console on one of my Replica servers is expiring but the primary cert is still valid. Does each replica server need to have an individual cert deployed on it?
Accepted Solutions
For the Security Console, each server allows upload of new certs in its own Operations Console.
Thank you for the info.
When you deploy an Authentication Manager, AM primary or replica, a unique key pair is generated and a default console certificate containing the public key is signed by an internal RSA root certificate. This certificate is used when anyone uses a browser to connect to the Security Console, is also used between primary and replicas during promotion for maintenance, and is used during cross-realm or trusted-realm connections between different primaries, deployments or realms. The fact that you deployed these AM servers with software, hardware or .ova files from RSA, checked against digital signatures, could be enough for your company to "trust" the RSA self-signed certificates, but if not, you can replace the AM console certificates in one of two ways:
1. By generating a CSR (Certificate Signing Request) in the Operations Console. This generates a key pair and retains the private key internal to the AM deployment, so the Certificate Authority (CA) can reply with a PKCS#7 file that does not have a password, because there is no private key in it; the private key remained in the AM server.
2. Using a 3rd-party CSR, which generates the key pair outside of AM, so that when the CA signs the reply, it is in PKCS#12 format, which requires a password because the private key is included.
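Since every primary and replica carries its own console certificate, the practical check is to pull each server's certificate separately and compare expiry and fingerprint. The script below is an added example, not RSA tooling or anything from the thread; it assumes `openssl` is installed, and the host and port of each console are values you supply (no port is assumed here).

```shell
#!/bin/sh
# Added example: per-server console certificate checks using openssl only.

# Fetch the certificate presented by host $1 on port $2 and save it as PEM in $3.
# Use this once per AM server (primary and each replica), since they differ.
fetch_console_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Exit 0 when the certificate in PEM file $1 expires within $2 days.
# openssl -checkend returns non-zero when the cert will expire in that window.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# SHA-256 fingerprint of PEM file $1, to confirm that two servers really
# present different certificates rather than a copy of the primary's.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample data for offline use: a self-signed cert written to
# "$1.pem" (key in "$1.key") that is valid for $2 days, standing in for one
# server's default console certificate.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -days "$2" -subj "/CN=$(basename "$1")" >/dev/null 2>&1
}

# Report one PEM file: expiry date, fingerprint, and a 30-day warning.
report_cert() {
  echo "$1: $(openssl x509 -in "$1" -noout -enddate)"
  echo "$1: fingerprint=$(cert_fingerprint "$1")"
  if cert_expires_within "$1" 30; then
    echo "$1: WARNING expires within 30 days, renew on this server"
  fi
}
```

Run `fetch_console_cert` once per server into separate files, then `report_cert` on each; a replica whose fingerprint matches the primary would indicate the same certificate was copied rather than generated per server.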
