This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

Root (Server) and Client Certificates are RFC-5280 compliant starting in version 7.2.0 of RSA Identity Governance & Lifecycle

Article Number

000039236

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.x
 

Issue

Starting with RSA Identity Governance & Lifecycle 7.2.0, Root (Server) and Client Certificates are now RFC-5280 compliant. What this means is that when new server and client keystores are generated, they will be generated with a Subject Key Identifier (SKI) extension that is exactly 160 bits (20 Octet) in size. Prior to 7.2.0, certificates were generated with greater than 20 octets which potentially flagged Remote AFX Agents and Remote Collection Agents as security risks and blocked communication to these agents via firewalls. See related RSA Knowledge Base Article 000039238 -- Firewall is blocking Remote AFX Agents and Remote Collection Agents from communicating with the Application Server in RSA Identity Governance & Lifecycle for more information.

An example of a non RFC-compliant certificate (SKI > 20 octets) is shown below. Most octets are redacted but that is what the redaction is covering:
 
Image descriptionImage description

 

Resolution

A new installation of RSA Identity Governance & Lifecycle 7.2.0 will come with already RFC-compliant certificates. If this is an upgrade from a prior version, the certificates need to be regenerated. Server and client certificates are generated through the RSA Identity Governance & Lifecycle user interface. See RSA Knowledge Base Article 000038314 -- How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle for information on how to generate new server and client certificates. 

Note: This only needs to be done if you have Remote AFX Agents and/or Remote Collection Agents. If certificates are not regenerated, the firewall issue mentioned above will continue to occur and multiple Remote AFX Server failures may also occur. See related RSA Knowledge Base Article 000039237 -- Multiple Remote AFX Server Failures caused by 'Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same' after upgrading to version 7.2.0 of RSA Identity Governance & Lifecycle for more information.

An example of an RFC-compliant certificate (SKI restricted to 20 octets) is shown below. Although redacted, you can see the difference between this Subject Key Identifier and the one above.
 
Image descriptionImage description

 

Notes

For more information on the RFC-5280 standard see the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
 
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-24 04:21 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.