Article Number
000017517
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
This article explains how to export an SSL server certificate from an RSA Authentication Manager 8.x server.
Cause
The RSA Authentication Manager 8.x server now allows customers to use the Operations Console to import their own security certificate and use it to encrypt the SSL traffic for the Authentication Manager administrative consoles. The GUI does not provide an option to export that custom certificate and its private key should you want to move it to a new server.
Resolution
- Download KeyStore Explorer from the internet (Windows based).
- Download a copy of the certificate database from your Authentication Manager 8.x server and copy it to the machine where you installed the KeyStore Explorer program. The certificate database is a file called webserver-identity.jks and it is located on the Authentication Manager 8.x server in /opt/rsa/am/server/security. You can use an SFTP client such as WinSCP or FileZilla to download a copy of the file from your Authentication Manager server.
- Look up the certificate private key and keystore file passwords on the Authentication Manager 8.x server so you can use the KeyStore Explorer program to open and export the certificates. On the RSA server, navigate to /opt/rsa/am/utils and run the following command:
./rsautil manage-secrets -a listall
- When you run the command, you will be prompted to enter the Operations Console administrator name and password. If you enter the correct account credentials, the command will print a list of passwords to the screen. From that list, copy the SSL Server Identity Certificate Private Key Password and the SSL Server Identity Certificate Keystore File Password, as shown in the example below. Note that your passwords will be different from the ones shown here:
SSL Server Identity Certificate Private Key Password ..: iGegdeO9ev1XG0Y10gIzaAeiLaXY5g
SSL Server Identity Certificate Keystore File Password : rkEoHHgSFzoMmKhqg4C4t0xckbR8NE
- You now have all the information you need to extract your certificate from the JKS keystore copied off the Authentication Manager 8.x server.
- Use the KeyStore Explorer program to open the keystore file (webserver-identity.jks).
- When prompted for a password, enter the SSL Server Identity Certificate Keystore File Password captured above.
- Once the keystore is open, find the certificate you want to export in the list.
- Right-click on the certificate name and choose Export > Export Key Pair. When prompted for a password, enter the SSL Server Identity Certificate Private Key Password.
- Export the data to a .p12 file and then use that to import the certificate and private key into your new Authentication Manager server. You may need to import the CA root and any intermediary certs from your certificate provider into the Authentication Manager 8.x server first.
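The same export can be scripted with the JDK keytool utility instead of KeyStore Explorer. This is an added example, not part of the original RSA article: it assumes a JDK is installed on the workstation, and secret_for, export_keypair, P12_PW and the sample password values are names and values constructed for the example.

```shell
#!/bin/sh
# Added example: JDK keytool in place of KeyStore Explorer (assumption: a JDK is installed).

# Constructed sample of the two `rsautil manage-secrets -a listall` lines (not real secrets).
SAMPLE_LISTALL='SSL Server Identity Certificate Private Key Password ..: constructed-key-pw
SSL Server Identity Certificate Keystore File Password : constructed-store-pw'

# Print the value that follows label $1 in listall output read from stdin.
# The label is followed by optional padding (spaces/dots), a colon, then the value.
secret_for() {
    tr -d '\r' | sed -n "s/^$1[ .]*: *//p" | head -n 1
}

# Export one key pair to PKCS#12. Paste the listall output on stdin.
# $1 = copy of webserver-identity.jks, $2 = alias to export, $3 = output .p12
# P12_PW (password for the new .p12) must already be set by the caller.
# Runs in a subshell so umask and exported passwords do not leak to the caller.
export_keypair() (
    umask 077                          # the .p12 holds a private key: owner-only
    listing=$(cat)
    SRC_STORE_PW=$(printf '%s\n' "$listing" |
        secret_for 'SSL Server Identity Certificate Keystore File Password')
    SRC_KEY_PW=$(printf '%s\n' "$listing" |
        secret_for 'SSL Server Identity Certificate Private Key Password')
    if [ -z "$SRC_STORE_PW" ] || [ -z "$SRC_KEY_PW" ] || [ -z "$P12_PW" ]; then
        echo "missing keystore/key password in input, or P12_PW unset" >&2
        exit 1
    fi
    export SRC_STORE_PW SRC_KEY_PW P12_PW
    # :env keeps the passwords out of the process argument list.
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype JKS -srcalias "$2" \
        -srcstorepass:env SRC_STORE_PW -srckeypass:env SRC_KEY_PW \
        -destkeystore "$3" -deststoretype PKCS12 \
        -deststorepass:env P12_PW &&
    # Confirm the new file opens and contains the expected entry.
    keytool -list -keystore "$3" -storetype PKCS12 \
        -storepass:env P12_PW -alias "$2"
)
```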
Notes
A third-party tool called Keystore Manager can be used to extract the certificate and private key from the Authentication Manager 8.x server.
This process has only been tested in the RSA Support lab and has not been approved via the QA process. The tools used in this procedure are not provided by or warranted by RSA and we assume no responsibility for problems that may arise out of their use. Since this procedure has not been tested by QA, RSA Support can only give best effort support if you have a problem with its use.