Article Number: 000035095
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x, 8.1, 8.1 SP1, 8.2, 8.2 SP1
Issue
The Authentication Manager Operations Console allows you to create Certificate Signing Requests (CSRs) for replacement certificates for both the console and virtual hosts, but does not allow you to delete old or pending CSRs. You can do this with keytool from the Linux command line by modifying the certificate keystore JKS file for either console certificates or for virtual host certificates. Earlier versions of Authentication Manager did not have the capability to delete old CSRs from the Operations Console, which could result in a very long display.
Resolution
- Access the RSA Authentication Manager server via a direct connection or with SSH, using an application such as PuTTY.
- Log in with the rsaadmin username and associated password.
- Go to /opt/rsa/am/utils.
- Run the ./rsautil manage-secrets -a list com.rsa.signing.key command to capture the SSL Server Identity Certificate Keystore File Password.
- When prompted, enter the Operations Console admin username and password.
- The signing key data is displayed.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed May 24 15:33:27 2017 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key
Please enter OC Administrator username: <enter Operations Console user name>
Please enter OC Administrator password: <enter Operations Console password>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_r06oo8su
Command API Client User Password ......................: idQl1P2AephUEFrTe87Wbmz6KyOe8R
SSL Server Identity Certificate Private Key Password ..: lBSeudECmvYIlkeMHM4bkwstOdav8s
SSL Server Identity Certificate Keystore File Password : xHZc6S9j1ZGLCLFWJLn9PyA7Uy3i6i
Root Certificate Private Key Password .................: FoxETkO49g4fh6Cixbji7RGcPJrCqF
Root Certificate Keystore File Password ...............: BB3aNkbU4uaEoNbURuTflnqd7Kcuna
- Note the SSL Server Identity Certificate Keystore File Password. Highlight it so that you can paste it into the keytool prompt below to access the JKS keystore file.
- Make a backup copy of the certificate keystore JKS file that you plan to modify.
- Console certificates are stored in /opt/rsa/am/server/security/webserver-inactive.jks.
- Virtual host certificates are stored in /opt/rsa/am/server/security/vh-inactive.jks.
cd /opt/rsa/am/server/security/
cp webserver-inactive.jks webserver-inactive.jks.bak
cp vh-inactive.jks vh-inactive.jks.bak
- List the specific CSR by alias. Look in the Operations Console for the alias of your Console or Virtual Host Certificate. The alias is the first column in the UI.
- Highlight the SSL Server Identity Certificate Keystore File Password obtained from the manage-secrets output above.
- Run the following command.
- When prompted, paste in the SSL Server Identity Certificate Keystore File Password by right-clicking once in the session and pressing Enter. The interface will not display the password string. If keytool prints the "integrity ... has NOT been verified" warning shown below, it did not receive the password: -list still runs without it, but the -delete command later in this procedure needs the correct keystore password.
rsaadmin@am82p:/opt/rsa/am/server/security> ../../appserver/jdk/jre/bin/keytool -list -keystore ./vh-inactive.jks
Enter keystore password: <enter SSL Server Identity Certificate Keystore File Password from above>
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* Has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
rsa-am-ca, Jul 21, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 81:B5:68:35:E2:B8:2C:C9:FA:BE:67:B5:C3:4A:CC:02:A9:35:CB:A6
virtualhost-id-key, Jul 21, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 49:49:13:1E:6C:5C:55:63:9E:BA:12:61:8E:9F:60:74:9F:92:E9:34
rsaadmin@am82p:/opt/rsa/am/server/security>
- Once you have successfully listed the CSR by the alias of the CSR you want to delete, press the up arrow to recall the list command and change list to delete. For example,
../../appserver/jdk/jre/bin/keytool -list -alias tokenhelp -keystore ./vh-inactive.jks
- If the alias tokenhelp is displayed, press the up arrow and change list to delete.
../../appserver/jdk/jre/bin/keytool -delete -alias tokenhelp -keystore ./vh-inactive.jks
Other examples
- List virtual host CSR with alias of VH_2017:
../../appserver/jdk/jre/bin/keytool -list -alias VH_2017 -keystore ./vh-inactive.jks
- List all entries in the Console keystore:
../../appserver/jdk/jre/bin/keytool -list -keystore ./webserver-inactive.jks
- List a Console CSR with the alias of rsa prod internal (alias with spaces):
../../appserver/jdk/jre/bin/keytool -list -alias "rsa prod internal" -keystore ./webserver-inactive.jks
Notes
The -v switch gives verbose output in the list command, which includes serial numbers and dates.
Warning: do not delete anything that is listed as 'PrivateKeyEntry'. Other services can use the default self-signed key, or the replacement console key.
List all CSRs, Certificates, and Keys. See the many entries called 'trustedCertEntry', including the one with alias CSRfrom1999.
List by Alias, e.g. alias = CSRfrom1999. Use the up arrow to edit the list command, and change 'list' to 'delete'.
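The resolution steps above (back up the keystore, list the alias, then delete it) and the warning in these notes about never deleting a 'PrivateKeyEntry' can be combined into one guarded script. The following is an added example, not RSA's own tooling or part of the original article: it reuses the keystore directory and keytool path the article names, while the function names, the KEYSTORE_PASS variable and the sample keytool and manage-secrets output used for testing are assumptions. Unlike the interactive steps, it passes the keystore password with keytool's -storepass option so it can run without prompting, and it refuses to delete any alias that is not a 'trustedCertEntry'.

```shell
#!/bin/sh
# Added example (not RSA's own tooling): guarded removal of a stale CSR alias
# from an Authentication Manager keystore. Directory and keytool paths are the
# ones the article uses; function names and KEYSTORE_PASS are assumptions.
SECURITY_DIR=/opt/rsa/am/server/security
KEYTOOL=/opt/rsa/am/appserver/jdk/jre/bin/keytool

# Read `rsautil manage-secrets -a list com.rsa.signing.key` output on stdin and
# print only the SSL Server Identity Certificate Keystore File Password value.
extract_keystore_password() {
    sed -n 's/^SSL Server Identity Certificate Keystore File Password[ .]*: *//p' | head -n 1
}

# Read `keytool -list` output on stdin and print the entry type of alias $1
# (trustedCertEntry or PrivateKeyEntry); print nothing if it is not present.
# keytool prints one "alias, <date>, <type>," line per entry and stores JKS
# aliases in lower case, so the comparison is case-insensitive.
entry_type_from_listing() {
    awk -v a="$1" '
        index(tolower($0), tolower(a) ", ") == 1 {
            sub(/,[ \t]*$/, "")          # drop the trailing comma
            n = split($0, f, /, */)      # last field is the entry type
            print f[n]; exit
        }'
}

# Pending and old CSRs are trustedCertEntry items; a PrivateKeyEntry is a live
# key that the article says never to delete. Returns 0 only when deletion is allowed.
deletion_allowed() {
    [ "$1" = "trustedCertEntry" ]
}

# Back up keystore $1 (e.g. vh-inactive.jks), verify alias $2, then delete it.
# Expects the keystore password in $KEYSTORE_PASS so keytool does not prompt.
safe_delete_csr() {
    ks="$SECURITY_DIR/$1"
    alias="$2"
    cp "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)" || return 1
    etype=$("$KEYTOOL" -list -keystore "$ks" -storepass "$KEYSTORE_PASS" \
            | entry_type_from_listing "$alias")
    if [ -z "$etype" ]; then
        echo "alias '$alias' not found in $ks" >&2; return 1
    fi
    if ! deletion_allowed "$etype"; then
        echo "refusing to delete $etype '$alias' from $ks" >&2; return 1
    fi
    "$KEYTOOL" -delete -alias "$alias" -keystore "$ks" -storepass "$KEYSTORE_PASS"
}

# Usage: KEYSTORE_PASS='<keystore file password>' sh delete_csr.sh vh-inactive.jks VH_2017
if [ "$#" -eq 2 ]; then
    safe_delete_csr "$1" "$2"
fi
```

Run it as rsaadmin on the server after obtaining the keystore file password from manage-secrets; the type check is what keeps a typo in the alias from removing the live 'virtualhost-id-key' or console key entry.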
Note 2: Every time you generate a CSR in the Authentication Manager Operations Console, you also generate a new key pair, which effectively invalidates all previous CSRs because only the latest key pair is maintained. Therefore, if you perform these steps in this order, you will not be able to activate the first imported CSR response file because the public key inside it will not match the current private key:
- Generate a CSR.
- Have the first CSR signed.
- Generate a second CSR.
- Import the first signed CSR.