SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000035126
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2, 8.2 SP1, 8.1 SP1
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2, 8.2 SP1, 8.1 SP1
Issue
When importing a new web tier certificate, the following message is displayed:
Image description
The /opt/rsa/am/server/logs/ops-console.log will also have the following message:
This certificate is already imported
Image descriptionThe /opt/rsa/am/server/logs/ops-console.log will also have the following message:
OC_CERT_IMPORT,26187,FAIL,UNEXPECTED_EXCEPTION,,,,,ocuser,,,,,,,,,"com.rsa.ims.security.tools.ssl.exception.InvalidCertificateException:
This certificate is already imported
Cause
If you have not made the obvious mistake of actually trying to import the same certificate a second time, then the most likely explanation that you previously replaced this certificate, so that this is a second or later replacement, and therefore the root certificate and any intermediate CA certificates are already imported as part of the trust chain, AND you are importing a .p7b response file that contains the entire trust chain.
Image description
Image description
Then it is not your server certificate that was already imported. It was one of the root certificates included in your server certificate response file that was already imported and is triggering the error that this certificate is already imported.
- If the trust chain looks something like this, with the root CA at the top, any intermediary signing CA in the middle, and your server certificate at the bottom for a trust chain of three:
Image description- And the response file you are trying to import looks something like this, with the same trust chain of three (i. e., the root CA at top, the intermediary signing CA in the middle, and your server certificate at the bottom):
Image descriptionThen it is not your server certificate that was already imported. It was one of the root certificates included in your server certificate response file that was already imported and is triggering the error that this certificate is already imported.
Resolution
Extract the bottom server certificate; in this example, remoteaccess.ws.loc from your response file by writing just that certificate to its own .cer file.
Image description
Image description
Image description
Image description
Image description
Image description
- Right click on the remoteaccess.ws.loc certificate at the bottom of the list and select Open.
Image description- This will bring up the General tab:
Image description- Click on the Details tab and click Copy to File... in the lower right
Image description- Click Next on the Certificate Export Wizard
Image description- Select DER encoded binary X.509 (.CER) and click Next.
Image description- Give your exported Certificate a file name, such as amserver2017.cer.
Image description- Then Next and Finish.
- Import this file into the Operations Console. If that import says you need the Signing Root Certificate, then repeat the above process for the Intermediary Signing Certificate
Workaround
You could either:
- Delete the root CA and intermediary files immediately before trying this solution, see KB 000035095 How to delete old or pending CSRs
OR
- Ask the Certificate Authority to provide you with separate root CA, intermediary and server certificate files.
In this article
