Article Number
000039951
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Cloud Authentication Service
RSA Version/Condition: Identity Router
Issue
The public certificate on the Cloud Administration Console > My Account > Company Settings > Company Information page was replaced, but the old certificate is still presented to the browser when users browse to the Application Portal.
Cause
There are two likely causes. To narrow this down, browse to the identity router's setup page by opening a web browser and doing one of the following:
where <identityrouterIP> is the IP address of the identity router's management interface.
- For Amazon cloud-based identity routers, go to https://<identityrouterIP>:9786/setup.jsp,
where <identityrouterIP> is the private IP address of the identity router.
Once at the identity router's setup page, check which certificate is presented to the browser (if needed, search the internet for how to do this in the particular browser being used).
Either the old certificate or the new certificate will be seen.
- If the old certificate is still seen, then it is possible that the changes made when uploading the new public certificate to the Cloud Administration Console were not saved and/or published, so the identity router did not get updated with the new certificate.
- If the new certificate is seen, this indicates that the identity router was updated with the new certificate. This scenario very likely means that users are accessing the Application Portal through a load balancer and that the load balancer is still presenting the old certificate when the Application Portal is accessed.
Resolution
Depending on whether the old or new public certificate was seen on the identity router's setup page from the test above, do one of the following:
- If the old certificate was seen on the identity router's setup page, verify that the new public certificate is uploaded to the Cloud Administration Console > My Account > Company Settings > Company Information page, save these settings, and then publish the new changes. Once the publish completes, browse to the Application Portal and verify that the new certificate is presented to the browser.
- If the new certificate was seen on the identity router's setup page, check to see if the load balancer used with the identity router(s) for the Application Portal needs to be updated to use the new public certificate or if it needs to have its cache cleared so that it presents the new certificate.
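The same comparison can be scripted instead of read from the browser's certificate dialog. The following is an added example, not RSA-supplied code: it fingerprints the uploaded certificate, the certificate the identity router presents on the setup page port, and the certificate presented at the Application Portal hostname, then maps the result onto the two causes above. It assumes the uploaded file holds a single PEM certificate, that the portal listens on port 443, and that port 9786 (given above for Amazon cloud-based identity routers) applies; the function names are illustrative.

```python
import hashlib
import socket
import ssl
import sys


def fingerprint(der):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem_text):
    """Fingerprint of the certificate file that was uploaded to the console."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_text.strip()))


def presented_fingerprint(host, port, timeout=5.0):
    """Fingerprint of the leaf certificate a TLS endpoint presents."""
    # Verification is disabled on purpose: this identifies the certificate,
    # it does not trust it, and the setup page is reached by IP address.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def diagnose(new_fp, router_fp, portal_fp):
    """Map the two observations onto the causes described in the article."""
    if router_fp != new_fp:
        return "publish"        # router never received the new certificate
    if portal_fp != new_fp:
        return "load_balancer"  # router is current, something in front is not
    return "ok"


if __name__ == "__main__":
    # Usage: check.py <new-cert.pem> <identityrouterIP> <portal-hostname>
    pem_path, router_ip, portal_host = sys.argv[1:4]
    with open(pem_path) as fh:
        new_fp = pem_fingerprint(fh.read())
    router_fp = presented_fingerprint(router_ip, 9786)   # setup page port from the article
    portal_fp = presented_fingerprint(portal_host, 443)  # assumed portal port
    print("uploaded:", new_fp)
    print("router:  ", router_fp)
    print("portal:  ", portal_fp)
    print("result:  ", diagnose(new_fp, router_fp, portal_fp))
```

A result of `publish` corresponds to the save-and-publish step in the Resolution, and `load_balancer` to updating the load balancer's certificate or clearing its cache.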