The cert for the Security Console on one of my Replica servers is expiring but the primary cert is still valid. Does each replica server need to have an individual cert deployed on it?
For the Security Console, each server allows upload of new certs in it's own Operations Console.
Thank you for the info.
When you deploy an Authentication Manager, AM Primary or Replica, a unique Key pair is generated and a default console Certificate with the public key is signed by an internal RSA Root Certificate. This certificate is used when anyone uses a browser to connect to the Security Console, and is also used between primary and replicas during promotion for maintenance, and is used during cross-realm or trusted realm connections between different primaries or deployments or realms. The fact that you deployed these AM servers with software or hardware or .ova files from RSA - checked against digital signatures could be enough for your company to 'trust' the RSA self-signed Certificates, but if not, you can replace the AM console certificates one of two ways;
1. by generating a CSR Certificate Signing Request in the Operations Console - this generates a key pair and retains the private key internal to the AM deployment, so that the Certificate Authority, CA can reply with a PKCS#7 file that does not have a password because there is no private key in it, the private key remained in the AM server
2. Using a 3rd party CSR, which generates the key pair outside of AM, so that when the CA signs the reply, it is in a PKCS#12 format which requires a password because the private key is included.
000030016 - How to replace the RSA Authentication Manager 8.1 SP1 self-signed console certificate with a certificate that uses SHA-256
Retrieving data ...