This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

How to export Web Tier Virtual Host Key Pair to a PFX file for RSA Authentication Manager 8.0 and 8.1

Article Number

000032627

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: SecurID Appliance
RSA Version/Condition: 8.0, 8.1 
Platform (Other): Web Tier Virtual Host
 

Issue

An administrator needs to locate the key pair from the Authentication Manager instance in order to generate a PKCS#12 (.pfx) file for a load balancer for example, an F5). The administrator has already generated the certificate signing request (CSR), had a Certificate Authority (CA) sign the CSR and imported the matching certificate via the Operations Console under Deployment ConfigurationCertificatesVirtual Host Certificate Management.

 

Task

Tasks to be performed by an administrator are as follows:
  1. Launch an SSH client, such as PuTTY.
  2. Login to the Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to login.

  1. To open the JKS keystore holding the key pair an administrator must obtain the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password.
  2. Check the Alias for the key pair.
  3. Export only the key pair to a new JKS keystore.
  4. Convert the JKS keystore to PKCS#12 format generating a PFX file.
  5. Obtain a copy of the PFX file from the Authentication Manager instance using a secure FTP client, such as FileZilla or WinSCP. 
  6. Close the SSH session.

Resolution

Perform the tasks at the command line where SSH has been enabled via the Operations Console:

  1. Login to the Operations Console and navigate to Administration > Operating System Access.
  2. Check the option to Enable SSH.
  3. Click Save.

NOTE: The password for the rsaadmin account is created during the deployment of the Authentication Manager instance and is unknown to RSA Customer Support.

  • ​The keytool is used to perform the tasks with the JKS keystores and keytool is located in /opt/rsa/am/appserver/jdk/bin.
  • The JKS keystores are located in /opt/rsa/am/server/security.
  • The rsautil is located in /opt/rsa/am/utils.


Obtain the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password

  1. Navigate to the utils folder
cd /opt/rsa/am/utils
  1. Obtain the required passwords (signing keys) for unlocking the JKS keystores​
rsaadmin@app81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key
Please enter OC Administrator username: <enter the name of the Operations Console administrator>
Please enter OC Administrator password: <enter the password of the Operations Console administrator>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_9uwbaoze
Command API Client User Password ......................: N04vujpJYzkePDn0vf0zjnu2NmEJ1f
SSL Server Identity Certificate Private Key Password ..: jkN1075giQ9IIFD8Pg6uVq4BGFB9yU
SSL Server Identity Certificate Keystore File Password : g972SpITERSGMtYCZWevKd4UTVuZUw
Root Certificate Private Key Password .................: rSl0jKaSPUFww2fb0KVfJdbUIFwQK3
Root Certificate Keystore File Password ...............: Rg10rVYLQW8fNHEdMxbgucWlMQ1mAX
 

The "listkeys" action displays the key names to use when setting the values.
rsaadmin@app81p:/opt/rsa/am/utils>

Check the Alias for the key pair

  1. An administrator can use the Operations Console to access Deployment ConfigurationCertificatesVirtual Host Certificate Management to check the Alias of the key pair entry.  For example:
Image descriptionImage description
  1. An administrator can check the contents of the required JKS keystore at the command line.
    1. Navigate to /opt/rsa/am/server/security:
cd /opt/rsa/am/server/security
  1. Display the contents of the JKS keystore (vh-inactive.jks) with the command ../../appserver/jdk/bin/keytool -v -list -keystore /opt/rsa/am/server/security/vh-inactive.jks.  Note that the SSL Server Identity Certificate Keystore File Password is required to unlock the JKS keystore.  For example:
rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -list -keystore /opt/rsa/am/server/security/vh-inactive.jks
Enter keystore password:  <enter the SSL Server Identity Certificate Keystore File Password captured above in step 2 for Obtain the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password>

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: selfservice
Creation date: Jun 20, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=mark.bell@rsa.com, CN=selfservice.csau.ap.rsa.net, OU=CS, O=RSA, L=Sydney, ST=NSW, C=AU
Issuer: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Serial number: 2d00000004979cbf90acd43dd4000000000004
Valid from: Tue Jun 20 09:36:19 EST 2017 until: Thu Jun 20 09:36:19 EST 2019
Certificate fingerprints:
         MD5:  E3:F9:C2:7B:BD:A6:A5:07:CF:CE:DA:50:8F:93:1E:46
         SHA1: 42:ED:F2:41:76:ED:14:FC:1E:D5:E6:00:B9:F9:E0:75:0E:6E:5B:59
         Signature algorithm name: SHA256withRSA
         Version: 3
Certificate[2]:
Owner: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Issuer: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Serial number: 1b0fa756985bbfb6473f9d1e67ea33c9
Valid from: Tue Apr 18 15:12:19 EST 2017 until: Mon Apr 18 15:22:18 EST 2022
Certificate fingerprints:
         MD5:  2D:63:60:60:4E:F8:52:8D:8D:B6:E1:33:99:E8:FB:E3
         SHA1: 48:4F:9D:68:F9:1A:17:4B:33:12:3A:92:64:75:BB:E0:D9:72:ED:91
         Signature algorithm name: SHA256withRSA
         Version: 3


*******************************************
*******************************************



Alias name: selfservice-signing-ca
Creation date: Jun 20, 2017
Entry type: trustedCertEntry

Owner: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Issuer: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Serial number: 1b0fa756985bbfb6473f9d1e67ea33c9
Valid from: Tue Apr 18 15:12:19 EST 2017 until: Mon Apr 18 15:22:18 EST 2022
Certificate fingerprints:
         MD5:  2D:63:60:60:4E:F8:52:8D:8D:B6:E1:33:99:E8:FB:E3
         SHA1: 48:4F:9D:68:F9:1A:17:4B:33:12:3A:92:64:75:BB:E0:D9:72:ED:91
         Signature algorithm name: SHA256withRSA
         Version: 3


*******************************************
*******************************************


Alias name: rsa-am-ca
Creation date: Jun 20, 2017
Entry type: trustedCertEntry

Owner: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Issuer: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Serial number: -79217c0c7b67e63bef60e85a0263e555
Valid from: Thu Oct 13 13:12:13 EST 2016 until: Thu Jan 01 00:00:00 EST 2037
Certificate fingerprints:
         MD5:  62:EE:78:BA:04:08:6F:2C:39:03:94:77:FC:BD:66:30
         SHA1: BE:68:44:F5:B8:89:10:17:A8:D1:1E:04:16:5F:36:C5:D0:BD:0F:7C
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************


Alias name: virtualhost-id-key
Creation date: Jun 20, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: SERIALNUMBER=372302feed2e7006d6e382ea9f1621f26fac9ec7c58d46b17085801ff7d1f228, CN=selfservice.csau.ap.rsa.net
Issuer: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Serial number: 3e26c3d9a3556994a90be1cd6f334b09
Valid from: Mon Jun 19 09:40:19 EST 2017 until: Sun Jun 20 09:40:19 EST 2027
Certificate fingerprints:
         MD5:  97:83:19:8C:AD:09:4F:76:5E:F4:B1:DD:16:5E:6A:AF
         SHA1: 43:49:AE:E1:6D:28:49:17:FD:1E:CF:C1:05:58:7E:9B:95:B6:5B:A4
         Signature algorithm name: SHA1withRSA
         Version: 3
Certificate[2]:
Owner: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Issuer: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Serial number: -79217c0c7b67e63bef60e85a0263e555
Valid from: Thu Oct 13 13:12:13 EST 2016 until: Thu Jan 01 00:00:00 EST 2037
Certificate fingerprints:
         MD5:  62:EE:78:BA:04:08:6F:2C:39:03:94:77:FC:BD:66:30
         SHA1: BE:68:44:F5:B8:89:10:17:A8:D1:1E:04:16:5F:36:C5:D0:BD:0F:7C
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************


rsaadmin@app81p:/opt/rsa/am/server/security>

 

Export only the key pair to a new JKS container using the Alias

  1. To export the key pair (in this example called selfservice) into a new JKS keystore (created in /tmp) use the command ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -srcalias selfservice  -destkeystore  /tmp/export.jks.  For example:

rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -srcalias selfservice -destkeystore /tmp/test.jks
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Enter key password for <selfservice>
[Storing /tmp/test.jks]
rsaadmin@app81p:/opt/rsa/am/server/security>

  • The destination password is provided by the administrator (e. g., password01) for the new JKS keystore.
  • The source keystore password is the SSL Server Identity Certificate Keystore File Password.
  • The key password for <Alias> (e. g., <selfservice>) is the SSL Server Identity Certificate Private Key Password.


Convert the JKS keystore to PKCS#12 format generating a PFX file​

  1. To convert the new JKS keystore into a PFX file use the following command: ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /tmp/export.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore /tmp/keypair.pfx.  For example:

rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /tmp/export.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore /tmp/keypair.pfx
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Enter key password for <selfservice>
Entry for alias selfservice successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing /tmp/keypair.pfx]
rsaadmin@app81p:/opt/rsa/am/server/security>

  • IMPORTANT:  The destination password is the SSL Server Identity Certificate Private Key Password 
  • The source keystore password was set by the administrator when creating the new JKS keystore in /tmp.
  • The key password for <Alias> (e. g., <selfservice>) is the SSL Server Identity Certificate Private Key Password.

The PFX file is protected with a password and the key pair in the PFX file is also protected by a signing key/password. It is important that these passwords match else it will cause a problem when using the PFX file with another utility (e. g., OpenSSL) or importing the PFX file into a web browser.


For example, the following is a Certificate Import Wizard error for Microsoft Internet Explorer:
 
Image descriptionImage description

Older Windows platforms may report the following:
 
Image descriptionImage description

Notes

This solution does not work in Authentication Manager 8.2. This article will be updated at at later date.

Private keys need to be handled with care and handled securely.  
  • ​Do not leave files containing key pairs exposed on a file server or remote share.  
  • Ensure the appropriate protection is given that meets your company, organization or facilities security requirements and/or policies.
 

IMPORTANT: Should an administrator use openSSL to convert the PFX file to a PEM formatted file, then the password used to protect the PFX file must match the SSL Server Identity Certificate Private Key Password.  Where the PFX password does not match the SSL Server Identity Certificate Private Key Password then this will generate an error.

For example:
rsaadmin@app81p:/opt/rsa/am/server/security> openssl pkcs12 -in /tmp/keypair.pfx -out /tmp/keypair.pem -nodes
Enter Import Password: <enter the SSL Server Identity Certificate Private Key Password>
MAC verified OK

Error outputting keys and certificates
140190678206120:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
140190678206120:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140190678206120:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
rsaadmin@app81p:/opt/rsa/am/server/security>

 

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-23 10:12 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.