How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings.
Authentication Manager 8.x all versions
The RSA Authentication Manager Security Appliance is deployed with RSA self-signed certificates, which are not signed by any public Certificate Authority (e.g. DigiCert, GoDaddy, VeriSign, Comodo), so by default browsers report the AM appliance as Untrusted.
Since all RSA customers download Authentication Manager software in a secure manner, verified by RSA digital signatures, the Authentication Manager appliance is a very secure web site, and Authentication Manager users should therefore import the RSA self-signed Root CA certificate so that it is trusted.
In certain circumstances it can be dangerous. I worked with a customer whose GPO policy was to block browser access to 'untrusted' web sites. This customer needed to revert to an RSA self-signed certificate for maintenance work, and locked themselves out of the RSA Security Console because of this policy.
Authentication Manager is not a public commercial site, so the reason for publicly trusted certificates does not exist. It is at best a waste of money, at worst a potential S1 server-down outage waiting to happen.
Overview of the steps:
1. Export the RSA self-signed Root CA with a browser.
2. Install the RSA self-signed Authentication Manager Root CA certificate so that your browsers will trust it.
   2.a. secpol.msc - Define policy settings to allow trusted root CA and peer trust certificates.
   2.b. certmgr.msc - Trusted Root Certification Authorities - All Tasks - Import the .crt/.cer file from step 1.
1. Export the RSA self-signed Root CA with a browser.

Click the "Not Secure" area of the address bar in front of your AM primary Security Console URL, https://<name>:7004/console-ims. From the drop-down select "Certificate" or "Certificate is not valid" (you might need to open "Connection is not secure" first to see an entry with 'Certificate' in it).

When the certificate dialog pops up, the [General] tab shows general information about the certificates: the primary (server) certificate as well as the RSA self-signed Root certificate. Select the [Details] tab.

Highlight the Root certificate, which covers the primary and all current and future replicas. Then click the [Export] button at the bottom right and save it as a .cer or .crt file, Base-64 encoded (the default). Note the file name and location, e.g. RSA_root_CA_for_<server>.crt.
2. Install the RSA self-signed Authentication Manager Root CA certificate so that your browsers will trust it.

First you need to change your security settings to allow trusted root CA and peer trust certificates. This is done in Windows with the command secpol.msc, which you can type into the Windows search box or at a CMD / Run prompt.

2.a. secpol.msc - Define policy settings to allow trusted root CA and peer trust certificates.

Navigate to Public Key Policies - Certificate Path Validation Settings, and check "Define these policy settings", "Allow trusted root CAs to be used to validate certificates" and "Allow peer trust certificates". Click [Apply] at the bottom right when these selections are made.

After these policy changes, you need to import the RSA self-signed Root CA certificate that you exported in Step 1 above into Certificate Manager, certmgr.msc. This is done in Windows with the command certmgr.msc, which you can type into the Windows search box or at a CMD / Run prompt.

2.b. certmgr.msc - Trusted Root Certification Authorities - All Tasks - Import the .crt/.cer file from step 1.
There are alternative ways to accomplish step 2, including the MMC Certificates snap-in or the command line: certutil -addstore root <path>\<filename>.cer (or .crt).
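The same two steps, export of the self-signed root and import into the Trusted Root store, can be scripted. The following PowerShell is an added example written for this article; it is not RSA's own tooling. It assumes the AM primary's Security Console is reachable on port 7004 (the host name below is a placeholder), reads the certificate chain the server presents during a TLS handshake, saves the self-signed root as a Base-64 .cer file exactly like the browser export, prints its thumbprint so you can compare it against the one shown in the Security Console certificate dialog before trusting it, and then imports it with Import-Certificate.

```powershell
# Added example (not RSA's own code). Export the AM Security Console's self-signed
# root CA from its TLS chain and import it into the Current User Trusted Root store.
param(
    [string]$AmHost  = 'am-primary.example.com',   # placeholder: your AM primary FQDN
    [int]   $Port    = 7004,                       # Security Console port from the article
    [string]$OutFile = "$env:USERPROFILE\RSA_root_CA_for_$AmHost.cer"
)

# The validation callback lets us read the chain the server sends. Returning $true here
# only accepts the certificate for this one read-only handshake; nothing is trusted yet.
$script:chainCerts = @()
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:chainCerts = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($AmHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($AmHost)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# The root is the self-signed element of the chain (Subject equals Issuer).
$root = $script:chainCerts | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
if (-not $root) {
    throw "No self-signed root in the presented chain; export it from the browser as in step 1."
}

# Base-64 (PEM) encoding, the same format as the browser's default export.
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($root.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding ascii

Write-Host "Root subject     : $($root.Subject)"
Write-Host "SHA-1 thumbprint : $($root.Thumbprint)"
Write-Host "Saved to         : $OutFile"

# Compare the thumbprint with the Security Console dialog before running the import.
# Windows shows a confirmation prompt when adding to the Current User root store.
Import-Certificate -FilePath $OutFile -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# Verify: the server's leaf certificate should now build a clean chain to a trusted root.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$leaf  = $script:chainCerts[0]
$ok    = $check.Build($leaf)
Write-Host "Leaf certificate chains to a trusted root after import: $ok"
if (-not $ok) {
    $check.ChainStatus | ForEach-Object { Write-Host "  $($_.Status): $($_.StatusInformation)" }
}
```

Run it as the user whose browser should trust the console; to trust it machine-wide for all users, run from an elevated prompt with Cert:\LocalMachine\Root instead, which is equivalent to the article's certutil -addstore root command. The thumbprint check is the important part: a self-signed root is only as trustworthy as the channel you obtained it over, so confirm it matches what the appliance's own certificate dialog shows before importing.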