SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000068206
Applies To
Authentication Manager 8.x all versions
Issue
The RSA Authentication Manager Security Appliance is deployed with RSA self-signed Certificates, which are not signed by any of the Public Certificate Authorities, e.g. DigiCert, GoDaddy, Verisign, Komodo, etc... So default browsers report the AM appliance as Untursted.
Image description
Since all RSA customers download Authentication Manager software in a secure manner with RSA digital signatures, the Authentication Manager Appliance is a very secure web site, therefore Authentication Manager users should import the RSA self-signed Root CA cert to be trusted.
To understand all of the implications why trusting the RSA self-signed Certificates have a look at Blog post from chief engineer/AM architect Piers Bowness on why replacement console certs does not make any sense with Authentication Manager
https://community.rsa.com/t5/securid-community-blog/rsa-authentication-manager-and-self-signed-certificates/ba-p/519457
In certain circumstances it can be dangerous. I worked with a customer where the GPO policy was to block browser access to 'untrusted' web sites. This customer needed to revert to an RSA self-signed certificate for maintenance work, and locked themselves out of the RSA security console because of this policy.
Authentication Manager is not a public commercial site, therefore the reason for publicly trusted certificates does not exist.It is at best a waste of money, at worst a potential S1 server down outage waiting to happen.
Image descriptionSince all RSA customers download Authentication Manager software in a secure manner with RSA digital signatures, the Authentication Manager Appliance is a very secure web site, therefore Authentication Manager users should import the RSA self-signed Root CA cert to be trusted.
To understand all of the implications why trusting the RSA self-signed Certificates have a look at Blog post from chief engineer/AM architect Piers Bowness on why replacement console certs does not make any sense with Authentication Manager
https://community.rsa.com/t5/securid-community-blog/rsa-authentication-manager-and-self-signed-certificates/ba-p/519457
In certain circumstances it can be dangerous. I worked with a customer where the GPO policy was to block browser access to 'untrusted' web sites. This customer needed to revert to an RSA self-signed certificate for maintenance work, and locked themselves out of the RSA security console because of this policy.
Authentication Manager is not a public commercial site, therefore the reason for publicly trusted certificates does not exist.It is at best a waste of money, at worst a potential S1 server down outage waiting to happen.
Task
1.Export RSA self-signed Root CA with browser
2. Install RSA self-signed Authentication Manager Root CA certificate so that your browsers will trust it.
2.a. secpol.msc - Define Policy settings to Allow trusted root CA and peer trust certs
2.b. certmgr.msc - Trusted Root Cert Authorities - All Tasks - Import .crt/.cer file from step 1
2. Install RSA self-signed Authentication Manager Root CA certificate so that your browsers will trust it.
2.a. secpol.msc - Define Policy settings to Allow trusted root CA and peer trust certs
2.b. certmgr.msc - Trusted Root Cert Authorities - All Tasks - Import .crt/.cer file from step 1
Resolution
1.Export RSA self-signed Root CA with browser, by clicking into the Not Secure area of the URL in front of your AM primary Security Console URL https://<name>:7004/console-ims
Image description
From the drop-down select Certificate or Certificate is not Valid (Might need to select Under Connection is not secure to see something with 'Certificate' in it.
Image description
When the display for the Certificate(s) pops-up, there will be a [General] Tab with general information about the certificates, the primary cert as well as the RSA self-signed Root Certificate. Select the [Details] tab.
Image description
Highlight the Root Cert, which covers the primary and all current and future replicas. Then click the [Export] button at bottom right, and save as a .cer or .crt file, base-64 encoded (default). Note file name and location, e.g. RSA_root_CA_for_<server>.crt.
2. Install RSA self-signed Authentication Manager Root CA certificate so that your browsers will trust it. First you need to allow your Security Settings to Allow trusted root CA and peer trust certs. This is done in Windows with the cmd secpol.msc, which you can type into the Windows search or at a CMD / Run prompt
2.a. secpol.msc - Define Policy settings to Allow trusted root CA and peer trust certs
Image description
Here you will Navigate to Public Key Policies - Certificate Path Validation Settings, and check off the
Define these policy settings
Allow trusted root CA to be used to validate certs
Allow peer trust certs
Click the [Apply] bottom right when these selections are made.
Image description
After these policy changes, you will need to import the RSA self-signed Root CA certificate that you exported in Step 1 above into Certificate Manager, certmgr.msc. This is done in Windows with the cmd certmgr.msc, which you can type into the Windows search or at a CMD / Run prompt.
2.b. certmgr.msc - Trusted Root Cert Authorities - All Tasks - Import .crt/.cer file from step 1
Image description
Image descriptionFrom the drop-down select Certificate or Certificate is not Valid (Might need to select Under Connection is not secure to see something with 'Certificate' in it.
Image descriptionWhen the display for the Certificate(s) pops-up, there will be a [General] Tab with general information about the certificates, the primary cert as well as the RSA self-signed Root Certificate. Select the [Details] tab.
Image descriptionHighlight the Root Cert, which covers the primary and all current and future replicas. Then click the [Export] button at bottom right, and save as a .cer or .crt file, base-64 encoded (default). Note file name and location, e.g. RSA_root_CA_for_<server>.crt.
2. Install RSA self-signed Authentication Manager Root CA certificate so that your browsers will trust it. First you need to allow your Security Settings to Allow trusted root CA and peer trust certs. This is done in Windows with the cmd secpol.msc, which you can type into the Windows search or at a CMD / Run prompt
2.a. secpol.msc - Define Policy settings to Allow trusted root CA and peer trust certs
Image descriptionHere you will Navigate to Public Key Policies - Certificate Path Validation Settings, and check off the
Define these policy settings
Allow trusted root CA to be used to validate certs
Allow peer trust certs
Click the [Apply] bottom right when these selections are made.
Image descriptionAfter these policy changes, you will need to import the RSA self-signed Root CA certificate that you exported in Step 1 above into Certificate Manager, certmgr.msc. This is done in Windows with the cmd certmgr.msc, which you can type into the Windows search or at a CMD / Run prompt.
2.b. certmgr.msc - Trusted Root Cert Authorities - All Tasks - Import .crt/.cer file from step 1
Image descriptionNotes
There are alternate ways to accomplish step 2, including using the MMC and CMD line certutil -addstore root <path>\<filename>.cer or .crt
In this article
