How to clean up CSRs
In the RSA Authentication Manager, creating Certificate Signing Requests (CSRs) is a common task to ensure secure communication and authentication. However, not all CSRs can be fulfilled, for reasons such as incorrect information, changes in security requirements, or organizational policy updates. Over time, these unfulfilled requests clutter the system, so it is worth cleaning them up to keep the environment organized and manageable.
Cleaning up unfulfilled CSRs means identifying the requests that are no longer required and systematically removing them from the system. This keeps the system manageable and also improves security, since outdated or incorrect requests no longer linger where they could be fulfilled by mistake. The steps typically include reviewing the pending requests, validating whether each is still needed, and then using the RSA Authentication Manager's tools to delete or archive the unnecessary entries.
Before You Begin
Take a backup or a snapshot of the appliance before starting any of these steps.
Solution
1: SSH to the Primary AM appliance with PuTTY and log on with the Operating System account, typically called rsaadmin.
The keytool is located in /opt/rsa/am/appserver/jdk/bin
The .jks keystores are located in /opt/rsa/am/server/security
The RSA Utility is located in /opt/rsa/am/utils
2: Get the SSL Server Identity Cert keystore file password. You need Operations Console (OC) admin credentials to do this:
/opt/rsa/am/utils/rsautil manage-secrets -a list
You have to highlight the whole password to copy and paste it, then delete the spaces, so that you end up with a single string such as MA8eMBMiDSWz6ApxEDLC2oeKWBhtZh (an example only).
Obviously your file password will be different.
3: Verify the alias for your private key. Next, go to the security directory so you can access the Virtual Host keystores, which hold the Virtual Host key seen in the Operations Console:
cd /opt/rsa/am/server/security/
This directory has two Virtual Host keystores: vh-identity.jks, which holds the active key/cert, and vh-inactive.jks.
Make a copy of both files before changing anything:
sudo cp vh-identity.jks vh-identity.jks.ORIG
sudo cp vh-inactive.jks vh-inactive.jks.ORIG
Here are the commands to list the existing certificates in each keystore:
/opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/vh-identity.jks
/opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/vh-inactive.jks
Revert to the self-signed certificate and run the commands above again; the alias you want to remove (shown here as your-alias) now appears in the vh-inactive.jks file.
Delete the your-alias alias:
/opt/rsa/am/appserver/jdk/jre/bin/keytool -delete -alias your-alias -keystore /opt/rsa/am/server/security/vh-inactive.jks
Go to the RSA Authentication Manager 8.1 Primary Operations Console -> Deployment Configuration -> Certificates -> Virtual Host Certificate Management and confirm that the certificate has been removed.
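The three steps above, wrapped in a small POSIX sh script as an added example (this is not an RSA-supplied tool and not code from the original article). It uses the keytool, keystore and backup paths the article gives; the function names, the space-stripping of the pasted password, and the safety checks (refuse to touch an alias that is still in the active vh-identity.jks, and only delete an alias that actually exists in vh-inactive.jks) are assumptions about what an operator would want, not documented RSA behaviour. The password is passed with keytool's -storepass so the listing runs non-interactively.

```shell
#!/bin/sh
# Added example, not from the RSA article: automates the manual keytool
# steps with backups and sanity checks. Paths are the article's; function
# names and the checks themselves are assumptions.

KEYTOOL=/opt/rsa/am/appserver/jdk/jre/bin/keytool
SEC_DIR=/opt/rsa/am/server/security
ACTIVE_KS="$SEC_DIR/vh-identity.jks"
INACTIVE_KS="$SEC_DIR/vh-inactive.jks"

# Step 2: the password pasted from `rsautil manage-secrets -a list` carries
# embedded spaces; strip all whitespace so keytool gets the real value.
strip_spaces() {
    printf '%s' "$1" | tr -d '[:space:]'
}

# Parse `keytool -list` output read from stdin and print one alias per line.
# keytool prints each entry as "<alias>, <date>, <EntryType>," so keep the
# text before the first comma on the lines that name an entry type.
aliases_from_listing() {
    grep -E 'PrivateKeyEntry|trustedCertEntry|SecretKeyEntry' | sed 's/,.*$//'
}

# Return 0 if alias $2 appears in the listing text $1 (exact, literal match).
listing_has_alias() {
    printf '%s\n' "$1" | aliases_from_listing | grep -qxF -- "$2"
}

# Non-interactive listing of one keystore (step 3).
list_keystore() {
    "$KEYTOOL" -list -keystore "$1" -storepass "$2"
}

# Delete an alias from the inactive keystore only when it really is there
# and is not also the active key, after taking the backups the article asks for.
cleanup_inactive_alias() {
    alias="$1"
    storepass=$(strip_spaces "$2")

    sudo cp "$ACTIVE_KS"   "$ACTIVE_KS.ORIG"
    sudo cp "$INACTIVE_KS" "$INACTIVE_KS.ORIG"

    active=$(list_keystore "$ACTIVE_KS" "$storepass")
    inactive=$(list_keystore "$INACTIVE_KS" "$storepass")

    if listing_has_alias "$active" "$alias"; then
        echo "refusing: '$alias' is in the ACTIVE keystore $ACTIVE_KS" >&2
        return 1
    fi
    if ! listing_has_alias "$inactive" "$alias"; then
        echo "nothing to do: '$alias' not found in $INACTIVE_KS" >&2
        return 1
    fi

    "$KEYTOOL" -delete -alias "$alias" -keystore "$INACTIVE_KS" -storepass "$storepass"
    echo "deleted '$alias' from $INACTIVE_KS; backup kept at $INACTIVE_KS.ORIG"
}

# Usage on the appliance (assumed invocation):
#   . ./cleanup_csr.sh
#   cleanup_inactive_alias your-alias "<password from rsautil manage-secrets>"
```

After the script reports the deletion, check the Operations Console page from the last step to confirm the certificate is gone; if the refusal message appears instead, the alias is still the active Virtual Host key and must be reverted in the console first, exactly as the article describes.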