Managing Digital Certs and CSR in RSA Authentication Manager

Written by JK | Sep 3, 2024 1:31:10 AM

How to clean up CSR's

You have created one or more CSR (certificate signing requests), not all can be fulfilled for numerous reasons and you want to clean them up

In the RSA Authentication Manager, creating Certificate Signing Requests (CSR) is a common task to ensure secure communication and authentication. However, not all CSR can be fulfilled due to a variety of reasons such as incorrect information, changes in security requirements, or even organizational policy updates. Over time, these unfulfilled requests can clutter your system, making it essential to clean them up to maintain an organized and efficient environment.

Cleaning up unfulfilled CSR involves identifying the requests that are no longer required and systematically removing them from the system. This process not only helps in keeping the system manageable but also enhances security by ensuring that outdated or incorrect requests do not pose any risk. The steps for cleaning up CSR typically include reviewing the pending requests, validating their necessity, and then using the RSA Authentication Manager's tools to delete or archive the unnecessary entries.

 

Before You Begin

Please take a backup or take a snapshot prior to any task.

Solution

1: SSH to the Primary AM appliance with PuTTy, logon with the Operating System Account, typically called rsaadmin.

The keytool is located in /opt/rsa/am/appserver/jdk/bin

The .jks keystores are located in /opt/rsa/am/server/security

The RSA Utility is located in /opt/rsa/am/utils

2: Get the SSL Server Identity Cert Keystore File Password – you need Operations Console OC Admin credentials to do this

/opt/rsa/am/utils/rsautil manage-secrets -a list

You have to highlight the whole password to copy and paste, and delete the spaces, so you get this MA8eMBMiDSWz6ApxEDLC2oeKWBhtZh as an example

Obviously your file password will be different.

3: Verify the Alias for your private key Next go to the security directory so you can access the Virtual Host keystores, which have the Virtual Host Key – seen in the Operations Console.

cd /opt/rsa/am/server/security/

This directory has two Virtual Host Keystores, one called vh-identity.jks which has the active Key/Cert, and vh-inactive.jks

Make a copy of those files.

sudo cp vh-identity.jks vh-identity.jks.ORIG

sudo cp vh-inactive.jks vh-inactive.jks.ORIG

 Here is the command to list the existing certificates.

/opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/vh-identity.jks

/opt/rsa/am/appserver/jdk/jre/bin/keytool -list-keystore /opt/rsa/am/server/security/vh-inactive.jks

Revert back to the self-signed certificate and run the commands above again to see the alias “your-alias” in vh-inactive.jks file

Delete the “your-alias” alias.

/opt/rsa/am/appserver/jdk/jre/bin/keytool -delete -alias “your-alias” -keystore /opt/rsa/am/server/security/vh-inactive.jks

Go to the RSA Authentication Manager 8.1 Primary Operations Console -> Deployment Configuration ->Certificates -> Virtual Host Certificate Management and the certificate is removed