Certificate Management for Secure Sockets Layer

Secure Sockets Layer (SSL) is enabled by default for communication ports that are used for RSA Authentication Manager administration and replication. When you deploy an instance of AM, communication is secured by a long-lived SSL certificate. This certificate is unique to your deployment, and it is signed by an internal RSA certificate authority (CA).

Because this SSL certificate is signed by an internal RSA CA, your browser may present a warning message that the default certificate cannot be verified. If an Online Certificate Status Protocol (OCSP) client is deployed, you may receive a message that revocation list information is not available. This is expected behavior.

To continue, click the option that allows your browser to proceed or to connect to an untrusted site. For example, your browser might ask you to click a link that reads “I Understand the Risks.”

To prevent this warning message from appearing, you must add the internal RSA CA to your browser’s trusted root certificate list, or replace the RSA certificate with one that is signed by a certificate authority that is trusted by your browser.

Note:  If you use dynamic seed provisioning (CT-KIP) to distribute software tokens for iOS, RSA recommends that you use a certificate that is signed by a trusted certificate authority.

See your browser documentation for instructions about adding the internal RSA CA to your browser’s list of trusted root certification authorities.