Delete unwanted Certificate Signing Requests (CSR) from the RSA Authentication Manager Operations Console Certificate Management interface
Originally Published: 2014-03-28
Article Number: 000052035
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition:  8.x

Issue
A Certificate Signing Request (CSR) was created using Console Certificate Management in the RSA Operations Console and left pending.  This article explains how to delete unwanted certificate signing requests from the RSA Authentication Manager Operations Console Certificate Management interface.
Resolution
Navigate to Deployment Configuration > Certificates > Console Certificate Management.  This interface manages the certificates that secure communication between RSA Authentication Manager and the Operations Console and Security Console management interfaces.

To remove any outstanding Certificate Signing Requests (CSR) that are in the pending state, use the following procedure.

Before following the steps below:
  1. Log in to the primary Authentication Manager's Operations Console.
  2. Select Maintenance > Backup and Restore > Backup Now to take a backup of the database.
  3. Pending Certificate Signing Requests reside in the keystore /opt/rsa/am/server/security/webserver-inactive.jks.  Before making any change, always take a backup of this file.  Open an SSH session to the Authentication Manager primary, log in as the rsaadmin user, and run the following commands from the /opt/rsa/am/server/security folder to create the copy:
cd /opt/rsa/am/server/security
cp webserver-inactive.jks webserver-inactive.jks.BAK
  4. To remove the CSR aliases from /opt/rsa/am/server/security/webserver-inactive.jks, the administrator needs the SSL Server Identity Certificate Keystore File Password.  Obtain it by running ./rsautil manage-secrets -a list com.rsa.signing.key from the /opt/rsa/am/utils directory.  In this example the SSL Server Identity Certificate Keystore File Password is g972SpITERSGMtYCZWevKd4UTVuZUw; yours will be different.  The output lists every deployment secret, including private key passwords, so treat it as sensitive and do not paste it into tickets or e-mail.
rsaadmin@app81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key
Please enter OC Administrator username: <enter the name of the Operations Console administrative user>
Please enter OC Administrator password: <enter the password of the Operations Console administrative user>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_9uwbaoze
Command API Client User Password ......................: N04vujpJYzkePDn0vf0zjnu2NmEJ1f
SSL Server Identity Certificate Private Key Password ..: jkN1075giQ9IIFD8Pg6uVq4BGFB9yU
SSL Server Identity Certificate Keystore File Password : g972SpITERSGMtYCZWevKd4UTVuZUw
Root Certificate Private Key Password .................: rSl0jKaSPUFww2fb0KVfJdbUIFwQK3
Root Certificate Keystore File Password ...............: Rg10rVYLQW8fNHEdMxbgucWlMQ1mAX

The "listkeys" action displays the key names to use when setting the values.
rsaadmin@app81p:/opt/rsa/am/utils>
  5. List the contents of webserver-inactive.jks with the keytool utility at the command line to confirm that the alias you want to delete actually exists.  For example:
rsaadmin@app81p:/opt/rsa/am> /opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/webserver-inactive.jks
Enter keystore password: <enter the SSL Server Identity Certificate Keystore File Password captured in step 4>

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

app81poc, Mar 27, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 3E:75:75:8F:82:34:B6:64:BC:6E:F1:FF:35:F8:AA:3B
rsa am internal ca, Dec 2, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 92:45:C9:B6:09:25:3E:4A:53:2F:6B:49:EA:E3:BF:17
rsa am default server cert, Dec 2, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): DD:C7:65:A8:74:36:EE:24:47:36:C4:8F:39:48:EB:89

rsaadmin@app81p:/opt/rsa/am>
Note that webserver-inactive.jks contains three entries.  In this example the alias app81poc is the pending CSR entry; the other two entries (rsa am internal ca and rsa am default server cert) are the defaults and should not be deleted.
  6. To delete the unwanted alias (app81poc in this example), run the keytool utility at the command line.  keytool does not ask for confirmation, so check the alias name carefully before running the command:
rsaadmin@app81p:/opt/rsa/am> /opt/rsa/am/appserver/jdk/jre/bin/keytool -delete -alias app81poc -keystore /opt/rsa/am/server/security/webserver-inactive.jks
Enter keystore password: <enter the SSL Server Identity Certificate Keystore File Password captured in step 4>
  7. Check that the pending entry has been removed from the RSA Operations Console under Deployment Configuration > Certificates > Console Certificate Management.
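The following script is an added example that ties steps 3 to 7 together; it is not RSA's code and is not part of the original article.  It backs up the keystore, parses the keytool listing, refuses to delete an alias that is absent or that is one of the two default entries named in the listing above, deletes the pending alias, and verifies it is gone.  The keytool and keystore paths and the default alias names come from the article; the KS_PASS environment variable, the backup file naming, the function names and the sample listing embedded for testing are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the RSA article): remove one pending CSR alias from
# webserver-inactive.jks with a backup, an existence check, a guard against
# the two default entries, and post-delete verification.
set -u

KEYTOOL=/opt/rsa/am/appserver/jdk/jre/bin/keytool
KEYSTORE=/opt/rsa/am/server/security/webserver-inactive.jks

# The two entries the article identifies as defaults; never delete these.
PROTECTED_ALIASES='rsa am internal ca
rsa am default server cert'

# Constructed sample of `keytool -list` output, mirroring the article's listing,
# so the parsing and checks can be exercised without a real keystore.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

app81poc, Mar 27, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 3E:75:75:8F:82:34:B6:64:BC:6E:F1:FF:35:F8:AA:3B
rsa am internal ca, Dec 2, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 92:45:C9:B6:09:25:3E:4A:53:2F:6B:49:EA:E3:BF:17
rsa am default server cert, Dec 2, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): DD:C7:65:A8:74:36:EE:24:47:36:C4:8F:39:48:EB:89'

# Print the alias of every entry in a `keytool -list` listing read from stdin.
# Entry lines look like "<alias>, <date>, <EntryType>," so keep only those
# lines and cut from the first comma (assumes aliases contain no comma).
parse_aliases() {
    grep -E ', (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?$' \
        | sed -e 's/^[[:space:]]*//' -e 's/,.*$//'
}

# Exit 0 if the alias is one of the default entries.
is_protected() {
    printf '%s\n' "$PROTECTED_ALIASES" | grep -Fxq -- "$1"
}

# Exit 0 if the alias appears in the listing read from stdin.
has_alias() {
    parse_aliases | grep -Fxq -- "$1"
}

# Classify an alias against a listing read from stdin.
# Returns 0 = safe to delete, 1 = not present, 2 = default entry (protected).
check_alias() {
    local alias_name=$1
    is_protected "$alias_name" && return 2
    has_alias "$alias_name" || return 1
    return 0
}

# Back up the keystore, confirm the alias is a deletable pending entry, delete
# it and verify it is gone.  Expects the SSL Server Identity Certificate
# Keystore File Password in KS_PASS; keytool's -storepass:env reads it from the
# environment so it never appears on the command line or in ps output.
delete_pending_csr() {
    local alias_name=$1 stamp listing rc
    if [ -z "${KS_PASS:-}" ]; then
        echo "set KS_PASS to the keystore file password first" >&2
        return 4
    fi
    export KS_PASS
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$KEYSTORE" "$KEYSTORE.$stamp.BAK" || return 4
    listing=$("$KEYTOOL" -list -keystore "$KEYSTORE" -storepass:env KS_PASS) || return 4
    rc=0
    printf '%s\n' "$listing" | check_alias "$alias_name" || rc=$?
    case $rc in
        1) echo "alias '$alias_name' is not in $KEYSTORE" >&2; return 1 ;;
        2) echo "refusing to delete default entry '$alias_name'" >&2; return 2 ;;
    esac
    # keytool -delete asks for no confirmation; the checks above are the safety net.
    "$KEYTOOL" -delete -alias "$alias_name" -keystore "$KEYSTORE" -storepass:env KS_PASS || return 4
    if "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass:env KS_PASS | has_alias "$alias_name"; then
        echo "alias still present; restore $KEYSTORE.$stamp.BAK and investigate" >&2
        return 3
    fi
    echo "deleted '$alias_name'; backup at $KEYSTORE.$stamp.BAK"
}

# Usage on the primary, as rsaadmin:
#   KS_PASS='<keystore file password>' ./remove_pending_csr.sh app81poc
if [ $# -gt 0 ]; then
    delete_pending_csr "$1"
fi
```

Run it with the alias as the only argument and the keystore password in KS_PASS; with no argument it only defines the functions, which is how the sample listing can be checked without touching a real keystore.  The post-delete listing is the same check as step 7, done at the command line before looking in the Operations Console.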