How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings.
Issue
The Authentication Manager Security Console is an internal administrative web site, and the certificate chain it presents is issued by the appliance's own self-signed root CA, which covers the primary and every replica. Because Authentication Manager software is downloaded and verified through RSA digital signatures, that root is one an administrator can reasonably trust once its thumbprint has been checked out of band (for example, against the value shown on the appliance itself). Authentication Manager users should therefore import the RSA self-signed root CA certificate into the trusted root store of their browser or workstation rather than replace the console certificate.
To understand the full implications of trusting the RSA self-signed certificates, and why replacing the console certificate does not make sense with Authentication Manager, see the blog post by chief engineer/AM architect Piers Bowness:
https://community.rsa.com/t5/securid-community-blog/rsa-authentication-manager-and-self-signed-certificates/ba-p/519457
Replacing the console certificate can even be dangerous in certain environments. I worked with a customer whose GPO policy blocked browser access to 'untrusted' web sites. This customer needed to revert to the RSA self-signed certificate for maintenance work and locked themselves out of the Security Console because of that policy.
Authentication Manager is not a public commercial site, so the reason for a publicly trusted certificate does not exist. It is at best a waste of money and at worst a potential S1 server-down outage waiting to happen.
Tasks
1. Export the RSA self-signed Authentication Manager Root CA certificate from the browser's certificate viewer for the Security Console.
2. Install the RSA self-signed Authentication Manager Root CA certificate so that your browsers will trust it.
2.a. secpol.msc - Define policy settings to allow trusted root CA and peer trust certificates
2.b. certmgr.msc - Trusted Root Certification Authorities - All Tasks - Import the .crt/.cer file from step 1
Resolution
1. Export the RSA self-signed Root CA certificate. In your browser, open the Security Console and click the site-information (padlock or 'Not secure') icon in the address bar. From the drop-down select Certificate or Certificate is not valid (you may need to expand 'Connection is not secure' before an entry containing 'Certificate' appears).
When the certificate viewer opens, the [General] tab shows general information about the certificates: the primary (console) certificate as well as the RSA self-signed Root CA certificate. Select the [Details] tab.
Highlight the Root certificate, which covers the primary and all current and future replicas. Then click the [Export] button at the bottom right and save it as a .cer or .crt file, base-64 encoded (the default). Note the file name and location, e.g. RSA_root_CA_for_<server>.crt. Before trusting it, compare the certificate's thumbprint with the value you obtained from the appliance side, so you are not importing a certificate substituted on the path between you and the console.
2. Install the RSA self-signed Authentication Manager Root CA certificate so that your browsers will trust it. First you need to allow your local security settings to use trusted root CA and peer trust certificates. This is done in Windows with secpol.msc, which you can type into the Windows search box or at a CMD / Run prompt.
2.a. secpol.msc - Define policy settings to allow trusted root CA and peer trust certificates
Navigate to Public Key Policies - Certificate Path Validation Settings and check:
Define these policy settings
Allow trusted root CAs to be used to validate certificates
Allow peer trust certificates
Click [Apply] at the bottom right when these selections are made. These settings govern the per-user (Current User) stores; if a domain GPO overrides them, importing the root into the Local Machine store instead (see the note below) still works.
After these policy changes, import the RSA self-signed Root CA certificate that you exported in Step 1 into Certificate Manager, certmgr.msc. This is done in Windows with certmgr.msc, which you can type into the Windows search box or at a CMD / Run prompt.
2.b. certmgr.msc - Trusted Root Certification Authorities - All Tasks - Import the .crt/.cer file from step 1
certmgr.msc manages the Current User store, so the trust applies only to your own account. To trust the root for every account on a shared administrative workstation, import it into the Local Machine store instead (certlm.msc, run as administrator).
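The same two steps can be scripted for a fleet of administrative workstations. The PowerShell below is an added example written for this article, not RSA's own tooling: it pulls the Security Console's certificate chain over TLS, picks out the appliance's self-signed root CA, prints its SHA-1 and SHA-256 fingerprints for out-of-band verification, writes the root as a base-64 .cer (the same content the browser's [Export] button produces in step 1), and only when the thumbprint you supply matches does it add the root to the Trusted Root store (step 2.b). The host name, the console port 7072, the output file name and the `-ExpectedThumbprint` switch are assumptions of this example; adjust them to your deployment. Run it from an elevated prompt when targeting LocalMachine.

```powershell
<#
  Added example for this article (not RSA's own code).
  Harvest the Security Console's TLS chain, export the self-signed root CA,
  and import it into the Trusted Root store after thumbprint verification.
  Assumptions: -AmHost is your primary's console host name, port 7072 is the
  Security Console port, and -ExpectedThumbprint is the SHA-1 value you
  confirmed on the appliance side.
#>
param(
    [Parameter(Mandatory)] [string] $AmHost,          # e.g. am-primary.example.local (assumption)
    [int]    $Port = 7072,                             # assumed console port; change if yours differs
    [ValidateSet('CurrentUser','LocalMachine')]
    [string] $StoreLocation = 'LocalMachine',
    [string] $OutFile = "RSA_root_CA_for_$AmHost.crt",
    [string] $ExpectedThumbprint                       # SHA-1 thumbprint verified out of band
)

$ErrorActionPreference = 'Stop'

# Collect every certificate the server presents. The callback returns $true only
# so the handshake completes; trust is decided by the operator further down.
$harvest = New-Object 'System.Collections.Generic.List[System.Security.Cryptography.X509Certificates.X509Certificate2]'
$callback = [System.Net.Security.RemoteCertificateValidationCallback]({
    param($sender, $cert, $chain, $errors)
    foreach ($el in $chain.ChainElements) { $harvest.Add($el.Certificate) }
    return $true
}.GetNewClosure())

$tcp = New-Object System.Net.Sockets.TcpClient($AmHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($AmHost)
    $ssl.Dispose()
} finally { $tcp.Dispose() }

# The appliance root is the self-signed element: subject equals issuer.
$root = $harvest | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
if (-not $root) { throw "No self-signed root CA in the chain presented by ${AmHost}:$Port" }

$sha256 = ([System.BitConverter]::ToString(
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($root.RawData))) -replace '-', ''

Write-Host "Root CA subject : $($root.Subject)"
Write-Host "Valid           : $($root.NotBefore) to $($root.NotAfter)"
Write-Host "SHA-1 thumbprint: $($root.Thumbprint)"
Write-Host "SHA-256         : $sha256"

# Base-64 (PEM) export, equivalent to the browser's [Export] in step 1.
$b64  = [System.Convert]::ToBase64String($root.RawData)
$body = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [System.Math]::Min(64, $b64.Length - $i))
}
$pem = @('-----BEGIN CERTIFICATE-----') + $body + @('-----END CERTIFICATE-----')
Set-Content -Path $OutFile -Value $pem -Encoding Ascii
Write-Host "Exported root CA to $OutFile"

# Never trust the root blindly: require the thumbprint confirmed on the appliance side.
if (-not $ExpectedThumbprint) {
    Write-Host "Verify the thumbprint out of band, then re-run with -ExpectedThumbprint <SHA-1> to import."
    return
}
$expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
if ($root.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: got $($root.Thumbprint), expected $expected. Not importing."
}

# Equivalent of certmgr.msc > Trusted Root Certification Authorities > Import (step 2.b).
# LocalMachine\Root needs an elevated prompt; it is not governed by the per-user
# 'trusted root CA' policy switch from step 2.a.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $StoreLocation)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
if ($store.Certificates.Find('FindByThumbprint', $root.Thumbprint, $false).Count -eq 0) {
    $store.Add($root)
    Write-Host "Imported into Cert:\$StoreLocation\Root"
} else {
    Write-Host "Already present in Cert:\$StoreLocation\Root"
}
$store.Close()
```

Run it once without `-ExpectedThumbprint` to export the root and see its fingerprints, compare the SHA-1 value with the one shown on the appliance, then run it again with `-ExpectedThumbprint` to import. Targeting LocalMachine (the default here) avoids the per-user policy change in step 2.a and trusts the root for every account on the workstation; use `-StoreLocation CurrentUser` if you only want to affect your own profile.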