RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
- The RSA Authentication Manager Security Console, Operations Console and Virtual Host certificates do not have a Subject Alternative Name (SAN).
- When the Authentication Manager Operations Console generates a Certificate Signing Request (CSR) for a replacement console or virtual host certificate, there is currently no way to enter a SAN.
Note: The information in this article is interesting but no longer useful. Rather than running the openssl command, log in to the Operations Console and navigate to Deployment Configuration > Console Certificate Management > Generate CSR. There is a field to add SAN information.
- SSH to the RSA Authentication Manager server.
- Log in as the rsaadmin user with the operating system password created during setup.
- Create a new directory named /tmp/cert:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Feb 21 22:47:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> mkdir /tmp/cert
- Navigate to the new directory:
rsaadmin@am82p:~> cd /tmp/cert
- Create a new configuration file named openssl_san.cnf.
- Using the text below as a template, cut and paste the text into the new openssl_san.cnf.
- Save the file when done.
Make sure you enter the exact Authentication Manager server/virtual host server FQDN in the line for commonName and for DNS.1, otherwise this procedure will not work.
rsaadmin@am82p:/tmp/cert> vi openssl_san.cnf
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN)

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = server FQDN
DNS.2 = example1.com
DNS.3 = example2.com
~
~
~
:wq!
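- Use the following command to generate the CSR and private key. The key size given to -newkey takes precedence over default_bits in the configuration file, so this command produces a 2048-bit RSA key.
rsaadmin@am82p:/tmp/cert> openssl req -newkey rsa:2048 -nodes -keyout private.key -out csr.csr -config openssl_san.cnf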
- Use a file transfer tool such as WinSCP or FileZilla to retrieve the csr.csr file from /tmp/cert.
- Sign the CSR from your CA and download the full certificate chain (.p7b).
- The following example is for when your CA is a Windows Server Domain Controller:
- In your web browser address bar, type the IP address of the server where the Certificate Authority is installed, followed by /certsrv. For example: http://10.0.2.80/certsrv
- Click the Request a Certificate link.
- Click the Advanced certificate request link.
- Click Submit a certificate.
- Paste the contents of your CSR file into the Saved Request text box.
- From the Certificate Template drop-down list, select Web Server.
- Click Submit.
- Choose DER Encoding and click Download Certificate Chain.
- Use a file transfer tool to copy the full certificate chain (certnew.p7b) to /tmp/cert on the Authentication Manager server.
- SSH to the appliance and log in as the rsaadmin user with the operating system password.
- Navigate to /tmp/cert and run the following commands:
rsaadmin@am82p:/tmp/cert> openssl pkcs7 -in certnew.p7b -inform DER -out result.pem -print_certs
rsaadmin@am82p:/tmp/cert> openssl pkcs12 -export -inkey private.key -in result.pem -out console_certificate.p12 -descert
Note: You will be prompted to enter a password in the last command. This password is used when importing the console_certificate.p12 through the Authentication Manager Operations Console.
- Log in to the primary's Authentication Manager Operations Console.
- Navigate to Deployment Configuration > Certificates > Console Certificate Management.
- Click Import certificate.
- Click Choose File and browse to the location of the console_certificate.p12 defined in step 11.
- For Type of certificate to import, choose PKCS#12 (.pfx or .p12).
- Enter the password and click Import.
- In the Operations Console, navigate to Deployment Configuration > Certificates > Console Certificate Management.
- Click on the newly imported certificate and select Activate. The server will restart.
If you are planning to use this process for either a Web Tier or Virtual Host Certificate, then for steps 12 and 17 above, navigate to Deployment Configuration > Certificates > Virtual Host Certificate Management.
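The script below is an added example, not part of the original RSA article. Before csr.csr is sent to the CA, it checks that the commonName and a DNS SAN both equal the server FQDN, that the CSR self-signature verifies, and that the CSR was built from private.key. The function names, the FQDN am.example.test and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the CSR made by the procedure above (am.example.test is constructed).

# Print the subject commonName of a CSR (multiline output is stable across OpenSSL versions).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Print each DNS subjectAltName entry of a CSR, one per line.
csr_dns_sans() {
    openssl req -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_csr CSR KEY FQDN: return 0 only if every check passes.
check_csr() {
    csr=$1; key=$2; fqdn=$3
    [ "$(csr_cn "$csr")" = "$fqdn" ] || { echo "CN is not $fqdn" >&2; return 1; }
    csr_dns_sans "$csr" | grep -qxF "$fqdn" || { echo "no DNS SAN for $fqdn" >&2; return 1; }
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR self-signature invalid" >&2; return 1; }
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "CSR was not made from $key" >&2; return 1; }
}

# Build a throwaway key and CSR in DIR from a constructed config (sample input only).
make_sample_csr() {
    dir=$1; fqdn=$2
    cat > "$dir/openssl_san.cnf" <<EOF
[ req ]
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = $fqdn
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $fqdn
DNS.2 = example1.com
EOF
    openssl req -new -newkey rsa:2048 -keyout "$dir/private.key" \
        -out "$dir/csr.csr" -config "$dir/openssl_san.cnf" 2>/dev/null
}
```

On the appliance, source the file and run check_csr csr.csr private.key followed by the server FQDN from /tmp/cert; a non-zero exit status names the failed check on stderr.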