RSA ID Plus
RSA Cloud Access Service
RSA Identity Router v12.24.x.x and later
RSA Authentication Manager v8.2 SP1 and above
After adding or changing a REST Agent connection to Authentication Manager (AM), there is a Publish Partial Failure with status "Changes were successfully published to the Cloud Authentication Service, but could not be published to the identity router(s)."
After publishing, in Platform > Identity Routers, the Authentication Manager's general status will show as unhealthy (amber) and the Authentication Manager detailed Authentication status will be unhealthy (red).
Note: An Authentication Manager Notification connection is not changed by configuring the connection to Authentication Manager, so its status will not be impacted by this issue.
In Platform > Identity Routers, View Log for all IDRs will intermittently show warning events similar to the following:
WARN com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl[81] - Could not generate certificate:
java.security.cert.CertificateException: Could not generate certificate:
at com.rsa.cryptoj.o.oy.engineGenerateCertificates(Unknown Source)
at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:480)
at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:162)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getChainCertificateLeafToRoot(AMMFARestTemplateServiceImpl.java:161)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getSecureSslContext(AMMFARestTemplateServiceImpl.java:144)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getHttpClient(AMMFARestTemplateServiceImpl.java:99)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.clientHttpRequestFactory(AMMFARestTemplateServiceImpl.java:90)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.resetMfaRestTemplate(AMMFARestTemplateServiceImpl.java:77)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getMfaRestTemplate(AMMFARestTemplateServiceImpl.java:70)
at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.postStatus(AMMFARestServiceImpl.java:106)
at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:100)
at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:54)
at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.testConnection(AMMFAAuthenticationService.java:204)
at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.checkConnection(AMMFAAuthenticationService.java:121)
at com.symplified.service.shared.sid.SIDConnectivityTester.testConnectivityToSID(SIDConnectivityTester.java:31)
at com.symplified.service.appliance.status.monitors.SIDConnectivityStatusMonitor.collectStatusMetrics(SIDConnectivityStatusMonitor.java:67)
at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:124)
at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:32)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
2026-02-25/14:03:25.821/UTC [Status-Monitor-7] WARN com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl[109] - MFA error while preparing RestTemplate - Could not generate certificate:
com.rsa.aae.am.mfa.exception.AMMFAException: Could not generate certificate:
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.resetMfaRestTemplate(AMMFARestTemplateServiceImpl.java:82)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getMfaRestTemplate(AMMFARestTemplateServiceImpl.java:70)
at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.postStatus(AMMFARestServiceImpl.java:106)
at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:100)
at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:54)
at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.testConnection(AMMFAAuthenticationService.java:204)
at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.checkConnection(AMMFAAuthenticationService.java:121)
at com.symplified.service.shared.sid.SIDConnectivityTester.testConnectivityToSID(SIDConnectivityTester.java:31)
at com.symplified.service.appliance.status.monitors.SIDConnectivityStatusMonitor.collectStatusMetrics(SIDConnectivityStatusMonitor.java:67)
at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:124)
at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:32)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.cert.CertificateException: Could not generate certificate:
at com.rsa.cryptoj.o.oy.engineGenerateCertificates(Unknown Source)
at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:480)
at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:162)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getChainCertificateLeafToRoot(AMMFARestTemplateServiceImpl.java:161)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getSecureSslContext(AMMFARestTemplateServiceImpl.java:144)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getHttpClient(AMMFARestTemplateServiceImpl.java:99)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.clientHttpRequestFactory(AMMFARestTemplateServiceImpl.java:90)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.resetMfaRestTemplate(AMMFARestTemplateServiceImpl.java:77)
... 14 more
2026-02-25/14:03:25.821/UTC [Status-Monitor-7] ERROR com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService[128] - :
com.rsa.aae.am.mfa.exception.AMMFAException: Could not generate certificate:
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.resetMfaRestTemplate(AMMFARestTemplateServiceImpl.java:82)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getMfaRestTemplate(AMMFARestTemplateServiceImpl.java:70)
at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.postStatus(AMMFARestServiceImpl.java:106)
at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:100)
at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:54)
at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.testConnection(AMMFAAuthenticationService.java:204)
at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.checkConnection(AMMFAAuthenticationService.java:121)
at com.symplified.service.shared.sid.SIDConnectivityTester.testConnectivityToSID(SIDConnectivityTester.java:31)
at com.symplified.service.appliance.status.monitors.SIDConnectivityStatusMonitor.collectStatusMetrics(SIDConnectivityStatusMonitor.java:67)
at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:124)
at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:32)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.cert.CertificateException: Could not generate certificate:
at com.rsa.cryptoj.o.oy.engineGenerateCertificates(Unknown Source)
at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:480)
at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:162)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getChainCertificateLeafToRoot(AMMFARestTemplateServiceImpl.java:161)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getSecureSslContext(AMMFARestTemplateServiceImpl.java:144)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getHttpClient(AMMFARestTemplateServiceImpl.java:99)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.clientHttpRequestFactory(AMMFARestTemplateServiceImpl.java:90)
at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.resetMfaRestTemplate(AMMFARestTemplateServiceImpl.java:77)
... 14 more
These errors can also be seen if you download the IDR bundle logs from any IDR. In the downloaded .zip file, the errors will be in /var/log/symplified/symplified.log.
The Cloud Access Service (CAS) requires the AM console root certificate in DER (binary-encoded) format during REST Agent configuration.
If the certificate is provided in PEM (Base64/ASCII) or any other format, Identity Routers cannot load the certificate, resulting in Publish Partial Failure due to a "Could not generate certificate" error in the IDR.
To fix the issue:
- Obtain the AM console root certificate in a DER format file. See Knowledge Base (KB) Article 000073828 - How to download the RSA Authentication Manager Console Root Certificate in DER format.
- Upload the DER format certificate file to the Cloud Administration Console as described for the REST Agent on page Configure Connection to Authentication Manager (step 3e).
- Save and publish.
If it is not practical to immediately obtain AM's console root certificate in DER format and if a TCP Agent configuration was previously used for the connection to AM, the TCP Agent connection can be reconfigured as an interim measure.
Caution: Do not delete the Connection to Authentication Manager; otherwise the TCP Agent option will no longer be available and cannot be restored.
KB article 000063937 - How to export root certificates for RSA Authentication Manager, Identity Router, or Cloud Authentication Service is not a suitable method on its own to obtain the AM root certificate needed for a REST Agent Connection to Authentication Manager in CAS, because it instructs you to download the certificate in PEM format. See KB article 000073828 - How to download the RSA Authentication Manager Console Root Certificate in DER format for more information.