RADIUS authentication failing with certificate verify failed error in Authentication Manager 8.6 and higher
Originally Published: 2023-10-04
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.6 or later
Issue
- The /opt/rsa/am/radius/securID_radius_connector.crt is expired.
- The RADIUS troubleshooting log (/opt/rsa/am/radius/radius.log) shows the following error:
rlm_perl: Exception when calling rsa_securid_mfa_call: Exception in rsa_securid_mfa_first_step_process_initialize when calling UserApi->initialize: API Exception(500): Can't connect to <FQDN of server>:60001 (certificate verify failed) Can't connect to <FQDN of server>:60001 (certificate verify failed) LWP::Protocol::https::Socket: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at /usr/lib/perl5/vendor_perl/5.18.2/LWP/Protocol/http.pm line 60. at /opt/rsa/am/radius/raddb/mods-config/perl/rsaMFA/UserApi.pm line 171.
- Alternatively, the failure could be caused by an incorrect certificate in /opt/rsa/am/radius/securID_radius_connector.crt.
Cause
Resolution
If the certificates are expired
- Log in to the Operations Console.
- Navigate to Deployment Configuration > Certificates > Console Certificate Management.
- Click Generate CSR to create a certificate signing request.
- Fill out the required fields and click Generate File.
- Click Download to get the .csr file.
- Submit the CSR to your Certificate Authority (CA).
- Download the CA root certificate.
- Download any other certificates that are part of that signing chain if the SSL cert does not contain the complete chain.
- Download the new SSL cert.
- From Deployment Configuration > Certificates > Console Certificate Management you will start with the root cert and perform the following steps for each cert in the signing chain:
- Click Import Certificate.
- Under Certificate Basics, do one of the following:
- For a console certificate made in response to a CSR from the Operations Console:
- In the Import Certificate field, browse to the location where the certificate is stored. The file contains either a CA root certificate or the SSL cert from the CA.
- For Type of Certificate to Import, select PKCS #7 (*.cer or *.p7b).
- For a console cert made in response to a CSR from a certificate tool of your choice:
- In the Import Certificate field, browse to the location where the certificate is stored. The file contains one or more certificates and the private key for the new certificate.
- If the SSL certificate file contains the complete certificate chain up to the CA root certificate, then import the PKCS #12 file.
- In the Password field, enter the password for the PKCS #12 file.
- Click Import.
- To activate the certificate through the Operations Console,
- Go back to Deployment Configuration > Certificates > Console Certificate Management and, under Alias, click the name of the new SSL certificate.
- From the context menu, click Activate.
- On the Activate Certificate Confirmation page, review the certificate details to ensure that this is the certificate you wish to activate.
- Select Yes, make this the active certificate and click Activate Certificate. After the cert is activated, the Authentication Manager services automatically restart to complete the activation process. This can take several minutes. After services restart, log in to the Operations Console and go to Deployment Configuration > Certificates > Console Certificate Management to confirm the new certificate is being used.
If the certificates are not expired
- SSH to the primary Authentication Manager server.
- Navigate to /opt/rsa/am/radius.
- Run the command to list the certificates it contains:
more securID_radius_connector.crt
- Note the last few characters of the certificates shown.
- Check communication with the following command:
openssl s_client -showcerts -connect localhost:60001
- Compare the last few characters of the certificates from the securID_radius_connector.crt to the last few characters of the certificates from the openssl output.
- If they do not match, make a backup of the securID_radius_connector.crt:
cp securID_radius_connector.crt securID_radius_connector.crt.old
- Open the securID_radius_connector.crt with a text editor like vi.
- Copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- for the certificates listed in the openssl command output.
- Paste the information between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- values in the securID_radius_connector.crt.
- Save and close the file with [ESC] :wq!
- Restart RADIUS.
cd ../radius
./rsaserv radius restart
- Try the connection again.
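The comparison in the steps above can be done on the whole certificate body rather than its last few characters. The following is an added example, not RSA's own tooling: the function names and the `live` argument are assumptions made for illustration, and the script compares PEM text only, so it does not check expiry or validate the chain.

```shell
#!/bin/sh
# pem_bodies FILE: print one line per certificate in FILE, holding the base64
# body with line breaks and whitespace removed. Text around the PEM blocks
# (for example the subject/issuer lines s_client prints) is ignored.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1" | LC_ALL=C sort -u
}

# missing_from_bundle BUNDLE PRESENTED: print the bodies of certificates found
# in PRESENTED (saved s_client output) that are absent from BUNDLE.
missing_from_bundle() {
    tmp_b=$(mktemp) && tmp_p=$(mktemp) || return 2
    pem_bodies "$1" > "$tmp_b"
    pem_bodies "$2" > "$tmp_p"
    LC_ALL=C comm -13 "$tmp_b" "$tmp_p"
    rm -f "$tmp_b" "$tmp_p"
}

# bundle_matches BUNDLE PRESENTED: succeed only when the server output holds
# at least one certificate and every presented certificate is in the bundle.
bundle_matches() {
    [ -n "$(pem_bodies "$2")" ] && [ -z "$(missing_from_bundle "$1" "$2")" ]
}

# Live check on the appliance, run as: sh <this script> live
if [ "${1:-}" = "live" ]; then
    out=$(mktemp)
    openssl s_client -showcerts -connect localhost:60001 </dev/null >"$out" 2>/dev/null
    if bundle_matches /opt/rsa/am/radius/securID_radius_connector.crt "$out"; then
        echo "securID_radius_connector.crt contains every certificate the server presents"
    else
        echo "securID_radius_connector.crt is missing certificates the server presents"
    fi
    rm -f "$out"
fi
```

A "missing" result corresponds to the "do not match" case in the steps above, so back up the file before editing it as described.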