Root (Server) and Client Certificates are RFC-5280 compliant starting in version 7.2.0 of RSA Identity Governance & Lifecycle
2 years ago
Originally Published: 2020-08-14
Article Number
000059360
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.x
 
Issue
Starting with RSA Identity Governance & Lifecycle 7.2.0, Root (Server) and Client Certificates are now RFC-5280 compliant. What this means is that when new server and client keystores are generated, they will be generated with a Subject Key Identifier (SKI) extension that is exactly 160 bits (20 Octet) in size. Prior to 7.2.0, certificates were generated with greater than 20 octets which potentially flagged Remote AFX Agents and Remote Collection Agents as security risks and blocked communication to these agents via firewalls. See related RSA Knowledge Base Article 000039238 -- Firewall is blocking Remote AFX Agents and Remote Collection Agents from communicating with the Application Server in RSA Identity Governance & Lifecycle for more information.

An example of a non RFC-compliant certificate (SKI > 20 octets) is shown below. Most octets are redacted but that is what the redaction is covering:
 
User-added image

 
Resolution
A new installation of RSA Identity Governance & Lifecycle 7.2.0 will come with already RFC-compliant certificates. If this is an upgrade from a prior version, the certificates need to be regenerated. Server and client certificates are generated through the RSA Identity Governance & Lifecycle user interface. See RSA Knowledge Base Article 000038314 -- How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle for information on how to generate new server and client certificates. 

Note: This only needs to be done if you have Remote AFX Agents and/or Remote Collection Agents. If certificates are not regenerated, the firewall issue mentioned above will continue to occur and multiple Remote AFX Server failures may also occur. See related RSA Knowledge Base Article 000039237 -- Multiple Remote AFX Server Failures caused by 'Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same' after upgrading to version 7.2.0 of RSA Identity Governance & Lifecycle for more information.

An example of an RFC-compliant certificate (SKI restricted to 20 octets) is shown below. Although redacted, you can see the difference between this Subject Key Identifier and the one above.
 
User-added image

 
Notes
For more information on the RFC-5280 standard see the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
 

Related Articles

Trending Articles

Don't see what you're looking for?