To resolve this issue,
- SSH to the RSA Authentication Manager server.
- Log in as the rsaadmin user with the operating system password created during setup.
- Create a new directory named /tmp/cert:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Feb 21 22:47:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> mkdir /tmp/cert
- Navigate to the new directory:
rsaadmin@am82p:~> cd /tmp/cert
- Create a new configuration file named openssl_san.cnf.
- Using the text below as a template, cut and paste the text into the new openssl_san.cnf, replacing each placeholder value under [ req_distinguished_name ] with your own (because prompt = no, the values in the file are used verbatim).
- Save the file when done.
Make sure you enter the exact Authentication Manager server or virtual host FQDN in the commonName line and in DNS.1; otherwise this procedure will not work.
rsaadmin@am82p:/tmp/cert> vi openssl_san.cnf
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN)
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = server FQDN
DNS.2 = example1.com
DNS.3 = example2.com
:wq!
- Use the following command to generate the CSR and private key.
rsaadmin@am82p:/tmp/cert> openssl req -nodes -newkey rsa:2048 -keyout private.key -out csr.csr -config openssl_san.cnf
- Use a file transfer tool such as WinSCP or FileZilla to retrieve the csr.csr file from /tmp/cert.
- Have your CA sign the CSR and download the full certificate chain (.p7b).
- The following example is for when your CA is a Windows Server Domain Controller:
- In your web browser address bar, type the IP address of the server where the Certificate Authority is installed, followed by /certsrv. For example: http://10.0.2.80/certsrv
- Click the Request a Certificate link.
- Click the Advanced certificate request link.
- Click Submit a certificate.
- Paste the contents of your CSR file into the Saved Request text box.
- From the Certificate Template drop-down list, select Web Server.
- Click Submit.
- Choose DER Encoding and click Download Certificate Chain.
- Use a file transfer tool to copy the full certificate chain (certnew.p7b) to /tmp/cert on the Authentication Manager server.
- SSH to the appliance and log in as the rsaadmin user with the operating system password.
- Navigate to /tmp/cert and run the following commands:
rsaadmin@am82p:/tmp/cert> openssl pkcs7 -in certnew.p7b -inform DER -out result.pem -print_certs
rsaadmin@am82p:/tmp/cert> openssl pkcs12 -export -inkey private.key -in result.pem -out console_certificate.p12 -descert
Note: You will be prompted to enter a password in the last command. This password is used when importing the console_certificate.p12 through the Authentication Manager Operations Console.
- Log in to the primary's Authentication Manager Operations Console.
- Navigate to Deployment Configuration > Certificates > Console Certificate Management.
- Click Import certificate.
- Click Choose File and browse to the location of the console_certificate.p12 created with the openssl pkcs12 command above.
- For Type of certificate to import, choose PKCS#12 (.pfx or .p12).
- Enter the password and click Import.
- In the Operations Console navigate to Deployment Configuration > Certificates > Console Certificate Management
- Click on the newly imported certificate and select Activate. The server will restart.
If you are planning to use this process for either a Web Tier or Virtual Host certificate, then at both points above where you navigate to Deployment Configuration > Certificates > Console Certificate Management (to import and to activate), navigate instead to Deployment Configuration > Certificates > Virtual Host Certificate Management.
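As an added example (not code from the RSA article), the following POSIX shell script renders the openssl_san.cnf shown above from a single FQDN, so commonName and DNS.1 cannot diverge, and then checks that the generated CSR actually carries that name before it is sent to the CA. The hostname am82p.example.com, the DN values and the extra SAN entries are constructed placeholders; the key size and /tmp/cert working directory follow the article.

```shell
#!/bin/sh
# Added example, not the KB article's code: render openssl_san.cnf from one FQDN
# (so CN and DNS.1 always agree) and verify the CSR. Names below are placeholders.

# render_san_config FQDN [EXTRA_SAN...]: print the config on stdout.
render_san_config() {
    fqdn="$1"; shift
    cat <<EOF
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Massachusetts
localityName = Bedford
organizationName = Example Corp
commonName = $fqdn
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $fqdn
EOF
    n=2                                   # extra names continue at DNS.2
    for san in "$@"; do
        echo "DNS.$n = $san"
        n=$((n + 1))
    done
}

# csr_has_name CSR FQDN: succeed only if FQDN is the CN and is in the SAN list.
csr_has_name() {
    text=$(openssl req -in "$1" -noout -subject -text) || return 1
    printf '%s\n' "$text" | grep -q "CN *= *$2" || return 1
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# main [FQDN] [DIR]: the article's mkdir/cd/openssl req steps, plus the check.
main() {
    fqdn=${1:-am82p.example.com}; dir=${2:-/tmp/cert}
    mkdir -p "$dir" && cd "$dir" || return 1
    render_san_config "$fqdn" example1.com example2.com > openssl_san.cnf
    openssl req -nodes -newkey rsa:2048 -keyout private.key -out csr.csr -config openssl_san.cnf
    csr_has_name csr.csr "$fqdn" && echo "csr.csr carries $fqdn as CN and DNS.1"
}
```

Run it as `main am82p.example.com /tmp/cert` (or source the file and call `csr_has_name csr.csr <FQDN>` against a CSR you already made); a CSR whose CN or DNS.1 does not match the FQDN fails the check instead of reaching the CA.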