Solved

RSA : Self Signed SSL Server Certificate expired

Posted on 2014-02-14
Last Modified: 2014-02-28
Hi Experts,

I looked around in the RSA Operations Console and found that an SSL certificate expired two weeks ago. The RSA service is still running, but I can't find that expired certificate either on the RSA hosting server (2003 R2 x86) or on the DC (SBS 2011) to renew it. I used the certutil command and looked in the Certification Authority of SBS 2011. The SBS 2011 server has a GoDaddy certificate which includes the SERVER1.dmn.local name. Could I bind this one to RSA? If so, how do I have to proceed, please?

Certificate: server1
Certificate Basics  
 Certificate Name:    server1
 Notes:    server1
 
Certificate Details  
 Version:    3
 Serial Number:    45***********************75
 Signature Algorithm:    SHA1withRSA
 Issuer:    CN=dmn-SERVER1-CA
 Valid From:    Jan 25, 2013 1:12:56 PM CET
 Valid To:    Jan 25, 2014 1:12:56 PM CET
 Subject:    CN=SERVER1.dmn.local
 Public Key:    Sun RSA public key, 2048 bits modulus:  ************************************************************************************************************************************************

If RSA still works well, what is this certificate for?


Thank you in advance for your help, best regards,


PS: By the way, if someone knows a good and crystal-clear course about certificates on Windows Server...
Question by:jet-info
2 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 39860947
Look within the service/computer stores. The certificate may have been used initially as a test while the real/functional certificate was being acquired.

Based on the information, it is not a self-signed CA. The certificate was issued by an internal CA (Issuer: dmn-SERVER1-CA). Check your CA and see what the purpose of this certificate is.

Self-signed means that NO CA was involved,
i.e. an IIS self-signed certificate as an example.
0
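The distinction drawn in the comment above (self-signed versus issued by an internal CA) and the expiry, checked against the certificate details pasted in the question. This is an added example, not part of the original thread; the field parsing, the time-zone table and the 2014-02-14 evaluation date are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the "Certificate Details" fields as pasted in the question.
CONSOLE_TEXT = """\
 Version:    3
 Issuer:    CN=dmn-SERVER1-CA
 Valid From:    Jan 25, 2013 1:12:56 PM CET
 Valid To:    Jan 25, 2014 1:12:56 PM CET
 Subject:    CN=SERVER1.dmn.local
"""

# Assumption: only these zone abbreviations appear in the console output.
TZ_OFFSETS = {"CET": 1, "CEST": 2, "UTC": 0, "GMT": 0}

def parse_fields(text):
    """Return {label: value} for every 'Label:   value' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def parse_time(value):
    """Parse 'Jan 25, 2014 1:12:56 PM CET' into a timezone-aware datetime."""
    stamp, zone = value.rsplit(" ", 1)
    if zone not in TZ_OFFSETS:
        raise ValueError(f"unknown time zone abbreviation: {zone}")
    naive = datetime.strptime(stamp, "%b %d, %Y %I:%M:%S %p")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))

def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def assess(text, now):
    # Issuer == Subject is a name-based heuristic; the signature is not in the text.
    f = parse_fields(text)
    not_after = parse_time(f["Valid To"])
    return {
        "self_signed": normalize_dn(f["Issuer"]) == normalize_dn(f["Subject"]),
        "issuer": f["Issuer"],
        "expired": now > not_after,
        "days_past_expiry": max((now - not_after).days, 0),
    }

if __name__ == "__main__":
    # Constructed "now": the date the question was posted.
    print(assess(CONSOLE_TEXT, datetime(2014, 2, 14, tzinfo=timezone.utc)))
```

A result of `self_signed: False` points renewal at the issuing CA named in the Issuer field rather than at the host that presents the certificate.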
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39860960
You should probably first check pg 172 to 177 to see if it helps. There is a long-life SSL cert signed by the internal RSA CA, unique in each deployment. Also note the specifics on pg 173 on the use of a 3rd-party cert, the requirement for importing the cert, and the replacement of the expired cert.

http://www.emc.com/collateral/15-min-guide/h12276-am8-administrators-guide.pdf

I suspect there are a couple of certs, and we need to activate the SSL cert in the server so that it is the actual one running live. The replacement of the active console cert has to be done before it expires; otherwise, when the console cert has expired, you (rightfully) should not be able to start the Auth server after it is stopped. There is an RSA tool stated in the PDF to help perform manual replacement and restart the service again.

Best to have support confirm if not sure, since this is specific to the RSA product.