on 07-30-2009 6:26 PM
We have installed a WebDispatcher and want to use SSL and executed the following steps:
1. Generate Self-Signed Certificate and CSR by:
sapgenpse get_pse -p SAPSSLS.pse -r SAPSSL.req "CN=emsd3c.cs-apps.carestreamhealth.com, OU=IT, O=Carestream Health, C=US"
2. User service.sap.com/trust SSL Test Server Certifcated service to signed the CSR which looks like
-
BEGIN CERTIFICATE-----
MIIBpDCCAQ0CAQAwZDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEUNhcmVzdHJlYW0g
SGVhbHRoMQswCQYDVQQLEwJJVDEsMCoGA1UEAxMjZW1zZDNjLmNzLWFwcHMuY2Fy
ZXN0cmVhbWhlYWx0aC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAP+w
TmRWeRlt1tg5GnjMloRhezO6lRJ1mhgNcWGQTECtAXDVypnznTFhimj3OG1zgW
gItJ1u4GjvQuYR2w2T92UrV3mnORrlHfpYOBCngRwQWfSaG7Ih5g3NeQ4bAq60Ap
0BwVg9hTpjZfTXfqYQHyzYPk6Pv9c+l0m3Va/DMfAgMBAAGgADANBgkqhkiG9w0B
AQUFAAOBgQBw6ipAyPUor96WGIOu93v7jjxE0uLuCMkfjaHnuqpYaOWM7z6XQn
2jWMwEKG4vsvU1X5azUuqA1yidH5+GXTD0VCbXUqLWZEP6S2FMJXixv/e3QELYrT
qBee2JDYPAdoMkKX/cwshFwXXo41R/gjEwn6aBDg9jkA70xFZEOjTQ==
-
BEGIN CERTIFICATE-----
The certificated signed by SAP looks like and I have created a file called d3c_test.cer to contain it:
-
BEGIN CERTIFICATE-----
MIIC5zCCAlCgAwIBAgIDANTZMA0GCSqGSIb3DQEBBQUAMFAxCzAJBgNVBAYTAkRF
MRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MQ8wDQYDVQQLEwZTZXJ2ZXIx
EjAQBgNVBAMTCVNlcnZlciBDQTAeFw0wOTA3MjkxNzM4NDVaFw0wOTA5MjcxNzM4
NDVaMIGAMQswCQYDVQQGEwJERTEcMBoGA1UEChMTU0FQIFRydXN0IENvbW11bml0
eTEYMBYGA1UECxMPQ2FyZXN0cmVhbUhlYXRoMQswCQYDVQQLEwJJVDEsMCoGA1UE
AxMjZW1zZDNjLmNzLWFwcHMuY2FyZXN0cmVhbWhlYWx0aC5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAPjouDXa5nj8UQN77E53KCn1Xv2mI4uQMwz2cv
2YLL0086PfLzv+GZgMNsykmFzCAw2Nq2PthvhRhIUSZmCWgF36vN3GnwYPhc3flw
bvYGkeyFvJ3i3I0xiZTwVdvNDnd/GmLH6VCqCEbIwPXEJJamWop6SumaHl7h5KgV
aaqPAgMBAAGjgZ0wgZowDAYDVR0TAQH/BAIwADAlBgNVHRIEHjAchhpodHRwOi8v
c2VydmljZS5zYXAuY29tL1RDUzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8B
Af8EBAMCBPAwHQYDVR0OBBYEFHBRAASwukLlThOY+NbGKycJGjjIMB8GA1UdIwQY
MBaAFIHbg/NK+zUYCLkBvbcdW51zNVtJMA0GCSqGSIb3DQEBBQUAA4GBAIxe9gRz
7UdawNwiIyKo2jvg6P0VnvPRMiyfMJdtbaTarinJmgP2yghMGKx84twvEds9GV42
xUXbX/AHdgI3ef8N/WXvs15Hi4GnMdb/d7zhz3DAcjajbr7xmFycFFqRSwJ68Kb0
JF2cZLtwh9G0dJZMbT5ihJ61mCVMXvIbH27s
-
END CERTIFICATE-----
3. Execute the following commend to import SAP's response (d3c_test.cer)
sapgenpse import_own_cert -c d3c-test.cer -p SAPSSLS.pse
Receive the following error:
sapgenpse import_own_cert -c d3c-test.cer -p SAPSSLS.pse
Please enter PIN: ****
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
Any help will be appreciated.
Thanks
Rivers
Hi.
I did the same with genpse. I included the -x option. That means the PIN that protects the PSE.
Didn't you entered a pin when creating the request file?
Maybe you'll find something here:
[http://help.sap.com/saphelp_nw70ehp1/helpdata/en/80/d753d7a8a96a4297335e2211a87ac0/frameset.htm]
regards,
Martin
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I understand that this is an old thread...
For those who face a similar issue - here is the resolution that worked for us:
sapgenpse -import_own_cert -c d3c-test.cer -p SAPSSLS.pse -r <RootCA_cert_file>
The root certificate of our CA was not part of the certificate response. So, we had to use the "-r" option and provide the RootCA_cert_file
Hope this helps.
Sri Garimella
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Sri Garimella,
As you have mentioned above to donwload root certificate also & giv the command as
sapgenpse -import_own_cert -c d3c-test.cer -p SAPSSLS.pse -r <RootCA_cert_file>.
Could you please help me from where can i get the RootCA_cert_file ?
In service market place I am unable to find RootCA_cert_file.
Could you please elloborate the issue ?
Regards
Hari
Hi,
Your signed certificate is not valid because it is obsolete : valid from July 29th 2009 until September 27th 2009.
It is also missing the Certification authorities path.
You need to download the SAP CA certificates and include them.
I personnally use transaction STRUST to manage certificates because I find it much more user friendly than the command line utility sapgenpse.
Regards,
Olivier
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
87 | |
10 | |
10 | |
9 | |
7 | |
6 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.