Application Development Discussions
HTTPS - SSL configuration of AS Java - Browser throws warning

Former Member

Hi All,

We have an EP7.0 EHP1 system in our landscape. We have enabled SSL for accessing the portal using the https protocol.

It is accessed through the URL https://<portal>.<company>.com

The certificate for this website has 4 levels of hierarchy, as follows:

Valicert

-> RSA Application Server CA root

-> <Company> Certificate CA root

--> <portal>.<company>.com certificate

We created a CSR and got the response from my company CA. The certificates were imported into the AS Java VA Key Storage as follows, in the order below.

1. <portal>.<company>.com certificate

2. <company> Certificate CA root certificate

3. RSA Application Server CA root certificate

4. Valicert root certificate.

This was imported into the Private key generated for <portal>.<company>.com.

Though all browsers have the Valicert CA root certificate, when end users access this website they still get a warning stating that the issuing system is not trusted, and it recommends not proceeding to the website.

When we try to see the certificate, we see only <portal>.<company>.com; the RSA Application CA and <company> Certificate CA are not present in the hierarchy.

This warning does not come if we send the <company> Certificate CA root certificate separately to the end user and ask them to import it into their system.

I have the following questions.

1. Should the AS Java engine be able to send the entire hierarchy of certificates to the client browser? We are seeing only the last <portal>.<company>.com certificate when we go into the details of the warning.

2. As end users are unable to import even this certificate, how do we rectify the situation? Are we missing some setup?

I apologize if the explanation is not very clear. I am new to the SSL concept and the entire flow is a little confusing for me.

Please provide your guidance on this.

Thanks and Regards,

Raghavan

1 ACCEPTED SOLUTION

martin_voros
Active Contributor

Hi,

AS does not provide the complete chain of certificates. This would be a serious security issue. AS does not even need to have the root certificate imported in the PSE. AS just says "here is my certificate". The client needs to verify this certificate. In your case the client does not know where to get the intermediate certificates. So you need to import the company certificate into Intermediate Certification Authorities in IE.

Cheers

6 REPLIES

WolfgangJanzen
Product and Topic Expert

>

> Hi,

>

> AS does not provide complete chain of certificates. This would be a serious security issue. AS does not even need to have root certificate imported in PSE. AS just says here is my certificate. The client needs to verify this certificate. In your case the client does not know where to get intermediate certificates. So you need to import company certificate into Intermediate Certification Authorities in IE.

>

> Cheers

Sorry, but I do not agree with that statement.

The SSL server is allowed to send the entire chain of certificates and the SSL client might use that information, except for the root certificate (trust anchor).
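The point made above can be reproduced locally. The following script is an added illustration, not code from this thread or from SAP: it builds a constructed three-level chain (root -> intermediate -> leaf) with openssl and then verifies the leaf the way a browser does, where the root is the trust anchor the client already holds and the intermediate must come from the server's handshake. Without the intermediate the leaf alone cannot be validated, which is exactly the warning end users see when only the end certificate is presented. All names (Example Root CA, Example Issuing CA, portal.example.com) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread or from SAP).
# Builds a constructed root -> intermediate -> leaf chain with openssl and
# shows why a client that trusts only the root still needs the intermediate
# from the server. Names below are constructed placeholders.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: CA certificates must carry CA:TRUE and keyCertSign,
# the leaf is explicitly not a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:portal.example.com\n' > "$WORK/leaf.ext"

build_chain() {
    # Root CA (the "Valicert" role): self-signed trust anchor the client holds.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -days 2 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

    # Intermediate CA (the "company CA" role), signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

    # Leaf (server) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=portal.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

    # What the server should present in the handshake: leaf first, then the
    # intermediate(s). The root is deliberately left out; the client has it.
    cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/server_chain.pem"
}

# Browser-like check: trust only the root, take the rest from the server.
verify_with_server_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/server_chain.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1 && echo OK || echo FAIL
}

# Same client, but the server presented only its end certificate.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1 \
        && echo OK || echo FAIL
}

build_chain
printf 'leaf + intermediate, root as trust anchor : %s\n' "$(verify_with_server_chain)"
printf 'leaf only, root as trust anchor           : %s\n' "$(verify_leaf_only)"
```

The first check succeeds and the second fails; a browser holding only the Valicert root is in the second situation whenever the server sends just the end certificate. To see what a real server actually sends, `openssl s_client -connect host:443 -showcerts` prints every certificate in the handshake, so an administrator can confirm whether the intermediates are being delivered before asking end users to import anything.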

0 Kudos

>

> Sorry, but I do not agree with that statement.

> The SSL server is allowed to send the entire chain of certificates and the SSL client might use that information - except of the root certificate (trust anchor).

Yes, you are right. It's my fault. Thanks for correcting me. It's clearly written in RFC 5246.

Cheers

0 Kudos

Hi Voros and Paul,

Thanks for your valuable insights into the SSL process. This clears the fact that the AS Java must send the certificate chain to the client.

In my case, this chain is not seen in the client. It only shows the end certificate for the website, <name>.<company>.com.

The 3 levels of certificates up to the Valicert root are not seen.

Have we missed something when setting up SSL? We imported the chain in the order recommended in the SAP Note for the Verisign CA. We had to adopt that because there was no data on Valicert CA chains.

It would be very helpful if you could share your ideas on why this issue is coming up in AS Java.

Thanks and Regards,

Raghavan

Former Member

Hi Guys,

Our problem still continues, but the root is our company root, which ideally all users must install on their local desktop. If that is done, the error does not come up.

Regards,

Raghavan

0 Kudos

Hi,

How did you import all the certificates from the chain? Take a look at note 694290. It describes how to create a new chain for a certificate issued by a CA. It might help you to create a chain for your certificate as well.

Cheers