ICM SSL and signing using MS Certificate Server

Former Member
0 Kudos

Hello,

I've been searching for hours on end on this issue, and have not yet come across a clear explanation on how to do it, or how to solve it.

When configuring HTTPS for ICM I'm having an issue with certificates signed by our internal Certificate authority.

When I create a default (unsigned) certificate, the links work correctly, and we receive a certificate exception (which is normal). Now, to avoid this exception, we would like to have it signed using our internal CA. The pages being viewed are for internal use only, which is why we do not want to pay for a certificate.

When using the signed certificate and going to the same HTTPS link as before, the web page no longer works (I think it's due to the wrong CN in the certificate).

I gather this is due to having a wrong FQDN (in the CN), but I'm unsure on how to change this.

This is what I do.

In STRUST, I generate a ticket (SSL Server Standard -> Create)

I fill in the requirements (so for CN --> *.domainname.extension) and then generate the certificate (so CN now has hostname.domainname.extension).

When I use https (port 443), everything works. I receive the "Certificate not trusted" warning.

However, we want to get rid of this warning, which is why we're signing the certificate using the Microsoft Certificate Server.

This is how I do it:

In STRUST I click on the certificate and choose "Generate certificate request"

I then log onto the certificate server with user SAPService<SID> (I'm not even sure if I'm supposed to login with that user ID, but it seems logical to me).

I then go to:

- Request a certificate (--> Next)

- Advanced Request (--> Next)

- Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file (--> Next)

- Paste my certificate request into the text box provided (--> Submit)

I'm then presented with a certificate response file (choose base64 -> save onto Desktop -> Open certificate with notepad, copy the certificate response).

Go back to the SAP system --> STRUST

Then I click on "Import Cert. Response" and paste the response code into the textbox.

NOW... the 'normal' certificate changes (CN and everything changes --> CN is now the FQDN of the certificate server... oddly enough).

Now, after restarting ICM, I try the HTTPS url again... and I cannot even connect to the page anymore (hostname not known)... which is probably because of the wrong CN hostname in the certificate in STRUST.

I'm a bit baffled here... I'm not sure how to change this CN= stuff. And I'm not even sure why the certificate response is actually changing my certificate.

Any help would be appreciated.

Also, the ICM logs don't really show me any useful information (I'm on trace level 3).

Thanks in advance.

Kind regards,

Ryan.

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi,

I am also using an internal PKI to sign my ICM SSL certificates and it works perfectly.

When you get the signed certificate (CER? CSR? P7B file?) try to open it from a Windows PC by double clicking it.

Check the CN. If it is not the ICM server CN then the problem is with your PKI.

In STRUST be sure to import the complete certification chain with the CA certificates.

The easiest way I found is to import a base64 encoded P7B file. One click to import the P7B file in STRUST and it's done.

Regards,

Olivier

Former Member
0 Kudos

Hello Olivier,

Thank you for your explanation.

However, it is unclear what the actual CN is. The only reference to CN I can see is in the "Issuer" field => CN=CERT_server.

And the certificate is issued to SAPService<SID>.

Maybe a far-fetched question, but would you know of any guide which explains exactly how to sign your own certificate for use on SAP? In our PKI, the only option I have is to generate a user certificate (which is why the certificate is issued to SAPService<SID>).

Unfortunately, our Windows guys don't know the solution either (or just don't have the time... I don't know).

So, I'm wondering, is it the type of certificate I'm asking? I'm guessing a user certificate is not exactly what I need (issued to SAPService<SID>) but maybe I'd need a server certificate?

What kind of certificate did you request from your PKI when signing?

Thanks in advance.

Kind regards,

Ryan.

Former Member
0 Kudos

Hi,

Yes, the problem is that your internal PKI is only set up to generate user client certificates.

These are usually used for user authentication and email signatures and are NOT suited for an SSL server certificate.

Your PKI guys need to learn their product and to configure it to be able to sign decentralised SSL server certificates.

It is very strange that it is not already done because this is one of the 2 most basic usages of a PKI...

The documentation to read is the MS certificate one, not a SAP one.

Regards,

Olivier
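As an added example (not code from this thread), a PowerShell check to run on a Windows PC against the certificate response before pasting it into STRUST: it prints the Subject CN, the issuer and the SAN names, and flags a certificate that carries no Server Authentication EKU, which is what a user template produces and what this thread turned out to be. The file names request.csr and response.cer and the FQDN are assumed placeholders, and the WebServer template name is the default Microsoft template, assumed to be published on the CA.

```powershell
# Added example: validate the CA response before "Import Cert. Response" in STRUST.
param(
    [string]$CerPath      = ".\response.cer",                # assumed: response saved from the CA
    [string]$ExpectedFqdn = "hostname.domainname.extension"  # placeholder: the ICM host's FQDN
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (Server Authentication)
$sanOid        = "2.5.29.17"           # subjectAltName

# Loads both DER and base64 (PEM) .cer files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)

# Subject CN must be the ICM host, not the CA host and not the SAPService<SID> account.
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
Write-Host "Subject CN : $cn"
Write-Host "Issuer     : $($cert.Issuer)"

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
if ($san) { Write-Host "SAN        : $($san.Format($false))" } else { Write-Host "SAN        : (none)" }

# Extended Key Usage tells you which template the CA applied.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
Write-Host "EKU OIDs   : $($ekuOids -join ', ')"

$problems = @()
if ($cn -ne $ExpectedFqdn) {
    $problems += "Subject CN '$cn' is not the ICM FQDN '$ExpectedFqdn'"
}
if ($ekuOids -notcontains $serverAuthOid) {
    $problems += "No Server Authentication EKU ($serverAuthOid): a user/client template was used"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: server certificate for $ExpectedFqdn. Import it in STRUST together with the CA chain (P7B)."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Host "Re-submit the STRUST request against a server template on the CA, for example:"
    Write-Host '  certreq -submit -attrib "CertificateTemplate:WebServer" request.csr response.cer'
}
```

The certreq line does the same as the web enrollment form in the original post, but names the template explicitly, so the CA cannot fall back to a user template.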