Application Development Discussions
Enabling SSL - Certificate Chain

sid-desh
Advisor
0 Kudos

Hi,

I have been trying to enable SSL on the J2EE engine and face the following issue. I created a key pair and public key certificate in the service_ssl view. I then generated a CSR. For testing purposes I used <a href="https://www.thawte.com/ucgi/gothawte.cgi?a=w44700158187049000">this</a> link to get the request signed. I then imported the response and also made the required settings in the SSL provider service. However, while using the URL https://<server>:<sslport>; I am getting a certificate error which states that the certificate cannot be verified up to a trusted authority.

I read a little and realised that I need to download the Test Root CA certificates. They have been provided at the link given above. However, now I am not sure how and where to load this certificate.

In places it has been mentioned that I need to install the root certificate in the client. However, my understanding was that I can present a chain of certificates (Root + my own signed cert) from my server to the browser. Also, I was under the impression that the browser will first check the certificate chain presented by the server; if the certificate cannot be verified, it will then check its own set of stored certificates. Is my understanding totally wrong?

Please advise, as I could not find any documentation on help.sap.com regarding this.

Thanks and Regards

Sidharth

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, in general the SSL client can evaluate the certificate chain provided by the SSL server - except the root certificate (which needs to be present at the SSL client). To ensure that intermediate CA certificates can be updated centrally (at the SSL server side), usually the SSL client will give priority to the received certificates rather than using the ones stored locally. Most CAs have contracts with vendors of the browsers (SSL clients) as well as with the vendors of the (web) servers / application servers to ensure that updated (root and intermediate) certificates are shipped with those products.

Regards, Wolfgang

14 REPLIES

yonko_yonchev
Active Participant
0 Kudos

Hi Sidharth,

The documentation is here:

http://help.sap.com/saphelp_nw2004s/helpdata/en/db/1f1740198d8f5ce10000000a155106/frameset.htm

Placing the certificate in the TrustedCAs Keystore view should fix the issue.

Regards,

Yonko

0 Kudos

Hi Yonko,

I thought that the TrustedCAs view is used when the J2EE Engine validates incoming client certificates.

For the certificates being sent by the J2EE engine, is the TrustedCAs view also used to send the root CA certificate?

Regards

Sidharth

0 Kudos

Hi Yonko,

I tried to place the CA Root Cert in the Trusted CA's view. It still does not work.

Regards

Sidharth

0 Kudos

Hi,

You were right: the TrustedCAs will be used when the AS Java is the client side in the SSL handshake. Try placing the CA certificate in the service_ssl view of the server. If it still doesn't work then you have to import the CA's certificate in your browser client.

In IE the CA certificate should go in the tab that appears under this browser menu Tools > Options > Privacy > Certificates > Trusted Root certification authorities.

Regards,

Yonko


0 Kudos

Hello Wolfgang,

Thank you for your response. My question is exactly as you have mentioned. If I treat the Root CA certificate as an intermediate certificate, how and where (Key Storage view) should I install it?

For Test CA certificates most of the root CA certificates will not be installed in the SSL client. This is my opinion.

Hence I am trying to find a way for this.

Thanks and Regards

Sidharth Deshpande

0 Kudos

Hi Sidharth,

you cannot treat a root CA certificate as an intermediate one, as it is self-signed only (contrary to an intermediate, which is signed by an uplevel CA). The root CA certificate has to be present on the other end of the connection prior to establishing the connection. Otherwise you will not be able to connect, as the SSL handshake will fail.

You are right that for test CAs the certs are not preinstalled; that is even on purpose, as test CA certificates are not trusted. Installing a certificate means establishing trust. If it worked as you described, everyone could mimic a trusted SSL connection by just sending some CA certificate of a CA he created. Not a very secure scenario.

If you want to have the certs being preinstalled on the remote end, you either have to use a full certificate from a trusted CA or you have to install your test CA cert on the remote end.

regards,

Patrick

0 Kudos

Hi Patrick,

This comment is very much the answer i was looking for. Thank you very much.

Just one last thing. Where do we have to install the intermediate CA certificates? They have to be installed on the server, am I right? In which view do I install these if they are delivered separately by the CA?

Thanks and Regards

Sidharth

0 Kudos

Sidharth,

Did you finally get an answer on this? I have a similar issue and I would be very much interested to know where you have to install the intermediate and root CA certificates.

Regards

Andreas

0 Kudos

See my previous posting (by scrolling up the screen):

the root CA certificate needs to be present at the SSL client - if the SSL client is the browser you need to obtain the root CA certificate from a reliable source and install it to your browser's keystore (for IE: double-click on the certificate file and you'll be asked whether the certificate should be added to the root certificate keystore).

Best regards, Wolfgang

PS: as for the "SSL Test Server Certificates" (which can be obtained from <a href="http://service.sap.com/ssltest">http://service.sap.com/ssltest</a>): the root CA certificates can be downloaded from <a href="https://tcs.mysap.com/invoke/tc/getCert?SAPServerCA.der">https://tcs.mysap.com/invoke/tc/getCert?SAPServerCA.der</a>


0 Kudos

Wolfgang, thanks

At least I am clear with the root CA certificate now, that it has to be installed in the browser. Together with the root CA certificate, I received two more certificates from Verisign, the Intermediate one and the response to my CSR request. I imported the response to my CSR request in Visual Admin, Keystorage Service, View "Service SSL" by selecting the private key entry and then clicking on "Import CSR response". How am I supposed to install the Intermediate Certificate?

Many thanks

Andreas

0 Kudos

Well, for VeriSign certificates the case is different:

- you do not have to install the root CA certificate to the browser (since Microsoft is already shipping it, thanks to a special agreement with VeriSign - and other major Certification Authorities)

- you need to install the intermediate CA certificate either on the server or on the client side (I'd recommend installing it on the server side)

Well, if both (your SSL server certificate as well as the intermediate CA certificate) are base64-encoded you can simply concatenate both (ASCII) files into one single (ASCII) file and feed the result as "certificate response" to the Visual Admin. That's at least the way it works for the ABAP server (transaction STRUST), see <a href="https://service.sap.com/sap/support/notes/518185">SAP Note 518185</a>, section 4.

Cheers, Wolfgang

PS: <a href="https://service.sap.com/sap/support/notes/508307">SAP Note 508307</a> describes the same procedure

0 Kudos

It is not necessary to store intermediate certificates. They will be exchanged automatically during the SSL handshake. Just make sure that the root certificate is installed as a trusted certificate in all participating clients and servers.

0 Kudos

Well, one of them has to store them (<u>intermediate</u> certificates).

I agree: they need <u>not</u> be present at the SSL client (i.e. the browser, in most cases); but then they need to be stored at the SSL server (which will send them along during the SSL handshake - that I agree).

But for the <u>root</u> certificate it's different: that one needs to be present at the SSL <u>client</u>. It must <u>not</u> be accepted if (only) sent along by the SSL server (even if the SSL server does so) - for obvious security reasons.
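The rule Patrick and Wolfgang describe (the server may ship its own certificate plus the intermediates, but only a root already installed at the client can terminate the chain) can be checked with a small three-tier test PKI. This is an added example, not code from the thread or from SAP: it uses Go's standard-library X.509 verifier as a stand-in for the browser, and all CA names and the host name app.example.test are constructed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs a certificate for cn with the parent's key; a nil parent means self-signed (root CA).
func issue(cn string, tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.Subject, tmpl.BasicConstraintsValid = pkix.Name{CommonName: cn}, true
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // demo-only serial; a real CA keeps a counter
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key // root CA signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ChainVerifies plays the browser: trusted is its preinstalled store, sent is what the server
// presented after its own certificate. Only a certificate in trusted may terminate the chain.
func ChainVerifies(leaf *x509.Certificate, sent, trusted []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool() // empty pool, so the system store is NOT consulted
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "app.example.test"})
	return err == nil
}
// Demo builds the constructed test PKI (root -> intermediate -> server) and returns the three outcomes discussed above.
func Demo() (interSent, interMissing, rootSentButUntrusted bool) {
	root, rootKey := issue("Demo Test Root CA", &x509.Certificate{IsCA: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	inter, interKey := issue("Demo Test Intermediate CA", &x509.Certificate{IsCA: true, KeyUsage: x509.KeyUsageCertSign}, root, rootKey)
	leaf, _ := issue("app.example.test", &x509.Certificate{DNSNames: []string{"app.example.test"}, KeyUsage: x509.KeyUsageDigitalSignature}, inter, interKey)
	interSent = ChainVerifies(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}) // server ships the intermediate, client trusts the root
	interMissing = ChainVerifies(leaf, nil, []*x509.Certificate{root})                     // server forgot to ship the intermediate
	rootSentButUntrusted = ChainVerifies(leaf, []*x509.Certificate{inter, root}, nil)      // root only sent by the server, never installed
	return
}
func main() { fmt.Println(Demo()) } // true false false
```

The third case is the one Sidharth originally hoped would work: the server sends the root along with the chain, but without that root in the client's store the handshake must still fail.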