Create certificate with Signature Algorithm "SHA1"

Former Member
0 Kudos

Dear experts,


When I create a private key from the Netweaver Administrator of our SAP PI 7.11 SP1 environment, this private key contains Signature Algorithm: md5WithRSAEncryption.


Our service provider, which will sign our Certificate Signing Request (PKCS#10), expects a "SHA-1 With RSA encryption".


I saw that our NW7.31 SP8 Portal system already creates a certificate with the Signature Algorithm: sha1withrsaencryption.


What affects the Signature Algorithm? Is this the version of the Cryptolib or the release of the Netweaver version (NW7.11 / NW7.31)? What can we do to get the "sha1withrsaencryption" Signature Algorithm in our NW7.11 system?


Thanks for your help!


Best regards,

Joost Weghorst

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi,

Java crypto provider needs to support this combination of algorithms. I would say that provider in 7.1 supports this but documentation does not say anything about changing hash algorithm. I don't have access to 7.1 at this moment. You can always try to create request outside of the system and then import signed cert returned from CA plus private key. Just use correct host name when generating new pair of keys.

Cheers

Former Member
0 Kudos

Yes, creating the request on another (NW7.31 release) system is a good work-around
we already tried. After importing the signed certificate in the target system
(NW7.11 release) the connection works.

Only for a long-term solution, we also want to create the right certificates on the
target system itself.

So I hope someone knows the answer to what we should upgrade to get this functionality.

Best regards,

Joost

mvoros
Active Contributor
0 Kudos

Hi Joost,

this is a long shot but it may be useful for you. I disassembled the jar that implements the keystore for Java AS. You can find Java code there like

    if (signKey.getAlgorithm().equals("DSA"))
      algorithmID = AlgorithmID.dsaWithSHA;
    else if (signKey.getAlgorithm().equals("DH"))
      algorithmID = AlgorithmID.dhKeyAgreement;
    else {
      algorithmID = AlgorithmID.sha1WithRSAEncryption;
    }

So it seems to me that it has a hard coded algorithm that is used for hashing. This is from a 7.31 system. I don't have access to 7.11 to check if it has hard coded md5 instead of sha1. But it looks to me that there is no option how to control this. Hence the only way to switch to sha1 seems to be an upgrade of Java AS.

Cheers

Former Member
0 Kudos

Another option is to use the external tool sapgenpse that is provided with the SAP Cryptographic Library to generate the keys/certificates. In NWA you can import externally generated keys/certificates. Use -a sha1WithRsaEncryption with sapgenpse.
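A check for the workaround discussed in this thread, added here as an example and not part of any poster's reply or of SAP's code: a small Python parser that reads a PKCS#10 request (DER or PEM) and reports its signature algorithm, so an md5WithRSAEncryption request is caught before it goes to the CA. The sample requests are constructed placeholders (dummy fields, zeroed signature) and every function name is this example's own.

```python
import base64

SIG_ALGS = {  # standard signature algorithm OIDs
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):  # returns (tag, value_start, value_end) of one DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):  # base-128 arcs; first byte packs the first two arcs
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def csr_signature_algorithm(data):  # name (or dotted OID) of the CSR's signature algorithm
    if b"-----BEGIN" in data:  # PEM: keep only the base64 body
        body = [l for l in data.splitlines() if l and not l.startswith(b"-----")]
        data = base64.b64decode(b"".join(body))
    tag, start, _ = read_tlv(data, 0)               # CertificationRequest
    _, _, info_end = read_tlv(data, start)          # certificationRequestInfo, skipped
    _, alg_start, _ = read_tlv(data, info_end)      # signatureAlgorithm
    oid_tag, oid_start, oid_end = read_tlv(data, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a PKCS#10 request")
    oid = decode_oid(data[oid_start:oid_end])
    return SIG_ALGS.get(oid, oid)

def der(tag, body):  # minimal DER encoder, used only to build the constructed samples
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(raw)]) + raw) + body

def sample_csr(oid_hex):  # constructed placeholder request, not a validly signed CSR
    info = der(0x30, der(0x02, b"\x00") + der(0x30, b"") + der(0x30, b"") + der(0xA0, b""))
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, info + alg + der(0x03, bytes(129)))
```

To check a real request, pass the bytes of the exported .p10 or .csr file to `csr_signature_algorithm`.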

Former Member
0 Kudos

I guess this functionality is delivered in another Netweaver version or SPS release.

Creating the certificate in another (compatible) system and importing it back is a good work-around.

former_member228357
Participant
0 Kudos

Hello!

I guess this is something about parameters on RZ10:

    ssl/ssl_lib      /usr/sap/<ID>/SYS/exe/sso/libsapcrypto.o
    sec/libsapsecu   /usr/sap/<ID>/SYS/exe/sso/libsapcrypto.o
    ssf/ssfapi_lib

Try to look for SAP Notes:

510007 - Setting up SSL on Application Server ABAP and 455033 - SAPCRYPTOLIB versions, bugs and fixes



I hope it could help someone.


best regards


Denner Andrade