
Certificates and Keys

r_s_kulkarni11
Participant
0 Kudos

Hello Experts,

I want to know: can I transport (export/import) the keys and view from my dev system to my QA system?

I mean I want to know if this is the correct procedure, or do I need to go through the steps of creating keys through OpenSSL and all again?

I have 2 views, and under each of them there is one key entry, so can I export them all from dev and import them into QA?

Thanks in advance.

Accepted Solutions (1)

naveen_chichili
Active Contributor
0 Kudos

Hi Rahul,

My suggestion is to deploy the keys/certificates in the individual systems.

Thanks and Regards,

Naveen

r_s_kulkarni11
Participant
0 Kudos

Hello All,

To expand my query, I just want to confirm my understanding:

To create a key and certificate signer request, is it compulsory to use OpenSSL?

If not, is it fine if I create these by using NWA of the PI system?

I will use the following procedure:

1. Create a key entry in the view using the required details.

2. I will create a certificate signer request for that key.

3. I will send this key to the third party to get it signed.

4. When I receive the response (X.509 certificate), do I need to import that certificate? Or do I need to import it as a certificate signer request response?

S0003485845
Contributor
0 Kudos

Hi Rahul.

Of course you can use the NetWeaver Keystore using the following procedure

(so no need for openSSL)

1. create a key (and certificate)

2. create the "CSR"

3. send the "CSR" (not the key) to the one to sign it (authority)

4. Import back the "CSR" into your keystore

Now you have a key with a signed certificate and can also export the signed certificate from this key...to provide it to your partners

The Private Key should NEVER be sent out to anyone...

You can also check with this thread

http://scn.sap.com/message/14295273#14295273

...and see the answers at the end.

Kind Regards

Stefan

r_s_kulkarni11
Participant
0 Kudos

Hello Stefan,

So I need to send the CSR by using the certificate and not by key, right? (I mean, from which entry, key or certificate, should I generate the CSR?)

I mean, should I select the store certificate option and then, by selecting this entry for the certificate, create the CSR?

After that, this CSR will be sent to the authority and then they will return me the response to the CSR, and that I need to import in NWA. (Must importing be done by selecting the key or the certificate?)

Thanks in advance.

r_s_kulkarni11
Participant
0 Kudos

Hello Stefan,

I have again checked and can see that the CSR can be only created using the Key entry.

So why do we need the certificate to be stored?

S0003485845
Contributor
0 Kudos

In a lot of cases you can also use a "self-signed" certificate...which is the one that is stored during the key-creation.

Kind Regards

Stefan

r_s_kulkarni11
Participant
0 Kudos

Hello Stefan,

Actually my requirement is that we will get the certificate signed by a third party, so I want to know: do I also need to select store certificate while creating a key, and then send the CSR to the third party to sign?

Please confirm the below steps that I need to follow and suggest if the changes are required.

1. Create key (with or without certificate?)

2. Generate CSR from that key.

3. Send this CSR to third party for signing.

4. They will send me the response and then I need to import it into my NWA.

My question is that in the already developed interface I can see one private key that is signed by a third party. So how do I achieve this using NWA?

Thanks in advance.

S0003485845
Contributor
0 Kudos

Hello,

1. Create key (with or without certificate?)

2. Generate CSR from that key.

3. Send this CSR to third party for signing.

4. they will send me the response and then I need to import it into my NWA.

These steps are correct. (And it doesn't matter in your case if you store the certificate during key creation, since you can always export the certificate from the key.)

After step 4 you will be able to export a "signed certificate" from this key.

Kind Regards

Stefan

r_s_kulkarni11
Participant
0 Kudos

Hello Stefan,

Thanks for the reply, but I think I need to use this signed certificate in my PI system, as I am using the token lookup where I will look for this signed certificate in the PI system. Thanks again for the help, just a few more questions to clear my doubt.

As I can see from my available key, the lookup is happening on the key itself; I mean the key is signed by the third party, and you can see it below.

Here Subject name are my details and Issuer name are third party details.

and even as you can see that the entry is showing as PRIVATE KEY.

So suppose I follow our procedure discussed above, I will have a signed certificate and not the key.

Please let me know your thoughts?

S0003485845
Contributor
0 Kudos

Hi,

Here Subject name are my details and Issuer name are third party details.

and even as you can see that the entry is showing as PRIVATE KEY.

=> in the screenshot, you can see that the lines "subject name" / "issuer name" are below the line that reads "Certificate"

...so these are attributes of the X.509 certificate that is contained in your Private-Key... and whenever you export a 509-certificate from this private key (to provide to your business partners) this will be a "signed certificate"

=============================

For additional explanation, I have just created a PrivateKey in my Keystore... and here you can see that after the line certificate, the Subject name and the Issuer name are the same, since this certificate is not signed by any 3rd party (no CSR has been exported and reimported)

And if you look at the certificate entry (that was stored with the option "store certificate") you can see that it has exactly the same content as you can see in the Private key (under the line certificate)

Here you can also see that it doesn't matter if you select "store certificate", as the certificate is anyway stored inside the PrivateKey-entry and can be exported from there anytime...

I hope that this clarifies now everything

Kind Regards

Stefan
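
The four-step flow confirmed above and the subject/issuer comparison from the last reply, reproduced with OpenSSL instead of the NWA keystore. This is an added example, not part of the original thread; the CA, the host name `pi-dev.example.test` and all file names are constructed.

```shell
#!/usr/bin/env bash
# Added example: CSR round trip with OpenSSL. All names below are constructed.
set -eu

# Print the name that follows "subject=" or "issuer=" in openssl's output.
cert_field() { openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"; }

# Criterion from the thread: subject == issuer means no third party signed it.
is_self_signed() { [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]; }

# A CA response belongs to a key entry only if both carry the same public key.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

csr_roundtrip() {  # $1 = working directory
  d=$1
  # Stand-in for the third-party CA; in practice this key exists only at the CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Third Party CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Step 1: create the key; a self-signed certificate is stored with it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=pi-dev.example.test" \
    -keyout "$d/pi.key" -out "$d/pi-selfsigned.crt" 2>/dev/null
  # Step 2: generate the CSR from that key. It holds only the public key.
  openssl req -new -key "$d/pi.key" -subj "/CN=pi-dev.example.test" \
    -out "$d/pi.csr"
  # Step 3: only pi.csr is sent out; the CA signs it and returns a certificate.
  openssl x509 -req -in "$d/pi.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/pi-signed.crt" 2>/dev/null
}

demo=$(mktemp -d)
csr_roundtrip "$demo"

echo "before CSR: subject=$(cert_field "$demo/pi-selfsigned.crt" subject)"
echo "            issuer =$(cert_field "$demo/pi-selfsigned.crt" issuer)"
echo "after CSR:  subject=$(cert_field "$demo/pi-signed.crt" subject)"
echo "            issuer =$(cert_field "$demo/pi-signed.crt" issuer)"

# Step 4 check before import: the response must match the local private key.
if cert_matches_key "$demo/pi-signed.crt" "$demo/pi.key"; then
  echo "response matches the private key: safe to import onto that key entry"
fi
if grep -q "PRIVATE KEY" "$demo/pi.csr"; then
  echo "CSR contains private key material"
else
  echo "CSR contains no private key material"
fi
```

The private key file is read only on the system that created it; the signed certificate replaces the self-signed one attached to the same key, which is why the keystore entry still shows as a private key after the import.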

Answers (1)

Dimitri
Active Contributor
0 Kudos

Hi,

Sometimes keys and certificates are based on machine names or hardware keys.

Be careful when you copy them from other environments.

Kind regards,

Dimitri