How to Implement CA Root

Former Member
0 Kudos

We have a great deal of external web services which we call from SAP via HTTPS. As consumers of the service, each time their certificate expires we have to wait until the provider renews it and re-import it. If we do not do this and the certificate expires we get SSL errors.

But surely SAP supports the idea of a CA Root? In that case we would only need to manage the certificate of the CA Roots (e.g. Verisign, Thawte etc.) and all signed certificates would be trusted. Is there a guide on how to implement this?

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

The problem of expiring certificates exists regardless of whether CA roots are stored in the SAP system or not. The reason being that the certificates of your providers also expire, regardless of the expiration of the CA roots. See the attached link for the only official document I'm aware of that talks about the issue, the topic being NWSSO however.

http://scn.sap.com/community/netweaver-sso/blog/2013/09/30/change-root-certificate-in-secure-login-s...

Former Member
0 Kudos

Thanks. The problem is still there but it is much smaller: instead of managing 20+ certificates expiring at different times (every 3 years) I can manage a handful of CA certs which expire much less often.

Former Member
0 Kudos

That's incorrect. You will also have to trust the root CAs used to sign the certificates of your providers and since they are not maintained by SAP, as you have found out, you have to manage them too. The document I linked to doesn't provide a solution, it discusses the problem.

Former Member
0 Kudos

I don't see what you mean by "incorrect". I understand and agree with everything you just wrote: we manage our CA certificates and it's easier than managing individual domain certificates. Perhaps you could explain what you mean by "providers"?

Just to be clear: we are not concerned with issuing certificates but importing certificates of domains for which we consume web services.

Jozsó
Explorer
0 Kudos

There is no special guide, as the procedure is the same as the one you are currently following. (Import the CA Root into the TrustedCAs-view.)

Former Member
0 Kudos

I thought it must be that easy. I assume then that I don't need to import individual certificates which are signed by the CA and these can then be deleted? I assume that NW will then download the new ones as the old ones expire much like a browser does?

Former Member
0 Kudos

We don't have a "TrustedCAs-view" in STRUSTSSO2. We have various folders named by us. Based on Samuli's link I understand we just import it and categorize it as "Root CA"?
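
Added example, not part of the thread and not SAP code: the two trust models discussed above (importing each provider certificate versus importing only the signing root), reproduced with the OpenSSL command line standing in for the trust store. The CA name, host name, serials and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: the CA name, host name, serials and lifetimes are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Self-signed root CA, standing in for the public CA that signs the provider's certificates.
make_root() {
  openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Issue a server certificate signed by the root. $1 = name, $2 = serial, $3 = lifetime in days
issue_leaf() {
  openssl req -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ws.provider.example" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial "$2" -days "$3" -out "$WORK/$1.pem" 2>/dev/null
}

# $1 = trust store (PEM), $2 = presented certificate, $3 = days from now to evaluate at.
# -partial_chain lets a non-CA certificate in the store act as the anchor (the per-certificate import).
check() {
  at=$(( $(date +%s) + $3 * 86400 ))
  if openssl verify -partial_chain -attime "$at" -CAfile "$1" "$2" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

make_root
issue_leaf old 1001 365    # certificate the provider presents today
issue_leaf new 1002 730    # its renewal: same subject, new key and serial

echo "store = old leaf, server presents old:      $(check "$WORK/old.pem"  "$WORK/old.pem" 0)"
echo "store = old leaf, server presents renewal:  $(check "$WORK/old.pem"  "$WORK/new.pem" 0)"
echo "store = root,     server presents old:      $(check "$WORK/root.pem" "$WORK/old.pem" 0)"
echo "store = root,     server presents renewal:  $(check "$WORK/root.pem" "$WORK/new.pem" 0)"
# 400 days on: the old leaf has expired and is refused even though its root is trusted,
# while the renewal the server now presents validates without any import on the client.
echo "store = root, +400d, old leaf:              $(check "$WORK/root.pem" "$WORK/old.pem" 400)"
echo "store = root, +400d, renewal:               $(check "$WORK/root.pem" "$WORK/new.pem" 400)"
```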