
sapgenpse SANs

nicola_blasi
Active Participant
0 Kudos

Hello

In my company, from 1 January 2014 they want, in the request for the renewal of a certificate, at least one SAN, which can be the same as the CN field.

In other systems where we needed more SANs, we created the request and gave it to the certificator, also giving the other DNS names.

Now they want it in the request itself.

I don't think it is possible to do this in sapgenpse. Perhaps with openssl, but it is a non-SAP tool and I don't want to use it for now.

I've downloaded the latest sapcryptolib but I didn't find a solution.

Any idea?

Thanks

Nick

Accepted Solutions (1)

nicola_blasi
Active Participant
0 Kudos

Hi

There is a way to make a certificate request in STRUST giving at least one subject alternative name. Samuli pointed me in the right direction.

We can recreate the SSL standard server:

Define the hostname instead of "*" and click on 'modify'.

Copy the string, then at the end of it write " ; " and paste the same string. If you need to, you can change the hostname. In my case I left it the same because I don't need it; it is only to generate the certificate without errors.

Press Enter and then Enter again and you have the SSL standard server; then send the request to your CA.

I'll do other tests for Web Dispatcher using sapgenpse.

Thanks

Nick

Former Member
0 Kudos

Hello,

here are some STRUST screenshots from an SSL PSE used by a SAP Web Dispatcher.

Before signature by our internal CA PKI.

After signature, you can see that we have 2 dNSNames in the Subject (Alt.) field.

Of course your CA PKI must be configured to sign certificates with SANs.

For the first time, I had to ask the CA PKI team to change their configuration for my need.

This is now a routine procedure in my company and we can have EEC6 systems artificially in the same domain as the SAP Portal and therefore avoid the "same origin policy" problems.

Best Regards,

Olivier

nicola_blasi
Active Participant
0 Kudos

Hi Olivier

For now we don't need these SANs in our system; anyway, to bypass the CA PKI tool we made a request as you described in the screenshots. We have the Subject (Alt.) field empty but it doesn't matter for now.

The problem will be for systems that need these alternative names, and I think the CA PKI should be configured. I hope they will understand, because until now there has been no help from them.

Just to fix the problem through sapgenpse as well, we made a new request to send to the CA using the following options:

sapgenpse gen_pse -p SID.pse -s 2048 -r SID2048.txt -x pwd

get_pse: Distinguished name of PSE owner:CN=xxxxx.xxxxxx.xocal, OU=I00200xx148, OU=SAP Web AS, O=SAP Trust Community, SP=RM;CN=xxxxx.xxxxxxx.xocal, OU=I00200xx148, OU=SAP Web AS, O=SAP Trust Community, SP=RM

The same string is repeated twice, and this trick worked for the CA tool.

Thanks

Nick
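
A request built by repeating the DN can still end up with an empty Subject (Alt.) field, as reported in this thread, so it is worth inspecting the request file before it goes to the CA. The sketch below is an added example, not part of the original posts and not SAP code; it assumes the request file (SID2048.txt above) is a PEM-encoded PKCS#10 request, and the helper names and sample host names are constructed for illustration.

```python
import base64
import re

# DER encoding of OID 2.5.29.17 (subjectAltName)
SAN_OID = bytes([0x06, 0x03, 0x55, 0x1D, 0x11])

def pem_to_der(pem):
    """Strip PEM armour and whitespace, return the raw DER bytes."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", pem))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(der):
    """Return the dNSName entries of the SAN extension, or [] if there is none."""
    idx = der.find(SAN_OID)  # byte search instead of a full PKCS#10 walk
    if idx < 0:
        return []
    tag, value, pos = read_tlv(der, idx + len(SAN_OID))
    if tag == 0x01:  # optional BOOLEAN "critical" flag
        tag, value, pos = read_tlv(der, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING after the SAN OID")
    tag, names, _ = read_tlv(value, 0)  # GeneralNames SEQUENCE
    if tag != 0x30:
        raise ValueError("expected GeneralNames SEQUENCE")
    found, p = [], 0
    while p < len(names):
        tag, val, p = read_tlv(names, p)
        if tag == 0x82:  # [2] IMPLICIT IA5String = dNSName
            found.append(val.decode("ascii"))
    return found

def tlv(tag, content):
    """Encode one short-form DER element (content under 128 bytes)."""
    return bytes([tag, len(content)]) + content

def sample_request(hosts):
    """Constructed stand-in for a request: only the extension nesting is built."""
    names = b"".join(tlv(0x82, h.encode("ascii")) for h in hosts)
    return tlv(0x30, tlv(0x30, SAN_OID + tlv(0x04, tlv(0x30, names))))
```

Calling `san_dns_names(pem_to_der(open("SID2048.txt").read()))` on the real file lists the DNS names the CA will see; an empty list means the request carries no SAN and the CA would have to add it on its side.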

Answers (1)

Former Member
0 Kudos

It might be possible with STRUST as well, it depends on your SAP version. See this discussion thread for details.

nicola_blasi
Active Participant
0 Kudos

Thanks Samuli

I've read the thread, and I have the latest cryptolib and a 7.20 kernel.

Anyway, in STRUST when I try to create the certificate, I don't find anything regarding SubjectAltNames.

Do you have a screenshot to show me where I should find it?

Thanks

Nick

Former Member
0 Kudos

I believe it's SAP_BASIS that determines if you have Subject (Alt) field in STRUST or not. The field is between the Owner and the Issuer fields. I see it at least in NW731 SPS04.

nicola_blasi
Active Participant
0 Kudos

OK, I understand, and I have that field in my system too.

Not 7.31...

Owner            CN=qo1xxx.sapmi.telecomitalia.local, OU=I0020270638, OU=SAxxxxxxxxxxxxxx

Subject (Alt.)

Issuer           CN=qo1xxxxxx.sapmi.telecomitalia.local, OU=I0020270638, OU=SAxxxxxxxxxxxxxxxx

Serial Number (Hex.) 20:14:03:18:13:25:10xxxxxxxxxxxxxxx

Serial Number (Dec.) 9029202776106256xxxxxxxxxxxx

and the field is empty. My question is: how can I create a certificate that also includes at least one alternative name? That way I can make the request to my certificator team (CA).

Thanks

Nick

Former Member
0 Kudos

As Olivier wrote in the other discussion thread, simply enter both DNs in the Subject (Alt.) field separated by a semicolon:

Subject (Alt.) -> CN=qo1xxx.sapmi.telecomitalia.local, OU=I0020270638, OU=SAxxxxxxxxxxxxxx;CN=qo1yyy.sapmi.telecomitalia.local, OU=I0020270638, OU=SAyyyyyyyyyyyyyy

nicola_blasi
Active Participant
0 Kudos

Some screenshots from when I create the SSL server standard:

DN:

CN=xxxxxdb.sapmi.telecomitalia.local, OU=I0020270638, OU=SAP Web AS, O=SAP Trust Community, C=DE, SP=RM;CN=yyyyydb.sapmi.telecomitalia.local, OU=I0020270638, OU=SAP Web AS, O=SAP Trust Community, C=DE, SP=RM

In the owner I have the two CNs, but Subject (Alt.) is always empty.

There is probably something I don't understand in the procedure.

Thanks

Nick

Former Member
0 Kudos

No idea, it's not obvious to me either. You could ask Olivier since he has done it.