on 03-18-2014 10:29 AM
Hello
In my company, from 1 January 2014, they want at least one SAN in a certificate renewal request; it can be the same as the CN field.
In other systems where we needed more SANs, we created the request and gave it to the certificator, also giving the other DNS names.
Now they want them in the request itself.
I don't think this is possible in sapgenpse. Perhaps with openssl, but it is a non-SAP tool and I don't want to use it for now.
I've downloaded the latest sapcryptolib but I didn't find a solution.
Any idea?
Thanks
Nick
Hi
There is a way to create a certification request in STRUST with at least one subject alternative name. Samuli pointed me in the right direction.
We can recreate the SSL standard server:
Define the hostname instead of "*" and click on 'modify'.
Copy the string, then at the end of it write " ; " and paste the same string. If you need to, you can change the hostname. In my case I left it the same because I don't need it; it is only to generate the certificate without errors.
Press Enter and then Enter again, and you have the SSL standard server; then send the request to your CA.
I'll do other tests for Web Dispatcher using sapgenpse.
Thanks
Nick
Hello,
here are some STRUST screenshots from an SSL PSE used by a SAP Web Dispatcher.
Before signature by our internal CA PKI.
After signature, you can see that we have 2 dNSNames in the Subject (Alt.) field.
Of course your CA PKI must be configured to sign certificates with SANs.
For the first time, I had to ask the CA PKI team to change their configuration for my need.
This is now a routine procedure in my company and we can have EEC6 systems artificially in the same domain as the SAP Portal and therefore avoid the "same origin policy" problems.
Best Regards,
Olivier
Hi Olivier
For now we don't need these SANs in our system; anyway, to get past the CA PKI tool we made a request as you described in the screenshots. We have the Subject (Alt.) field empty but it doesn't matter for now.
The problem will be for systems that need these alternative names, and I think the CA PKI should be configured. I hope they will understand, because until now there has been no help from them.
Just to fix the problem through sapgenpse as well, we made a new request to send to the CA using the following options:
sapgenpse gen_pse -p SID.pse -s 2048 -r SID2048.txt -x pwd
get_pse: Distinguished name of PSE owner:CN=xxxxx.xxxxxx.xocal, OU=I00200xx148, OU=SAP Web AS, O=SAP Trust Community, SP=RM;CN=xxxxx.xxxxxxx.xocal, OU=I00200xx148, OU=SAP Web AS, O=SAP Trust Community, SP=RM
The same string repeated twice, and this workaround worked for the CA tool.
Thanks
Nick
It might be possible with STRUST as well, it depends on your SAP version. See this discussion thread for details.
OK, I understand, and I have that field in my system as well.
not 7.31...
Owner: CN=qo1xxx.sapmi.telecomitalia.local, OU=I0020270638, OU=SAxxxxxxxxxxxxxx
Subject (Alt.):
Issuer: CN=qo1xxxxxx.sapmi.telecomitalia.local, OU=I0020270638, OU=SAxxxxxxxxxxxxxxxx
Serial Number (Hex.): 20:14:03:18:13:25:10xxxxxxxxxxxxxxx
Serial Number (Dec.): 9029202776106256xxxxxxxxxxxx
and the field is empty. My question is: how can I create a certificate that also includes at least one alternative name? That way I can make the request to my CA team.
Thanks
Nick
Some screenshots from when I create the SSL server standard:
DN:
CN=xxxxxdb.sapmi.telecomitalia.local, OU=I0020270638, OU=SAP Web AS, O=SAP Trust Community, C=DE, SP=RM;CN=yyyyydb.sapmi.telecomitalia.local, OU=I0020270638, OU=SAP Web AS, O=SAP Trust Community, C=DE, SP=RM
In the owner I have the two CNs but Subject (Alt.) is always empty.
There is probably something I don't understand in the procedure.
Thanks
Nick
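Added example (not part of any post in this thread, and not SAP code): a standard-library Python check that a request file, assumed to be a PEM or DER PKCS#10 request such as the one written by `sapgenpse gen_pse -r`, actually carries subjectAltName dNSName entries before it goes to the CA. `sample_request` builds a constructed, unsigned skeleton for demonstration only, and all function names are illustrative.

```python
import base64

SAN_OID = bytes.fromhex("551d11")                    # 2.5.29.17 subjectAltName
EXT_REQ_OID = bytes.fromhex("2a864886f70d01090e")    # PKCS#9 extensionRequest

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each DER element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def find_san(value):
    """Depth-first search for the Extension whose extnID is subjectAltName."""
    items = list(children(value))
    if items and items[0] == (0x06, SAN_OID):
        return items[-1][1]                          # extnValue (OCTET STRING body)
    for tag, val in items:
        if tag & 0x20:                               # constructed element: descend
            found = find_san(val)
            if found is not None:
                return found
    return None

def san_dns_names(csr):
    """Return the dNSName entries requested in a PEM or DER PKCS#10 CSR."""
    if csr.lstrip().startswith(b"-----BEGIN"):
        body = [l.strip() for l in csr.splitlines() if not l.startswith(b"-----")]
        csr = base64.b64decode(b"".join(body))
    ext = find_san(csr)
    if ext is None:
        return []                                    # no SAN in the request
    _, general_names, _ = read_tlv(ext, 0)           # SEQUENCE OF GeneralName
    return [v.decode("ascii") for t, v in children(general_names) if t == 0x82]

def tlv(tag, *parts):                                # encoder for the constructed sample
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body            # short-form length only (< 128)

def sample_request(names):
    """Constructed, unsigned skeleton shaped like a CSR; no real key or signature."""
    attrs = b""
    if names:
        san = tlv(0x30, *[tlv(0x82, n.encode()) for n in names])
        ext = tlv(0x30, tlv(0x06, SAN_OID), tlv(0x04, san))
        attrs = tlv(0x30, tlv(0x06, EXT_REQ_OID), tlv(0x31, tlv(0x30, ext)))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x00"), tlv(0x30), tlv(0xA0, attrs)))
```

On a real request file, call `san_dns_names(open("SID2048.txt", "rb").read())`; an empty list means the request carries no SAN, whatever the owner DN shows.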