
Problems in NW 7.02 in STRUST Importing Verisign Cert Response

Former Member
0 Kudos

I generated a new Client certificate and sent it to Verisign via our enterprise group and I have received a Verisign certificate.  When I attempt to "Import Certificate Response", I get the following error (Long text):

Issuer certificate missing in database:CN=Symantec Class 3 Secure Server CA - G4, OU=Syma

Message no. TRUST057

Diagnosis

The following issuer certificate is missing from the database or is marked as inactive: CN=Symantec Class 3 Secure Server CA - G4, OU=Syma

Procedure

Store the issuer certificate in the database (menu function Certificate -> Export -> Database) and make sure that the certificate is not marked as inactive (menu function Certificate -> Database).

How can I import the intermediate/primary certificates to resolve this problem?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

I proceeded as follows:

  1. I opened up the certificate as received from Verisign in Windows.
  2. Under details I selected "Copy to File..."
  3. I exported in the format "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" and selected "Include all certificates in the certification path if possible"
  4. Continued to export to the .P7B file (which was now in DER Format).
  5. Opened the new P7B file by double clicking on it.
  6. Exported Each Certificate in the .P7b file to its own .CER file (In Base 64)
  7. Concatenated the .CER files extracted from the .P7B file in this order: Certificate, Intermediate, Root
  8. Copied the concatenated result into STRUST under "Import Certificate Response".

9 REPLIES

Former Member
0 Kudos

With sapgenpse you can do it by specifying all the certificates with -r. I haven't used STRUST to do the same but I think you should be able to import the intermediate and root certificate into the PSE before trying to import the certificate response.

0 Kudos

Thank you for the response.  I'm open to trying it.

Could you give me more details about what command/subcommand to use with sapgenpse?

0 Kudos

To import the certificate response you use the command import_own_cert, see the documentation for details. Specify -c signedcert -r intermediate -r root.

0 Kudos

    bash-3.2$ export SECUDIR=/usr/sap/<SID>/<Instance>/sec
    bash-3.2$ sapgenpse import_own_cert -p <PSENAME> -c /tmp/cert.crt -r /tmp/inter.crt -r /tmp/root.crt
    import_own_cert: Installation of certificate failed
    ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US"
    ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US"

Based on your advice, I think I tried it correctly.

Here is where I downloaded Verisign's Root and Intermediate certs:

Symantec - Knowledge Center - SSL Certificates Sup…

0 Kudos

I guess you don't have the correct root and/or intermediate certificates. You can display each certificate with openssl; the chain has to be intact, meaning the subject of the previous certificate has to match the issuer of the latter. You can also try to combine the root and the intermediate certificates in one file and use a single -r. I can't help any further without seeing the actual certificate files.
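
Added example, not part of the original thread: a POSIX shell function that uses the openssl CLI to run the name-linkage check suggested in the reply above, then writes the certificates in the order the accepted solution uses (Certificate, Intermediate, Root). The function names, the script name and the output file name are hypothetical, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed;
# the function names and file names are hypothetical.

# Print the 8-hex-digit hash of a certificate's subject or issuer name.
name_hash() {   # $1 = subject|issuer   $2 = PEM certificate file
    openssl x509 -in "$2" -noout "-${1}_hash"
}

# check_chain OUT LEAF [INTERMEDIATE...] ROOT
# Verifies issuer -> subject name linkage in the order given and, only if the
# chain is complete, writes the certificates to OUT in that same order.
# This checks names only; it does not verify signatures or validity dates.
check_chain() {
    out=$1; shift
    [ "$#" -ge 1 ] || { echo "usage: check_chain OUT CERT..." >&2; return 1; }
    prev=""
    for cert in "$@"; do
        # Reject anything openssl cannot read as a certificate
        # (for example a CSR or a binary .P7B bundle).
        if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
            echo "Not a readable certificate: $cert" >&2
            return 1
        fi
        if [ -n "$prev" ] &&
           [ "$(name_hash issuer "$prev")" != "$(name_hash subject "$cert")" ]; then
            echo "Chain broken: $cert is not the issuer of $prev. Needed:" >&2
            openssl x509 -in "$prev" -noout -issuer >&2
            return 1
        fi
        prev=$cert
    done
    # The last certificate must be self-issued (a root); otherwise the
    # path stops short of a root and is reported as incomplete.
    if [ "$(name_hash issuer "$prev")" != "$(name_hash subject "$prev")" ]; then
        echo "Incomplete chain, issuer certificate missing:" >&2
        openssl x509 -in "$prev" -noout -issuer >&2
        return 1
    fi
    # Re-emit each certificate as clean Base64 (PEM) in chain order.
    for cert in "$@"; do
        openssl x509 -in "$cert"
    done > "$out"
}

# Stand-alone use: sh check_chain.sh response.pem cert.crt inter.crt root.crt
if [ "$#" -ge 2 ]; then
    check_chain "$@"
fi
```

When a link is missing, the issuer name printed on stderr is the CA certificate that still has to be obtained.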

0 Kudos
Common Name: <redacted>
Subject Alternative Names: <redacted>
Organization: <Redacted>
Organization Unit: <Redacted>
Locality: <Redacted>
State: Michigan
Country: US
Valid From: June 30, 2014
Valid To: July 2, 2015
Issuer: Symantec Class 3 Secure Server CA - G4, Symantec Corporation
Key Size: 2048 bit
Serial Number: 1f35ef327c4407348dbd9a9ee7e21fe7

0 Kudos

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                1f:35:ef:32:7c:44:07:34:8d:bd:9a:9e:e7:e2:1f:e7
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
            Validity
                Not Before: Jul 1 00:00:00 2014 GMT
                Not After : Jul 2 23:59:59 2015 GMT
            Subject: <redacted>
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    DNS:<redacted>
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Certificate Policies:
                    Policy: 2.16.840.1.113733.1.7.54
                      CPS: https://d.symcb.com/cps
                      User Notice:
                        Explicit Text: https://d.symcb.com/rpa
                X509v3 Authority Key Identifier:
                    keyid:5F:60:CF:61:90:55:DF:84:43:14:8A:60:2A:B2:F5:7A:F4:43:18:EF
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://ss.symcb.com/ss.crl
                Authority Information Access:
                    OCSP - URI:http://ss.symcd.com
                    CA Issuers - URI:http://ss.symcb.com/ss.crt
        Signature Algorithm: sha256WithRSAEncryption

Former Member
0 Kudos

The UI is also a bit tricky between the left context pane, the top right work area and the bottom right "clipboard" area for imports / exports.

This has tricked me several times before, although I could see the data in the bottom right pane. You still have to save it after uploading it.

Cheers,

Julius
