on 11-20-2014 6:01 PM
Hi All,
I am trying to access a webshop on portal which is using HTTPS service.
SSL is enabled. Log on is successful, but when we try to navigate inside the webshop, we are getting
"Peer certificate rejected by ChainVerifier".
We have Netweaver 701 EP
Backup is ECC 6.0
SAP ABAP CRM 7.0
Oracle 11g
I don't seem to find any error log/trace regarding this. Is this SSO related or SSL?
I have checked the validity of SSL certificate and it is fine.
I have already checked the following post on the issue
http://scn.sap.com/thread/1000720
But the instructions of note 694290 to import the certificate chain should not be valid for Portal 701.
Can you point me to the root cause so I can resolve this?
Thanks,
rakesh
Hi Rakesh,
You will get this error generally when SSL certificate chain is incomplete.
I had this issue in past for external interface from PI.
The issue was solved after importing Root and Intermediate certificates of original SSL certificate to Visual Admin Trusted CA.
If you are using an SSL certificate issued by any Trusted CA, you can get their root and intermediate certificates from the same SSL certificate. Open the certificate, navigate to the certificate path, click on each parent certificate and click on View Certificate. In the new window, you can go to Details and use the Copy to File option to download.
Regards,
Sharath.
Thank you sharath for your response.
Can you please specify the steps to import the intermediate and root certificate which I already have?
Correct me if I am wrong:
1. Go to Visual Admin with administrator/password
2. server -> services -> key storage -> TrustedCAs
Can you tell me what option is correct to import my intermediate/root certs?
My guess is Load.
Thanks,
Rakesh
Hi Rakesh,
The visual admin path you mentioned is correct. You might have your SSL certificate like below.
Select each entry except the last one and click on View Certificate. You will get another certificate pop-up in which you can go to the Details tab and click on Copy to File. Using the wizard you can save that certificate to a file. You can select Base-64 while saving.
Use above process to save all certificates and move them to server and import to Visual Admin - Trusted CAs View.
Regards,
Sharath.
Thanks Again...
I have been able to find the root cause of my issue.
The intermediate/Root chain is not properly imported.
See the original setup:
And now see the faulty, cloned setup:
But the question remains: how do I import just the intermediate and root certificates which I have copied from the original setup?
My question is, how can I import my intermediate and root certs in key storage? Which option to select?
Maybe a silly question, but I need your help.
Thanks,
Rakesh
Sharath one last time I need to bug you 🙂
My quest for solution isn't finished yet:-(
I have 3 files: server.crt, intermediate.crt, root.cert
Now when I go to VA --> key storage --> TrustedCA:
When I click on Load, the file selector pops up and I select server.crt and it is loaded. I again click on Load, the file selector pops up and I select Intermediate.crt, and next I click on Load and select root.crt
Now I have three entries in key storage -->TrustedCAs which doesn't seem right.
I think I have messed up somewhere?
How much I want to apply 694290 - SAP J2EE: react on expiration of VeriSign CA certificates to my case which is SAP J2EE /7....
which seems to be the solution to my problem,
But not sure how this applies to my case.
Regards,
rakesh
Hi Rakesh,
service_ssl is used to store your own system's SSL certificates. TrustedCA will contain the certificates from various Certificate Authorities.
To better understand the issue, increase the trace level to debug for location for which you are getting the error and reproduce the issue. Then attach the complete default trace. Increased trace level will show which SSL certificate is missing in the chain.
Regards,
Sharath.
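An added example, not part of the thread and not SAP tooling: one way to check offline with OpenSSL whether a given set of CA files completes the chain for a server certificate before loading them into TrustedCAs. All certificates are constructed throwaway ones, and the function names (`make_demo_chain`, `chain_complete`, `dn`, `missing_issuer`, `report`) are hypothetical.

```shell
# Constructed demo: a throwaway root -> intermediate -> server chain stands in for the thread's files.
make_demo_chain() {
    DEMO=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\n' > "$DEMO/ca.ext"
    for n in root intermediate server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed $n" \
            -keyout "$DEMO/$n.key" -out "$DEMO/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$DEMO/root.csr" -signkey "$DEMO/root.key" -days 2 \
        -extfile "$DEMO/ca.ext" -out "$DEMO/root.crt" 2>/dev/null
    openssl x509 -req -in "$DEMO/intermediate.csr" -CA "$DEMO/root.crt" \
        -CAkey "$DEMO/root.key" -CAcreateserial -days 2 \
        -extfile "$DEMO/ca.ext" -out "$DEMO/intermediate.crt" 2>/dev/null
    openssl x509 -req -in "$DEMO/server.csr" -CA "$DEMO/intermediate.crt" \
        -CAkey "$DEMO/intermediate.key" -CAcreateserial -days 2 \
        -out "$DEMO/server.crt" 2>/dev/null
}
# Succeeds only if LEAF verifies against the given trusted CA files.
chain_complete() {
    leaf=$1; shift
    bundle=$(mktemp)
    cat "$@" /dev/null > "$bundle"
    if openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$bundle"
    return "$rc"
}
dn() { openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"; }
# Walks issuer names up from LEAF; prints the first issuer DN no CA file supplies (nothing at a self-signed root).
missing_issuer() {
    cur=$1; shift
    while [ "$(dn "$cur" subject)" != "$(dn "$cur" issuer)" ]; do
        next=
        for f in "$@"; do
            if [ "$(dn "$f" subject)" = "$(dn "$cur" issuer)" ]; then next=$f; fi
        done
        if [ -z "$next" ]; then dn "$cur" issuer; return 0; fi
        cur=$next
    done
}
report() {
    label=$1; shift
    if chain_complete "$DEMO/server.crt" "$@"; then echo "$label: chain complete"
    else echo "$label: missing $(missing_issuer "$DEMO/server.crt" "$@")"; fi
}
make_demo_chain
report "root only" "$DEMO/root.crt"
report "intermediate only" "$DEMO/intermediate.crt"
report "intermediate + root" "$DEMO/intermediate.crt" "$DEMO/root.crt"
rm -rf "$DEMO"
```

Only the run with both the intermediate and the root reports a complete chain; the other two name the issuer that is absent from the trusted set.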