How to import https root (*.domain.nl) certificate from other server (STRUST)

f_roels
Participant
0 Kudos

Hello,

We obtained a *.domain.nl certificate which we successfully implemented on our mail servers etc. Now we also want to use the same certificate(s) for SAP. But how can you make https work correctly, importing this certificate, without having an export from SAP in STRUST? The SAP system has a domain name within *.domain.nl.

With regards,

Frank Roels

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Frank,

I don't think this is a good idea. It's better to have a separate certificate for each SAP server.

Assuming that the mail certificate is in PKCS#12 format:

1. Download and install the SAP Crypto Library.

2. Use the command-line tool sapgenpse to convert the PKCS#12 file into the .pse format.

3. Import the pse file into SAP using the Transaction STRUST.

I am Dutch but live and work in Germany and the company I work for is doing consulting for this type of problem (look at www.secude-consulting.com).

Cheers,

Sietze

6 REPLIES 6

0 Kudos

Hello Sietze,

Are the steps you mention for reusing the certificate? So I can use the exported certificate from the other server and convert it to PSE format.

And then: I have to delete the current PSE and import the generated one?

With regards,

Frank (dutch) Roels

0 Kudos

Frank,

This is for reusing the certificate.

Please check the following points:

  • You also need the private key associated with the certificate (that should be in the PKCS#12 file).

  • Browsers check the CN part with the domain name of the machine contacted. This entry must be the same. This will not work if you're reusing certificates obviously.

  • You can leave the System PSE alone as this one will not be used for https connections. After you install the SAP Crypto Library you will see more PSE types in STRUST.

Greetings,

Sietze
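
The host name check mentioned in the reply above, as an added example that is not part of the original thread: it applies the usual RFC 6125-style rule, where a wildcard stands for exactly one left-most label, to names under the thread's `*.domain.nl`. The host names and function names are constructed for illustration.

```python
# Added example: which host names does a *.domain.nl certificate cover?
# Rule applied: a "*" is only accepted as the whole left-most label and
# stands for exactly one label. Host names below are constructed samples.

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or SAN dNSName) covers hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    # One wildcard label replaces one host label, so the counts must be equal.
    if len(pattern) != len(host) or "" in host:
        return False
    first, rest = pattern[0], pattern[1:]
    if first == "*":
        # Require two fixed labels so a name like "*.nl" never matches.
        return len(rest) >= 2 and rest == host[1:]
    if "*" in cert_name:
        return False  # partial or non-left-most wildcards are rejected here
    return pattern == host


def covered(cert_names, hostname: str) -> bool:
    """True if any name in the certificate covers the host name."""
    return any(name_matches(name, hostname) for name in cert_names)


def report(cert_names, hostnames) -> dict:
    """Map each host name to whether the certificate would be accepted for it."""
    return {host: covered(cert_names, host) for host in hostnames}


CERT_NAMES = ["*.domain.nl"]          # names carried by the shared certificate
SAMPLE_HOSTS = [                      # constructed SAP host names
    "sap01.domain.nl",                # one label under domain.nl
    "SAP01.Domain.NL",                # matching is case-insensitive
    "sap01.erp.domain.nl",            # two labels deep
    "domain.nl",                      # the bare domain itself
]

if __name__ == "__main__":
    for host, ok in report(CERT_NAMES, SAMPLE_HOSTS).items():
        print(f"{host:22} {'covered' if ok else 'NOT covered'}")
```

Run it with the fully qualified name users type into the browser for the SAP system; a name that is not covered produces a certificate warning even when the PSE import itself succeeds.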

0 Kudos

Hi Sietze,

Thank you for this info.

I already have the SAP Crypto installed. I see the Server SSL-PSE option along with client etc. So I meant to delete the Server SSL-PSE.

Then I generate the PSE from the exported private key from the other server. I import it via the function file (and then it will be automatically placed in the Server-SSL-PSE???). After this I can import the certificate!

Is this all correct?

I will try this tonight because I am at another client and will reward the points.

With regards,

Frank

0 Kudos

Frank:

Under the "File" menu, there is an option "save as...". In the next dialogue box you can then specify where the PSE needs to be saved to.

Cheers,

Sietze

0 Kudos

Thank you Sietze,

It's solved. I used the exported certificates. I have to stop and start SAP and after that it works perfectly.

Thank you very much