04-13-2007 7:52 AM
Hello,
We obtained a *.domain.nl certificate which we successfully implemented on our mail servers etc. Now we also want to use the same certificate(s) for SAP. But how can you make https work correctly, importing this certificate, without having an export from SAP in STRUST? The SAP system has a domain name within *.domain.nl.
With regards,
Frank Roels
04-13-2007 8:43 AM
Frank,
I don't think this is a good idea. It's better to have a separate certificate for each SAP server.
Assuming that the mail certificate is in PKCS#12 format:
1. Download and install the SAP Crypto Library.
2. Use the command-line tool sapgenpse to convert the PKCS#12 file into the .pse format.
3. Import the PSE file into SAP using the transaction STRUST.
I am Dutch but live and work in Germany and the company I work for is doing consulting for this type of problem (look at www.secude-consulting.com).
Cheers,
Sietze
04-13-2007 10:03 AM
Hello Sietze,
The steps you mention, are those for reusing the certificate? So I can use the exported certificate from the other server and convert it to PSE format.
And then: I have to delete the current PSE and import the generated one?
With regards,
Frank (Dutch) Roels
04-13-2007 10:47 AM
Frank,
This is for reusing the certificate.
Please check the following points:
You also need the private key associated with the certificate (that should be in the PKCS#12 file).
Browsers check the CN part with the domain name of the machine contacted. This entry must be the same. This will not work if you're reusing certificates obviously.
You can leave the System PSE alone as this one will not be used for https connections. After you install the SAP Crypto Library you will see more PSE types in STRUST.
Regards,
Sietze
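Added example (not part of the original thread): the name check mentioned in the post above, as it is commonly applied to a wildcard name, so you can confirm before importing into STRUST that each SAP host's FQDN is covered by `*.domain.nl`. The host names are constructed, and the matching rules are an assumption based on usual RFC 6125 behaviour (wildcard only as the whole left-most label, covering exactly one label).

```python
from __future__ import annotations

# Added example: wildcard certificate name matching, standard library only.
# All host names below are constructed for illustration.


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().rstrip(".").lower().split(".")


def name_matches(cert_name: str, host: str) -> bool:
    """True if cert_name (CN or SAN dNSName) covers host."""
    pattern, target = _labels(cert_name), _labels(host)
    if len(pattern) != len(target) or "" in pattern or "" in target:
        return False                      # a wildcard never spans extra labels
    if "*" not in cert_name:
        return pattern == target          # plain name: exact match only
    # The wildcard must be the entire left-most label and appear only once.
    if pattern[0] != "*" or any("*" in lbl for lbl in pattern[1:]):
        return False
    if len(pattern) < 3:
        return False                      # reject over-broad names like *.nl
    return pattern[1:] == target[1:]


def uncovered_hosts(cert_names: list[str], hosts: list[str]) -> list[str]:
    """Hosts that no name in the certificate covers."""
    return [h for h in hosts
            if not any(name_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    names = ["*.domain.nl"]                       # name on the certificate
    sap_hosts = ["sap.domain.nl",                 # constructed host names
                 "SAP.Domain.NL",
                 "sap.prod.domain.nl",
                 "domain.nl"]
    for h in sap_hosts:
        print(f"{h:22} covered={not uncovered_hosts(names, [h])}")
```

A host one level deeper (`sap.prod.domain.nl`) or the bare domain is not covered, so the URL users type for the SAP system must be a direct child of `domain.nl`.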
04-13-2007 12:10 PM
Hi Sietze,
Thank you for this info.
I already have the SAP Crypto installed. I see the Server SSL-PSE option along with client etc. So I meant to delete the Server SSL-PSE.
Then I generate the PSE from the exported private key from the other server. I import it via the function file (and then it will be automatically placed in the Server-SSL-PSE???). After this I can import the certificate!
Is this all correct?
I will try this tonight because I am at another client and will reward the points.
With regards,
Frank
04-13-2007 12:31 PM
Frank:
Under the "File" menu, there is an option "save as...". In the next dialogue box you can then specify where the PSE needs to be saved to.
Cheers,
Sietze
04-16-2007 8:54 PM
Thank you Sietze,
It's solved. I used the exported certificates. I had to stop and start SAP, and after that it works perfectly.
Thank you very much