cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Validity of certificate with PSE type >server SSL< ends in 2 days

Go to solution
Former Member

on ‎08-27-2015 6:50 PM

0 Kudos

Hi community

we have next SAP System: 

  • SAP CRM ABAP 7.0, Windows Server 2008 R2,, Sql Server 2008 R2, High availability with two Instances in Windows Cluster.

Today SAP Logon is showing next message:

Validity of certificate with PSE type >server SSL< ends in 2 days

I know this is because a certificate will expire soon however I have some doubts about the process to generate a new certificate.

If I go to tcode strust I can see next screenshot:

I was expecting find the current SSL certificate however I can't see nothing.

If I execute the report: "SSF_ALERT_CERTEXPIRE"

I see next screenshot:

So I'm not sure which is the certificate that I have to replace and  what could be the correct steps

thanks in advance.

best regards

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

guilherme_deoliveira
Participant
‎08-27-2015 11:24 PM

Hello Alfredo,

Which is the value of your SECUDIR environment variable? Please, check in this folder (the SECUDIR folder) if you have any PSE rather than SAPSYS.pse... if you have SAPSSL* pses, then it is probably these pses that have the certificate expired but they're not maintained in STRUST.

You can also double check in table SSF_PSE_H if you have any SAPSSL* pse there as well.

I hope this guides you.

Best Regards,
Guilherme de Oliveira
SAP Active Global Support

Show replies
Show replies
Former Member
‎08-28-2015 12:07 AM
0 Kudos

thanks  Guilherme

I have checked  the SECUDIR folder and you have reason I have next files:

cred_v2

LasVerify.pse

OLDSAPSSLS.pse

SAP_AGS_OLCNT_VERIFY.pse

SAPSSLS.pse

SAPSYS.pse

ticket

and in SSF_PSE_H table I have just  two entries

SAP_AGS_OLCNT_VERIFY.pse

SAPSYS.pse

so where I could generate the new cert request for SAPSSLS.pse?

best regards

guilherme_deoliveira
Participant
‎08-28-2015 12:10 AM
0 Kudos

Hello Alfredo,

Now you can either backup this SAPSSLS.pse in another folder and create a new one via STRUST or you can import this PSE file in STRUST, save it as SSL Server PSE and then renew the certificate from STRUST itself.

Notice that this does not mean that the certificate of PSE is about to expire, it can also be any certificate imported in the Certificate List of the PSE as well.

I hope this clarifies.

Best Regards,

Guilherme de Oliveira
SAP Active Global Support

Former Member
‎08-28-2015 12:52 AM
0 Kudos

Excellent

I'm  trying with the second option but I can't save the import certificate

I'm in tcode strust > SSL standar Server > PSE > Import > SAPSSL.pse > cert is loaded >and save

but the cert is not being saved

do you have any idea?

best regards

guilherme_deoliveira
Participant
‎08-28-2015 5:20 PM
0 Kudos

Hello Alfredo,

Go to STRUST -> Double click on File node -> Import the PSE -> Menu PSE -> Save As -> SSL Server PSE.

This should work.

Best Regards,

Guilherme de Oliveira

SAP Active Global Support

Former Member
‎08-28-2015 5:54 PM
0 Kudos

Thanks a lot Guillherme it worked

now I have one doubt more,  we have two instances in High Avalaibility,  so we have two secudir folders each one in respective Server and path and each one has a SSL.PSE referenced to the name of server node.

but strust just allow load one cert  if I try load the second the other is substituted,

do you have any idea?

best regards

guilherme_deoliveira
Participant
‎09-01-2015 2:25 PM
0 Kudos

Hello Alfredo,

I'm not sure if I correctly understood your question... By load the certificate you mean the PSE's certificate (importing a certificate response) or you mean importing a certificate into the PSE's Certificate List?

Notice that if you want to load different signed CN names for different instances, then the CA-signed certificate responses must be different as well.

I'll be waiting for more information to be able to provide you a better answer.

Best Regards,

Guilherme de Oliveira

SAP Active Global Support

Answers (1)

Answers (1)

former_member188883
Active Contributor
‎08-27-2015 10:09 PM
0 Kudos

Hi Alfredo,

Please check the certificate details in STRUSTSSO2.

Regards,

Deepak Kori

Show replies
Show replies
Former Member
‎08-27-2015 10:36 PM
0 Kudos

Hi Deepak

tcode STRUSTSSO2 looks very similar to the STRUST, but in both cases I can't see what is the certificate that I have to change,

the message of error said that the type is:

SSL Server

however  STRUST or STRUSTSSO2  "SSL Server Standard"   does't have a current certificate,

where I should generate the cert request to substitute the other one?

best regards

former_member188883
Active Contributor
‎08-27-2015 11:09 PM
0 Kudos

Hi Alfredo,

From 1st image I see some message about PSE file not loading properly.

Could you check SM21 for more details for this certificate.

From 2nd image I see that you have a Portal certificate applied here. please check validity for the same as well.

Regards,

Deepak Kori

Ask a Question