
Client Certificate Authentication with Self-signed Certificates

Hi Experts.

I am working with a client who wants to allow access to its AS2 services (SAP B2B Addon) ONLY through X.509 Client Certificate Authentication.

Fig 1.  Just an example of how partners will configure our services.

We've been arguing about whether this option can be used with self-signed certificates (OPTION 1) or if we can ONLY use certificates issued by a Certification Authority (CA) as part of a public-key infrastructure (PKI) or a Trust Center Service (like VeriSign) (OPTION 2).

The following SAP documentation explains that this can be done with OPTION 2:

https://help.sap.com/saphelp_nw70ehp1/helpdata/en/62/881e3e3986f701e10000000a114084/content.htm?frameset=/en/b0/881e3e3986f701e10000000a114084/frameset.htm&current_toc=/en/1c/ad1640033ae569e10000000a155106/plain.htm&node_id=36&show_children=false

https://help.sap.com/saphelp_nw73/helpdata/en/4f/991d85b10c16c7e10000000a42189d/content.htm

Some SAP consultants have said that this can be done with self-signed certificates, but none of them have explained how this can be achieved. We ran the authentication with trusted CA certs and it runs OK! With a self-signed cert it doesn't run (see both logs in the following picture).

I need an official stand from SAP about self-signed certs and certificate authentication, or I need a way to configure this scenario with self-signed certs. Any comments will be appreciated.

Regards
Henry

Former Member replied:

Hey Henry,

Great news, I have a partner that runs exactly this way!  There are a few more things to check.

1. Is the certificate a wildcard (eg "*.abc123.com")?  I have never been able to get a wildcard to work for client authentication.

2. Is the self-signed certificate actually able to be used for client authentication?  It needs to be explicitly defined if you built it in OpenSSL for example.

To check, you can open it in Windows and it should say "Proves your identity to a remote computer."  If it doesn't say that you can also see if Enhanced Key Usage on the Details tab contains "Client Authentication (1.3.6.1.5.5.7.3.2)".  Note: "All issuance policies" or "All application policies" does not necessarily mean that it has client authentication.

I have seen certificates that do not contain that information because of how they were designed.  This command should be able to tell you for sure (it prints the certificate text plus the purposes OpenSSL derives from its extensions):

openssl x509 -in <certificate to check> -purpose -noout -text

I grabbed it from the Stack Overflow question "openssl - how to read the keyusage of a X509 V3 certificate?".

3. Finally, the certificate could be corrupt.  If you're testing internally, you can build a new certificate.  These are the commands that I wrote for the partner to create a self-signed certificate that they use for client authentication.  You may need to retype the commands, sometimes copy/paste messes up the dashes.

Create the cert:

# new RSA-2048 key plus a self-signed certificate valid for 730 days; prompts for the subject and a key passphrase
openssl req -x509 -newkey rsa:2048 -keyout <certkey>.pem -out <certname>.pem -days 730

Add client authentication:

# -addtrust writes an OpenSSL "TRUSTED CERTIFICATE" file with a clientAuth trust setting; without -out it only prints to stdout.
# This trust setting is separate from the Extended Key Usage extension checked in step 2, which is fixed when the cert is created.
openssl x509 -in <certname>.pem -addtrust clientAuth -out <certname>.trusted.pem

Export the private key (keep this safe!):

# bundles the private key and the certificate into a passphrase-protected PKCS#12 file
openssl pkcs12 -export -out <certificate1>.pfx -inkey <certkey>.pem -in <certname>.pem

Get the public key:

# extracts only the certificate (no private key) from the PKCS#12 file; this is what the partner hands to the server side
openssl pkcs12 -in <certificate1>.pfx -clcerts -nokeys -out <public_cert>.pem

Let me know how that goes for you.

Andrew
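As an added illustration, not part of the original thread, the two conditions Andrew's checks come down to, written against Go's crypto/x509: the partner certificate must carry the clientAuth Extended Key Usage, and because a self-signed certificate chains only to itself, the server's trust store must hold that exact certificate rather than an issuing CA. The certificate names and the 730-day lifetime are constructed to mirror the openssl commands above; serverAccepts is a hypothetical stand-in for whatever trust check the AS2 server performs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedClientCert builds a self-signed partner certificate (constructed data) with the given EKU values.
func selfSignedClientCert(cn string, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(730 * 24 * time.Hour), // 730 days, as in the openssl req command
		ExtKeyUsage:  eku,                                  // must include clientAuth (1.3.6.1.5.5.7.3.2)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// serverAccepts does what a TLS server does with a presented client cert: chain it to the trust store and require clientAuth.
func serverAccepts(trusted []*x509.Certificate, presented *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	partner, _ := selfSignedClientCert("as2.partner.example", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println("pinned:", serverAccepts([]*x509.Certificate{partner}, partner), "unpinned:", serverAccepts(nil, partner))
}
```

Go treats a certificate with no EKU extension at all as unrestricted, so the rejection case worth exercising is a certificate whose EKU names only serverAuth; a stricter server may also reject a certificate that omits the extension entirely.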
