on 01-05-2016 9:14 PM
I recently started receiving a notice of an expiring PSE cert when I logged into my BW instance. I ran the SE38 report SSF_ALERT_CERTEXPIRE and saw which one was causing the issue in STRUST.
I have a few questions related to this issue as I've troubleshot how to update the cert.
How do I set the Own Cert to be from my CA rather than a self-signed Cert?
I noticed that for all other PSEs the Own Certificate was self-signed except for the SSL server Standard Node. To get the node to turn back green I had to replace the current Own Certificate but it did it when a self-signed. I also added my local CA's cert to the Certificate List. Is this a problem?
What's the relationship between the Own Certificate and the Certificate List underneath it?
I'm working with my Infrastructure team and they are using a Windows Server CA to generate the cert. Since they aren't familiar with SAP and I'm not familiar with the Microsoft CA tools I'm curious if someone who might know both sides of it could help me navigate both sides of this with my team.
Hello Robert,
How do I set the Own Cert to be from my CA rather than a self-signed Cert?
You have to generate a certificate request through STRUST (there is a "create certificate request" button near the "owner" field).
Then, send this request to your CA and when it sends the response, you import the response back at STRUST.
I noticed that for all other PSEs the Own Certificate was self-signed except for the SSL server Standard Node. To get the node to turn back green I had to replace the current Own Certificate but it did it when a self-signed. I also added my local CA's cert to the Certificate List. Is this a problem?
No. You just need to proceed as indicated in the previous answer.
What's the relationship between the Own Certificate and the Certificate List underneath it?
"Own certificate" is the certificate itself. The certificate that will be presented to the clients, when connecting to SAP (since we are talking about the server certificate).
The "certificate list" underneath is a list of other certificates imported to the server PSE file.
Why would you need to import other certificates there? If a client has to authenticate itself using a certificate, the certificate of the CA that signed the clients' certificates has to be imported to the server PSE, so SAP can confirm the client's identity (which is possible only when you have the certificate of the CA that created the client certificate).
I'm working with my Infrastructure team and they are using a Windows Server CA to generate the cert. Since they aren't familiar with SAP and I'm not familiar with the Microsoft CA tools I'm curious if someone who might know both sides of it could help me navigate both sides of this with my team.
Hand over the certificate request you generated through STRUST to your infrastructure team.
They have to use the Windows CA tools to sign it, and hand over the response to you.
Once you import the response at STRUST, the self-signed certificate will be replaced by your CA signed certificate.
Cheers!
Isaías
Thanks!
You can ask them to provide a "PKCS#7" response. This will include the CA certificate, any intermediate CA certificates and the signed certificate all in one ".cer" file.
If they cannot provide that, a regular "x.509 .cer" file will suffice.
You would just need to copy/paste the CA certificate, any intermediate CA certificates and the signed certificate (all together) at the "import" field of STRUST.
Cheers!
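The signing step on the Windows CA side that the answers above describe, as an added example that is not part of the original posts: it submits the STRUST request with `certreq`, asks for the PKCS#7 chain file, and checks that the response carries the signed certificate together with its CA certificates. The file paths, the CA config string and the `WebServer` template name are assumptions to be replaced with your own values.

```powershell
# Added example: paths, CA config string and template name are assumptions.
$csr      = 'C:\temp\sap_ssl_server.csr'   # request created in STRUST (hypothetical path)
$cer      = 'C:\temp\sap_ssl_server.cer'   # output: signed certificate only (X.509)
$p7b      = 'C:\temp\sap_ssl_server.p7b'   # output: PKCS#7 with certificate plus CA chain
$caConfig = 'CA-HOST\Example-Issuing-CA'   # placeholder for "<CA server>\<CA name>"
$template = 'WebServer'                    # assumption: a server-authentication template

if (-not (Test-Path $csr)) { throw "Request file not found: $csr" }

# Submit the request; the second output file receives the PKCS#7 chain.
certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" $csr $cer $p7b
if ($LASTEXITCODE -ne 0) { throw "certreq exited with code $LASTEXITCODE" }
if (-not (Test-Path $p7b)) {
    throw 'No chain file written; the request may be pending approval on the CA.'
}

# Load the PKCS#7 response and list every certificate it carries.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($p7b)
$bundle | Format-List Subject, Issuer, NotAfter

# Each certificate's issuer should also be in the file, up to a self-signed root.
$subjects = $bundle | ForEach-Object { $_.Subject }
foreach ($c in $bundle) {
    if ($subjects -notcontains $c.Issuer) {
        Write-Warning "Issuer missing from response: $($c.Issuer)"
    }
}
if (-not ($bundle | Where-Object { $_.Subject -eq $_.Issuer })) {
    Write-Warning 'No self-signed root CA certificate in the response.'
}
```

Run it from a machine that can reach the CA, under an account allowed to enroll on the chosen template; the resulting `.p7b` is the response to import in STRUST.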