cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAN certificates for SAP SSL

Go to solution
former_member277556
Explorer

on ‎03-28-2016 5:03 PM

0 Kudos

Hello,

Can we use SAN ( SubjectAltName ) certificate to attach more than one generated PSE certificates to Root CA?

Currently we have a SAN certificate registered with CN=xxx.domain.com and we were able to import it as a CSR response to SAP Java stack system on the same hostname CN=xxx.domain.com.

Now I need to register another SAP ABAP system with CN=yyy.domain.com. Certificate in root CA is registered and yyy.domain.com added so certificate`s Alt Subject.

It looks like this:

Subject: CN=xxx.domain.com, OU=Domain Control Validated

Subject (Alt.): dNSName=yyy.domain.com

However if I try to apply this certificate response in STRUST transaction I get error: Certificate response does not match PSE. Root CA is imported in to STRUST database.

So my question is can such certificates be used for ABAP/JAVA SAP systems and in SAP Host Agents?

Many thanks for responses!

Mike

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

isaias_freitas
Advisor
Advisor
‎03-28-2016 6:25 PM

Hello Mike,

Each time you generate a certificate request you have to sign this specific request in order to import its specific response.

You cannot generate a request and then import another response you already have signed previously.

This is how certificates work in general, not restricted to SAP software.

Cheers!

Isaías

Show replies
Show replies
former_member277556
Explorer
‎03-30-2016 6:21 PM
0 Kudos

Hi Isaías,

Thanks for the explanation.

So to answer my question. SAN type certificates are supported in SAP landscapes (ABAP,JAVA stack systems, SAP Host agents, HANA and so on.. ) as long as I follow your explanation?

Many thanks,

Mike

cris_hansen
Advisor
Advisor
‎03-31-2016 12:46 AM
0 Kudos

Hi Mike,

If you have a PKCS#12 package with your SAN certificates, then you can use sapgenpse and convert it into a PSE file.

if you don't have such package, then what Isaías mentioned is true - you need to import the response that was created based on your request (otherwise the key pair will not match).

Kind regards,

Cris

isaias_freitas
Advisor
Advisor
‎03-31-2016 12:55 AM
0 Kudos

Hello Mike,

Yes, but notice Cristiano's reply to this thread as well .

Cheers!

Isaías

Answers (0)

Ask a Question