on 04-11-2016 5:52 PM
Hi All,
We have bank interfaces integrated with PI in our landscape. Our system certificates are going to expire soon. We need to renew the certificates so that we can share the renewed public certificate with the bank and use the renewed private key to decrypt the message.
Can anyone please let me know how exactly we can renew the certificates in NWA?
Thanks in advance,
Ankit
Hello Ankit,
Please follow the below link to re-load your new certificates. You need to generate a CSR (Certificate Signing Request) and give it to your CA Authority. And then upload the response under the view ICM_SSL_<SID>.
http://scn.sap.com/docs/DOC-26145
@Raghu - The link suggested by you is for uploading 3rd party certificates. I guess Ankit is looking to renew SAP PI system certificates.
Regards,
Nitin
Hi Nitin,
I have gone through the link. In my case it is not about SSL certificate renewal (it is about renewing our certificates present under WebServiceSecurity), but I guess the same process will follow.
In point no. 8, it is mentioned to send it to the CA for entrusted certificates. Please let me know what the process is for that; do I really need to get 3 certificates from the CA? I doubt it, because we have only public and private key/certificates currently present under WebServiceSecurity.
Is there anything that I am missing? I just need to renew the existing certificates.
Thanks,
Ankit
Hi Nitin,
I created the new certificates by following the steps until step 6. But I don't see the below key usage parameters in certificate extensions which were present in earlier deployed certificate as below.
Certificate extensions :
[critical]
KeyUsage: digitalSignature | keyEncipherment | dataEncipherment
Do you know how these parameters can be made available? Currently, after creating the new certificate, it is blank.
Certificate extensions :
[critical]
Thanks,
Ankit
Hi Ankit,
You need to create a new key. Please follow the below SAP help link for creating it -
Creating a Key Pair and Public-Key Certificate and Signing It - System Security - SAP Library
Please let me know if you face any problem.
Regards,
Nitin
Hi Nitin,
I tried as you suggested but still the key usage fields are empty.
Certificate extensions :
[critical]
Key Usage:
Does it have something to do with the CA? After we send the CSR request to the CA, will those entries get populated based on the CSR response?
Also, how can we send it to the CA? Is there any link or email ID to which we need to send the CSR request?
Thanks,
Ankit
Hello Ankit,
I will try in my system and let you know why you are facing the above mentioned properly.
Getting the certificates CA signed is chargeable. You can get it CA signed through SAP or any 3rd parties like DigiCert etc.
Please find the below links for more information on the same -
http://help.sap.com/saphelp_nwpi711/helpdata/en/49/3d9c9619341067e10000000a42189c/content.htm
Regards,
Nitin
Hi Nitin,
Ok thanks. I was just mulling over that in the existing installed certificates (both public and private), I could see those parameters, I am not sure how they got populated and if there is any significance of those parameters at all. Is anyone aware of these parameters?
KeyUsage: digitalSignature | keyEncipherment | dataEncipherment
Can I go ahead and share the new public certificate with the bank that we have created?
Also, another point from my side: as you know, we have created the new certificates (they have different names). Can I go ahead and delete the old certificates and rename the new certificates to the same names as the old certificates? It would save the effort of making changes in the communication channel in terms of key names.
Thanks,
Ankit
- Please check the as-is certificates -> Are they signed by a CA or are they self-signed certificates? You can find that easily by exporting the public certificate and then checking if it has the certificate chain.
- Is this a productive environment / QA? In my opinion, if you are doing a real partner integration, the certificates would have been signed by a CA.
- Do not delete your existing certificates (at least as of now). Even if you want to remove obsolete entries, export the Private Key / Public key and keep them in a secure location, at least as a backup.
Regards
Bhavesh
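
Added example (not part of the original thread and not SAP tooling): one way to run the check suggested above on an exported public certificate, and to see whether the KeyUsage extension discussed earlier is present, using the OpenSSL command line. It assumes the certificate has been exported as PEM; the sample certificates, file names, CN values and helper function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; every name below is constructed, nothing comes from the thread's system.

# make_cert DIR NAME [KEYUSAGE]: create a constructed self-signed test certificate.
# KEYUSAGE is an OpenSSL keyUsage value list; empty means "no KeyUsage extension".
make_cert() {
  local dir="$1" name="$2" ku="$3"
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ext\n'
    printf '[dn]\nCN = %s\n[ext]\nsubjectKeyIdentifier = hash\n' "$name"
    if [ -n "$ku" ]; then printf 'keyUsage = critical, %s\n' "$ku"; fi
  } > "$dir/$name.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/$name.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# is_self_issued CERT: true when subject and issuer names are identical,
# which is what a self-signed certificate looks like. A CA-signed
# certificate names the CA as issuer instead.
is_self_issued() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ]
}

# key_usage CERT: print the KeyUsage values, or nothing if the extension is absent
# (the "blank" case reported in the thread).
key_usage() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' \
    | tail -n1 | sed 's/^ *//; s/ *$//'
}

# Demo on two constructed certificates: one with the KeyUsage from the thread, one without.
tmp=$(mktemp -d)
make_cert "$tmp" with-ku "digitalSignature, keyEncipherment, dataEncipherment"
make_cert "$tmp" no-ku ""
for c in with-ku no-ku; do
  if is_self_issued "$tmp/$c.pem"; then kind="self-signed"; else kind="issued by a CA"; fi
  echo "$c: $kind; KeyUsage: $(key_usage "$tmp/$c.pem")"
done
```

Running the same two functions against the old and the new exported certificate shows side by side whether the issuer and the KeyUsage values match before the new public certificate is handed to a partner.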
Can anyone please suggest?