AS2 certificate renewal

Former Member
0 Kudos

Hi All,

We have bank interfaces integrated with PI in our landscape. Our system certificates are going to expire soon. We need to renew the certificates so that we can share the renewed public certificate with the bank and use the renewed private key to decrypt the message.

Can anyone please let me know how exactly we can renew the certificates in NWA?

Thanks in advance,

Ankit

Accepted Solutions (1)

nitindeshpande
Active Contributor
0 Kudos

Hello Ankit,

Please follow the below link to re-load your new certificates. You need to generate a CSR (Certificate Signing Request) and give it to your CA Authority. And then upload the response under the view ICM_SSL_<SID>.

http://scn.sap.com/docs/DOC-26145

@Raghu - The link suggested by you is for uploading 3rd party certificates. I guess Ankit is looking to renew SAP PI system certificates.

Regards,

Nitin

Former Member
0 Kudos

Yes correct Nitin. I am looking to renew SAP PI system certificates. Let me check the link provided by you. Thanks.

former_member186851
Active Contributor
0 Kudos

Ok..Got it Nithin..Thanks for the correction .:)

Former Member
0 Kudos

Hi Nitin,

I have gone through the link. In my case it is not about ssl certificate renewal (it is about renewing our certificates present under WebServiceSecurity) but I guess the same process will follow.

Point no:8, it is mentioned to send it CA for entrusted certificates. Please let me know what is the process for that, do I really need to get 3 certificates from CA? I doubt because we have only public and private key/certificates currently present under WebServiceSecurity.

Is there anything that I am missing? I just need to renew the existing certificates.

Thanks,

Ankit

Former Member
0 Kudos

Any pointers please

nitindeshpande
Active Contributor
0 Kudos

Hi Ankit,

It is not mandatory to have the certificates CA signed. You can use it, without that too. Please go ahead with uploading of the new certificate.

Regards,

Nitin

Former Member
0 Kudos

Hi Nitin,

I created the new certificates by following the steps until step 6. But I don't see the below key usage parameters in certificate extensions which were present in earlier deployed certificate as below.

Certificate extensions      :

   [critical]

         KeyUsage: digitalSignature | keyEncipherment | dataEncipherment

Do you know how these parameters can be made available? Currently, after creating the new certificate, it is blank.

Certificate extensions      :

   [critical]

Thanks,

Ankit

nitindeshpande
Active Contributor
0 Kudos

Hi Ankit,

There is something missed while creating the certificate along with key pair. Can you please try creating it again?

Regards,

Nitin

Former Member
0 Kudos

Hi Nitin,

I did not select the key pair option while creating the certificate. Can you please let me know which key pair should I use, the existing private key? Can we use the existing private key as key pair which is going to expire or there is some other way?

Thanks,

Ankit

nitindeshpande
Active Contributor
0 Kudos

Hi Ankit,

You need to create new key. Please follow the below SAP help link for creating it -

Creating a Key Pair and Public-Key Certificate and Signing It - System Security - SAP Library

Please let me know if you face any problem.

Regards,
Nitin

Former Member
0 Kudos

Hi Nitin,

I tried as you suggested but still the key usage fields are empty.

Certificate extensions      :

   [critical]

Key Usage:

Does it have something to do with CA? After we send CSR request to CA then based on CSR response those entries will get populated?

Also, how we can send it to CA. Is there any link or email id that we need to send CSR request to CA?

Thanks,

Ankit

nitindeshpande
Active Contributor
0 Kudos

Hello Ankit,

I will try in my system and let you know why you are facing the above mentioned properly.

Getting the certificates CA signed is chargeable. You can get it CA signed through SAP or any 3rd parties like DigiCert etc.

Please find the below links for more information on the same -

http://help.sap.com/saphelp_nwpi711/helpdata/en/49/3d9c9619341067e10000000a42189c/content.htm

https://support.sap.com/tcs

https://support.sap.com/support-programs-services/services/trust-center/ssl-server-certificates.html...


Regards,

Nitin

nitindeshpande
Active Contributor
0 Kudos

Hello Ankit,

I tried creating a certificate key pair now and I also got the same entry in certificate extensions. Also I checked the SSL certificates, which are blank too in the certificate extensions field. Hence you need not worry about this.

Regards,

Nitin

Former Member
0 Kudos

Hi Nitin,

Ok thanks. I was just mulling over that in the existing installed certificates (both public and private), I could see those parameters, I am not sure how they got populated and if there is any significance of those parameters at all. Is anyone aware of these parameters?

KeyUsage: digitalSignature | keyEncipherment | dataEncipherment

Can I go ahead and share the new public certificate with the bank that we have created?

Also another point from my side, as you know we have created the new certificates (they have different names, can I go ahead to delete the old certificates and rename the new certificates created by the same name of old certificates. It would save the effort for making the changes in communication channel in terms of key names?)

Thanks,

Ankit

Former Member
0 Kudos

Anyone having insight please?

nitindeshpande
Active Contributor
0 Kudos

Hello Ankit,

This question I cannot really answer from PI end. It's completely related to Network Security and maybe your Basis team can help you with this.

But I guess this should not be a problem. You can go ahead and provide the certificates.

Regards,

Nitin

bhavesh_kantilal
Active Contributor
0 Kudos

- Please check the as-is certificates -> Are they signed by a CA or are they self signed certificates. You can find that easily by exporting the public certificate and then checking if it has the certificate chain.

- Is this a productive environment / QA? In my opinion if you are doing a real partner integration, the certificates would have been signed by a CA.

- Do not delete your existing certificates (at least as of now). Even if you want to remove obsolete entries, export the Private Key / Public key and keep them in a secure location, at least as a backup.

Regards

Bhavesh
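
The two checks raised in this thread (is the certificate self-signed, and does the replacement carry the same KeyUsage as the expiring one) can be run with OpenSSL on the exported public certificates. This is an added example, not part of the original posts: it assumes the certificates are available as PEM files, and the two sample certificates and their file names are constructed here so the script runs offline.

```shell
#!/bin/sh
# Constructed sample data: two throwaway self-signed certificates standing in
# for the expiring certificate and its replacement (names are hypothetical).
WORK=$(mktemp -d)
gen_cert() {  # gen_cert <basename> [extra "openssl req" arguments...]
    name=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=pi-sample-$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" "$@" 2>/dev/null
}
gen_cert old -addext "keyUsage=critical,digitalSignature,keyEncipherment,dataEncipherment"
gen_cert new   # no KeyUsage extension, like the newly created certificate in the thread

# Print the Key Usage values, or nothing if the extension is absent.
key_usage() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage:/ { getline; gsub(/^ +/, ""); print; exit }'
}

# True when subject and issuer names match, i.e. no separate CA issued it.
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Compare the replacement with the expiring certificate; non-zero on a mismatch.
renewal_check() {
    old_ku=$(key_usage "$1"); new_ku=$(key_usage "$2")
    echo "old KeyUsage: ${old_ku:-<none>}"
    echo "new KeyUsage: ${new_ku:-<none>}"
    is_self_issued "$2" && echo "new certificate is self-signed (subject = issuer)"
    [ "$old_ku" = "$new_ku" ]
}

renewal_check "$WORK/old.pem" "$WORK/new.pem" ||
    echo "KeyUsage differs: confirm with the partner before go-live"
```

Replace the two generated files with the exported old and new certificates to run the same comparison on real data.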

Answers (2)

Former Member
0 Kudos

Can anyone please suggest?

former_member186851
Active Contributor
0 Kudos

Hello Ankit.

After getting the new certificates import as mentioned in the below link