on 04-12-2016 4:03 PM
Hi,
We have a NW 7.31 system with SSL configured. Earlier we were using a certificate internally signed. Now we have got a new CA signed certificate. I have imported the certificate. However, when I open up the portal it seems it is still using the old signed certificate. Any idea where to bind this new certificate? I have deleted the old certificate from the keystore and every other place. Any idea please.
Thanks,
Mofizur
Hello Mofizur,
Are you using NWA?
In the Key Storage tab (inside Certificates and Keys: Key Storage), I select the ICM_SSL_xxxxx row, which contains the ICM Server SSL credentials store.
In the 'Details of view "ICM_SSL_xxxxx"' I use the "Import CSR Response", so the new certificate is available.
Regards,
Cris
Hi Cris,
Yes I am using NWA and I am in the same path that you pointed out.
In the Key Storage tab (inside Certificates and Keys: Key Storage), I select the ICM_SSL_xxxxx row, which contains the ICM Server SSL credentials store.
I was unable to use "Import CSR Response" as it gave me an error.
So I used "Import Entry" option in ICM_SSL_xxxxx and made the certificate available there.
My Security team gave a pfx file with a private key for import.
Interestingly, when I am using https://<IP address>:443/nwa I can see it is taking the new certificate,
but if I use https://<friendly URL>:443/nwa it is taking the old certificate.
Appreciate your help on this please.
Thanks,
Mofizur
Hi Nitin,
I have already deleted the old certificates and restarted SAP and rebooted the host.
I could see the below, but I am not sure how to convert that?
https://scn.sap.com/thread/1234128
iaik.asn1.CodingException: ASN1: OBJECT ID does not support getComponentAt(int)!
We could resolve this issue by converting the certificate to a base64-encoded representation. You can do this easily by double-clicking the certificate in the windows explorer and storing it as a base64-encoded one.
Thanks,
Mofizur
Hi Mofizur,
In this case, you should use "Import Entry", selecting "PKCS#12 Key Pair". Then you need to enter the file name and the password to open the PKCS#12 file.
You should see a new row in the list. Now you need to rename the old "ssl-credentials" to something like "ssl-credentials-old". And the newly imported key pair should be renamed to "ssl-credentials".
Regards,
Cris
Hi Mofizur,
Actually I was partially wrong.
The steps to have the new certificate in place are below.
1) You should have a similar view. Note that my current SSL certificate will expire in 2017.
I created a new PKCS#12 file, and had the certificate request signed. The new validity is 2018.
After importing the new entry:
Note that I now have TWO "Private Key" entries. The "ssl-credentials" should be deleted and the first one renamed to "ssl-credentials". You see that the new validity date is 2018.
3) Now that you have the new certificate in place, click on "Export View to PSE". This will make the ICM reload the PSE file that contains the key pair used for SSL.
If you try to access the system via HTTPS, you should have the new certificate being used:
Kind regards,
Cris
Hi Cris,
I understood that we need a SAN certificate with the details below:
Subject: purchase.dev.services
SAN: regional.purchase.kdev.services
SAN: international.kdev.services
I am not aware of the exact process of how to create the CSR to be sent to my CA for this. I used Windows mmc to generate the CSR and got the full cert + private key from the CA. But after importing it I am having the issue as described in my initial response.
I went through your blog,
but I am not sure if I have to follow the commands to generate the CSR in this case or not.
Thanks,
Mofizur
Hi Cris,
Can you please help me with the command for my scenario as I am not confident enough about the syntax.
My scenario:
Subject: purchase.dev.services
SAN: regional.purchase.kdev.services
SAN: international.kdev.services
- create a file SAPSSLS.pse with server DName and 2 DNS as SubjectAltName
(prompts for PSE password)
sapgenpse gen_pse -p SAPSSLS.pse -k GN-dNSName:www.sap.com "CN=www.sap.de, DNS=www.sap.fr C=DE"
- Add Subject Alternative Names from the existing SAPSSLS.pse in the certificate request
(prompts for PSE password)
sapgenpse gen_pse -p SAPSSLS.pse -j -onlyreq -r cert.p10
What would be the actual command?
Thanks,
Mofizur
Hi Mofizur,
The command would be:
sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p NEWPSE.pse -k GN-dNSName:regional.purchase.kdev.services -k GN-dNSName:international.kdev.services
Then you need to enter a valid PIN:
Please enter PSE PIN/Passphrase: *********
Please reenter PSE PIN/Passphrase: *********
Then you need to enter the DN of the certificate:
get_pse: Distinguished name of PSE owner: CN=purchase.dev.services, OU=This is a Test, OU=My Another OU, O=Organization, L=City, SP=State, C=DE
Finally, you will get the output:
Certificate Request:
Signed Part:
Subject :CN=purchase.dev.services, OU=This is a Test, OU=My Another OU, O=Organization, L=City, SP=State, C=DE
Key:
Key type :rsaEncryption (1.2.840.113549.1.1.1)
Key size :2048
Attributes:
element#no="1":
Type :extensionRequest (1.2.840.113549.1.9.14)
Value 1:
Alternative names:
Significance:Non critical
Value:
element#no="1":
GeneralName :GN-dNSName:regional.purchase.kdev.services
element#no="2":
GeneralName :GN-dNSName:international.kdev.services
Signature:
Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
Signature bits ( size="2048" ):
PKCS#10 certificate request for "...\sec\NEWPSE.pse":
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Regards,
Cris
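A check for the last step of Cris's procedure ("If you try to access the system via HTTPS, you should have the new certificate being used"), added here as an example and not code from the thread, from SAP or from sapgenpse: it handshakes with the server under a chosen SNI name and reports which DNS SANs the presented certificate carries, so the IP-versus-friendly-URL difference Mofizur described can be checked after "Export View to PSE". The two expected names are the SANs from the thread; the function names and the minimal DER walker are my own assumptions, not an SAP API.

```python
import socket
import ssl

# Names from the thread, assumed here to be the expected SAN set (example values).
EXPECTED_SANS = ["regional.purchase.kdev.services", "international.kdev.services"]
SAN_OID = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17 = subjectAltName


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dns_names_from_cert(der):
    """dNSName entries of the subjectAltName extension of a DER certificate.
    Minimal by design: it finds the extension by its OID instead of walking
    the whole X.509 structure, which is enough for a post-renewal check."""
    i = der.find(SAN_OID)
    if i < 0:
        return []
    tag, val, pos = der_tlv(der, i + len(SAN_OID))
    if tag == 0x01:  # optional BOOLEAN 'critical' precedes the value
        tag, val, pos = der_tlv(der, pos)
    if tag != 0x04:  # extnValue is an OCTET STRING wrapping a GeneralNames SEQUENCE
        return []
    _, seq, _ = der_tlv(val, 0)
    names, p = [], 0
    while p < len(seq):
        tag, v, p = der_tlv(seq, p)
        if tag == 0x82:  # [2] IMPLICIT IA5String = dNSName
            names.append(v.decode("ascii"))
    return names


def served_dns_names(host, port=443, sni=None):
    """DNS SANs of whatever certificate the ICM presents on host:port. Verification
    is off on purpose so a stale or self-signed certificate is still reported;
    pass the IP as host and the friendly name as sni to compare the two cases."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return dns_names_from_cert(tls.getpeercert(binary_form=True))


def missing_sans(served, expected=EXPECTED_SANS):
    """Expected names absent from the served certificate; empty means the renewal took."""
    return sorted(set(expected) - set(served))
```

Compare missing_sans(served_dns_names('<ip>')) with missing_sans(served_dns_names('<ip>', sni='<friendly URL>')): an empty list in both cases means the new key pair is the one being served for both access paths.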