How to add a new Certificate in SAP Portal

Mofizur
Contributor
0 Kudos

Hi,

We have a NW 7.31 system with SSL configured. Earlier we were using an internally signed certificate. Now we have got a new CA-signed certificate. I have imported the certificate. However, when I open up the portal it seems it is still using the old signed certificate. Any idea where to bind this new certificate? I have deleted the old certificate from the keystore and every other place. Any idea please.

Thanks,

Mofizur

Accepted Solutions (0)

Answers (1)

cris_hansen
Advisor
0 Kudos

Hello Mofizur,

Are you using NWA?

In the Key Storage tab (inside Certificates and Keys: Key Storage), I select the ICM_SSL_xxxxx row, which contains the ICM Server SSL credentials store.

In the 'Details of view "ICM_SSL_xxxxx"' I use the "Import CSR Response", so the new certificate is available.

Regards,

Cris

Mofizur
Contributor
0 Kudos

Hi Cris,

Yes, I am using NWA and I am on the same path that you pointed out.

In the Key Storage tab (inside Certificates and Keys: Key Storage), I select the ICM_SSL_xxxxx row, which contains the ICM Server SSL credentials store.

I was unable to use "Import CSR Response" as it gave me an error.

So I used "Import Entry" option in ICM_SSL_xxxxx and made the certificate available there.

My Security team gave a pfx file with a private key for import.

Interestingly, when I am using https://<IP address>:443/nwa I can see it is taking the new certificate,

but if I use https://<friendly URL>:443/nwa it is taking the old certificate

Appreciate your help on this please.

Thanks,

Mofizur

nitindeshpande
Active Contributor
0 Kudos

Hi Mofizur,

Please check whether your new certificate is IP address based or host-name based. If it is IP address based, then the DNS is not getting resolved when you are using the host name in the URL.

And you need to delete the old certificate before using the new one.

Regards,

Nitin

Mofizur
Contributor
0 Kudos

Hi Nitin,

I have already deleted the old certificates, restarted SAP and rebooted the host.

I could see the below, but I am not sure how to convert that:

https://scn.sap.com/thread/1234128

iaik.asn1.CodingException: ASN1: OBJECT ID does not support getComponentAt(int)!

We could resolve this issue by converting the certificate to a base64-encoded representation. You can do this easily by double-clicking the certificate in the windows explorer and storing it as a base64-encoded one.

Thanks,

Mofizur
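The Base64 conversion quoted above, as a script instead of the Windows Explorer export (added example, not code from the thread or from SAP); the DER bytes are a constructed sample, not a real certificate.

```python
import base64

# Constructed sample: a tiny DER SEQUENCE (not a real certificate), used only
# to exercise the conversion; a real input would be the CA's .cer/.crt file.
SAMPLE_DER = bytes.fromhex("3003020105")

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

def is_pem(data: bytes) -> bool:
    """True if the file already carries a Base64 PEM armour."""
    return data.lstrip().startswith(b"-----BEGIN ")

def der_to_pem(data: bytes) -> bytes:
    """Re-encode a binary (DER) certificate as Base64 PEM, the form the
    NWA key store importer accepted in the thread. PEM input is returned as-is."""
    if is_pem(data):
        return data
    if not data or data[0] != 0x30:
        # Every X.509 certificate is an ASN.1 SEQUENCE (tag 0x30); anything
        # else is neither DER nor PEM and would only produce a cryptic error.
        raise ValueError("input is not a DER-encoded certificate")
    b64 = base64.b64encode(data)
    # RFC 7468 wraps the Base64 body at 64 characters per line.
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + b"\n"

def convert_file(src: str, dst: str) -> None:
    """Read a .cer/.crt exported from Windows and write the .pem to dst."""
    with open(src, "rb") as f:
        pem = der_to_pem(f.read())
    with open(dst, "wb") as f:
        f.write(pem)
```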

nitindeshpande
Active Contributor
0 Kudos

Hi Mofizur,

For Base64-encoded certificates, the extension of your certificate request must be .PEM.

Regards,

Nitin

cris_hansen
Advisor
0 Kudos

Hi Mofizur,

In this case, you should use "Import Entry", selecting "PKCS#12 Key Pair". Then you need to enter the file name and the password to open the PKCS#12 file.

You should see a new row in the list. Now you need to rename the old "ssl-credentials" to something like "ssl-credentials-old". And the newly imported key pair should be renamed to "ssl-credentials".

Regards,

Cris

cris_hansen
Advisor
0 Kudos

Hi Mofizur,

Actually I was partially wrong.

The steps to have the new certificate in place are below.

1) You should have a similar view. Note that my current SSL certificate will expire in 2017.

I created a new PKCS#12 file and had the certificate request signed. The new validity is 2018.

After importing the new entry:

Note that I have now TWO "Private Key" entries. The "ssl-credentials" should be deleted and the first one renamed to "ssl-credentials". You see that the new validity date is 2018.

3) Now that you have the new certificate in place, click on "Export View to PSE". This will make the ICM reload the PSE file that contains the key pair used for SSL.

If you try to access the system via HTTPS, you should have the new certificate being used:

Kind regards,

Cris

Mofizur
Contributor
0 Kudos

Hi Cris,

I understood that we need a SAN certificate with the below details:

Subject: purchase.dev.services

SAN: regional.purchase.kdev.services

SAN: international.kdev.services

I am not aware of the exact process of how to create the CSR to be sent to my CA for this. I used Windows MMC to generate the CSR and got the full cert + private key from the CA. But after importing it I am having the issue as described in my initial response.

I went through your blog

http://scn.sap.com/community/netweaver-as/blog/2015/10/26/subject-alternative-name-san-with-sapgenps...

But I am not sure if I have to follow the commands to generate the CSR in this case or not.

Thanks,

Mofizur

cris_hansen
Advisor
0 Kudos

Hi Mofizur,

Yes, you can follow the steps from the blog.

The CSR can be submitted to your CA and then you can import the response.

You can convert the PSE file to PKCS#12, then import it into the Key Store via NWA.

Cheers,

Cris

Mofizur
Contributor
0 Kudos

Hi Cris,

Can you please help me with the command for my scenario, as I am not confident enough about the syntax?

My scenario:

Subject: purchase.dev.services

SAN: regional.purchase.kdev.services

SAN: international.kdev.services

- create a file SAPSSLS.pse with server DName and 2 DNS as SubjectAltName

  (prompts for PSE password)

  sapgenpse gen_pse -p SAPSSLS.pse -k GN-dNSName:www.sap.com "CN=www.sap.de, DNS=www.sap.fr C=DE"

- Add Subject Alternative Names from the existing SAPSSLS.pse in the certificate request

  (prompts for PSE password)

  sapgenpse gen_pse -p SAPSSLS.pse -j -onlyreq -r cert.p10

What would be the actual command?

Thanks,

Mofizur

cris_hansen
Advisor
0 Kudos

Hi Mofizur,

The command would be:

sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p NEWPSE.pse -k GN-dNSName:regional.purchase.kdev.services -k GN-dNSName:international.kdev.services

Then you need to enter a valid PIN:

Please enter PSE PIN/Passphrase: *********

Please reenter PSE PIN/Passphrase: *********

Then you need to enter the DN of the certificate:

get_pse: Distinguished name of PSE owner: CN=purchase.dev.services, OU=This is a Test, OU=My Another OU, O=Organization, L=City, SP=State, C=DE

Finally, you will get the output:

Certificate Request:

  Signed Part:

    Subject     :CN=purchase.dev.services, OU=This is a Test, OU=My Another OU, O=Organization, L=City, SP=State, C=DE

    Key:

      Key type    :rsaEncryption (1.2.840.113549.1.1.1)

      Key size    :2048

    Attributes:

      element#no="1":

        Type        :extensionRequest (1.2.840.113549.1.9.14)

        Value 1:

          Alternative names:

            Significance:Non critical

            Value:

              element#no="1":

                GeneralName :GN-dNSName:regional.purchase.kdev.services

              element#no="2":

                GeneralName :GN-dNSName:international.kdev.services

  Signature:

    Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)

    Signature bits ( size="2048" ):

PKCS#10 certificate request for "...\sec\NEWPSE.pse":

-----BEGIN CERTIFICATE REQUEST-----

...

-----END CERTIFICATE REQUEST-----


Regards,

Cris
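As an added example (not from the thread or from SAP), the check a client performs when deciding whether the certificate it was served covers the host in the URL, using the CN and SAN names from the command above; the URL host and IP address in the checks are constructed. Once a SAN extension is present, clients ignore the CN, so if purchase.dev.services itself is used in URLs it should also be requested as a SAN.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Names from the thread's final sapgenpse command: the subject CN plus two
# dNSName SANs. Any IP address used with these helpers is a constructed sample.
SUBJECT_CN = "purchase.dev.services"
SAN_ENTRIES: List[Tuple[str, str]] = [
    ("DNS", "regional.purchase.kdev.services"),
    ("DNS", "international.kdev.services"),
]

def host_from_url(url: str) -> Optional[str]:
    """Host the browser validates, e.g. 'https://10.0.0.5:443/nwa' -> '10.0.0.5'."""
    return urlsplit(url).hostname

def dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style: case-insensitive; a wildcard only as the whole leftmost
    label and only when at least two labels follow it (*.kdev.services)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]

def host_matches_cert(host: str, subject_cn: str, sans: Iterable[Tuple[str, str]]) -> bool:
    """Would a client accept this certificate for `host`? A literal IP only
    matches an iPAddress SAN; once any dNSName SAN exists the CN is ignored,
    so a CN that is not repeated as a SAN does not cover its own name."""
    sans = list(sans)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:
        return any(dns_match(v, host) for v in dns_sans)
    # Legacy CN fallback: only when no dNSName SAN exists; current browsers
    # reject such certificates outright.
    return dns_match(subject_cn, host)
```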