Cannot create ssl certificate - my cert. request is missing "Server Authentication"

0 Kudos

I'm trying to set up SSL for our ABAP stacks (only used within our network). I generated a certificate request as per SAP Help and forwarded the file to our web team who attempted to create a certificate using Windows "certutil". Unfortunately that failed with "Denied by Policy Module", and after some investigation my colleague told me it was because the request was missing an "Enhanced Key Usage" parameter of "Server Authentication".

I can't work out where I might be able to set this. Can anyone help with this please?

Accepted Solutions (1)

cris_hansen
Advisor
0 Kudos

Hello Richard,

Could you clarify about the SAPCRYPTOLIB (or CommonCryptoLib) version and patch level you have used?

Is it possible to have the result from command:

          sapgenpse get_my_name -p <PSENAME.pse> -v -v 2>&1

executed via report RSBDCOS0? (Replace <PSENAME.pse> with the actual PSE you are configuring via STRUST.)

Kind regards,

Cris

0 Kudos

Thanks Chris.

I didn't get any version info from sapgenpse unfortunately, but got this from STRUST -> Environment -> Display SSF Version:

SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.43 (+MT) #Copyright (c) SAP, 2011-2015#compiled for linux-gcc-4.3-x86-64#

cris_hansen
Advisor
0 Kudos

Hi Richard,

Do you have a PSE folder in STRUST? Similar to:

I tested the SSL server Standard (SAPSSLS.pse file):

I am also using the same SAPCRYPTOLIB as you (CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.43 pl40).

Regards,

Cris

cris_hansen
Advisor
0 Kudos

Hi Richard,

I realized that the Extended Key Usage from my certificate was added by the CA. The actual certificate response does not contain the "Server Authentication".

You can try the other way round: create a P12 (PKCS#12 package) file in Windows, so you can add all the Extended Key Usage you need, then convert P12 to PSE using sapgenpse. The new PSE can then be imported via STRUST.

Kind regards,

Cris
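
One way the Windows side of the P12 route described above can look, as an added example that is not part of the original thread or SAP's own documentation. The host name, CA config string and file names are placeholders, and the final `sapgenpse import_p12` step is shown as a comment because it runs on the SAP host, not in PowerShell.

```powershell
# Run in an elevated PowerShell session on the Windows machine that will hold the key.
$fqdn = 'abap01.example.internal'                      # placeholder: host name users connect to
$ca   = 'ca01.example.internal\Example-Issuing-CA'     # placeholder: CA config string

# 1. Request definition. The [EnhancedKeyUsageExtension] section is what places
#    Server Authentication (OID 1.3.6.1.5.5.7.3.1) into the PKCS#10 request.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path .\abap-ssl.inf -Encoding ASCII

# 2. Create the key pair and request, then confirm the EKU is present before
#    the request goes to the CA, so a policy rejection is caught locally.
certreq -new .\abap-ssl.inf .\abap-ssl.req
if (-not (certutil -dump .\abap-ssl.req | Select-String '1\.3\.6\.1\.5\.5\.7\.3\.1')) {
    throw 'Request carries no Server Authentication EKU; correct the INF before submitting.'
}

# 3. Submit to the CA and bind the issued certificate to the private key.
certreq -submit -config $ca .\abap-ssl.req .\abap-ssl.cer
certreq -accept .\abap-ssl.cer

# 4. Export certificate and private key as PKCS#12 (needs Exportable = TRUE above).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -eq "CN=$fqdn" |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
$pw = Read-Host -AsSecureString 'Password for the P12 file'
Export-PfxCertificate -Cert $cert -FilePath .\abap-ssl.p12 -Password $pw

# 5. On the SAP host: convert the P12 to a PSE, then import that PSE via STRUST.
#      sapgenpse import_p12 -p SAPSSLS.pse abap-ssl.p12
#    The P12 contains the private key: transfer it over a protected channel and
#    delete every copy once the PSE has been imported.
```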

0 Kudos

Ah, OK. That makes more sense then!

I'm off until Tuesday now. I'll chat to my Web/Windows colleague then about creating a P12 package (I'm hoping he understands that!) and will try this way around and come back with my findings.

Thanks for all your help.

Richard

cris_hansen
Advisor
0 Kudos

Hi Richard,

During the weekend I'll create a document about the steps.

I'll publish the content as a blog.

Cheers,

Cris

Answers (0)