
CA certificate missing in database while importing certificate in ABAP

Former Member
0 Kudos

Hello,

We have installed the SAP cryptographic libraries and generated an SSL PSE. Later we generated the CSR and sent it to Verisign. While importing the signed certificate we are constantly getting the error message "CA certificate missing in database".

We have created an entry in the STRUSTCERT table using SE16, but we are still getting the same error message. Please let me know how to get rid of this error message and proceed further.

Thanks,

Praveen

9 REPLIES 9

0 Kudos

Hi Praveen,

for adding a certificate to the database, please load the certificate into transaction STRUST and choose Certificate -> Export -> Database from the menu. However, since Verisign uses intermediate certificates (which cannot be stored in the database), you need to copy the root and the intermediate certificate from Verisign into the certificate response before importing it into the SSL PSE.

Best regards,

Klaus

0 Kudos

Hi Klaus,

I'm having trouble with establishing the SSL connection. I've managed to import the certificate response but I have a doubt. When you say 'you need to copy the root and the intermediate certificate from Verisign into the certificate response before importing it into the SSL PSE', do you mean importing the root and the intermediate certificate into the certificate list? If not, how can I copy the root and intermediate certificates into the certificate response?

Thanks in advance Klaus,

0 Kudos

Hi,

>how can I copy the root and intermediate certificates into the certificate response?

Your certificates should be base 64 encoded.

Use a text editor (Notepad on Windows, for example) and copy and paste the CA and subCA certificates into the certificate response.

You should get a text file looking like:

-----BEGIN CERTIFICATE-----
MIIGJDCCBY2gAwIBAgIKeAhSUQADAAAqhkiG9w0BAQUFADCBhDELMAkG
..........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGJDCCBY2gAwIBAgIKeAhSUQADAAAqhkiG9w0BAQUFADCBhDELMAkG
..........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGJDCCBY2gAwIBAgIKeAhSUQADAAAqhkiG9w0BAQUFADCBhDELMAkG
..........
-----END CERTIFICATE-----

Regards,

Olivier

0 Kudos

Hi Olivier,

Thanks for your suggestion!

Do you have to copy them in a specific order? Meaning, the txt file starts with:

-----BEGIN CERTIFICATE (of certificate response)-----
MIIGJDCCBY2gAwIBAgIKeAhSUQADAAAqhkiG9w0BAQUFADCBhDELMAkG
..........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE (of subCA certificate)-----
MIIGJDCCBY2gAwIBAgIKeAhSUQADAAAqhkiG9w0BAQUFADCBhDELMAkG
..........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE (of CA certificate)-----
MIIGJDCCBY2gAwIBAgIKeAhSUQADAAAqhkiG9w0BAQUFADCBhDELMAkG
..........
-----END CERTIFICATE-----

Or does the order matter, and is it the other way round? I am asking this question since, after the cut & copy, I am getting an error when testing the connection.

I'm getting:

'the verification of the server's certificate chain failed

Can't get path because the chain of certificates is incomplete'

I'm quite sure that all the certificates were included....

Thanks Olivier

Edited by: Gonçalo Mouro Vaz on Sep 16, 2008 1:27 PM

0 Kudos

Hi Gonçalo,

Yes the order is important.

If I remember well, you have to put them in the order you showed.

response

subCA

rootCA

PS: if on Windows, beware of end-of-line characters.

Prefer a copy and paste from notepad to STRUST than importing the file from STRUST.

Regards,

Olivier

0 Kudos

You should also consider the use of the command line utilities, especially sapgenpse, in this case. With sapgenpse, you can put all certificates (including intermediate CA certificates) directly into the PSE.

As Klaus pointed out above, STRUST is a little bit restrictive regarding this.

0 Kudos

Hi Sietze,

I'm still having problems importing the certificate response, I keep getting 'Issuer certificate missing in database'. Despite the fact that I've created all the entries in table STRUSTCERT and had the CA Certificates exported into the database using STRUST, when I select (in STRUST) the option 'import certificate response' I keep getting that error.

Can you tell me how can I import the certificate response using sapgenpse? And what is the difference in using sapgenpse or strust?

Thanks Sietze,

0 Kudos

1. Use "sapgenpse gen_pse" for creating a PSE.

2. Use "sapgenpse gen_pse -r" for generating a PKCS#10 request.

3. Get this request signed by your CA.

4. Use "sapgenpse import_own_cert" for importing the certificate chain back. You'll have to add all (sub) CA certificates in this file as well.

5. Import the resulting pse into STRUST.

Another way to do this is using Windows where you can also do these operations via a GUI. At the end, you'll have to export everything in PKCS#12 format (file ending is .pfx), use sapgenpse to convert the .pfx file into a PSE (file ending .pse) and import this file into STRUST.

Still confused? This is all from memory, so I hope I didn't forget an important step! It would take a few hours to make screen shots and so on. Perhaps I'll put such instructions in a blog sometime in the future....
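The response, subCA, rootCA ordering discussed earlier in the thread, and the chain file that step 4 above imports, as an added example that is not from any of the posters or from SAP: it reads a pasted PEM bundle, tolerates Windows line endings, orders the blocks by matching each issuer name to a subject name, and reports a missing link. The function names are hypothetical, name matching is done on the raw DER bytes, no signature is verified, and `sample_cert` builds constructed structure-only stand-ins rather than valid certificates.

```python
import base64, re, textwrap
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER of the issuer and subject Names; signatures are not verified."""
    _, p, end = _tlv(der, _tlv(der, 0)[1])  # Certificate, then TBSCertificate
    fields = []
    while p < end:
        tag, _, nxt = _tlv(der, p)
        if tag != 0xA0:  # skip the optional [0] version
            fields.append(der[p:nxt])
        p = nxt
    return fields[2], fields[4]  # serial, sigAlg, issuer, validity, subject

def to_pem(der):
    body = textwrap.fill(base64.b64encode(der).decode(), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def order_chain(pem_text):
    """Re-emit the PEM blocks as response, subCA, rootCA with LF line ends."""
    ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    certs = [(d, *issuer_subject(d)) for d in ders]
    by_subject = {c[2]: c for c in certs}
    ca_names = {c[1] for c in certs if c[1] != c[2]}
    leaves = [c for c in certs if c[1] != c[2] and c[2] not in ca_names]
    if len(leaves) != 1:
        raise ValueError("expected exactly one certificate response")
    out, cur = [], leaves[0]
    while len(out) < len(certs):
        out.append(to_pem(cur[0]))
        if cur[1] == cur[2]:  # self-signed root reached
            return "".join(out)
        if cur[1] not in by_subject:
            raise ValueError("chain incomplete: an issuer certificate is missing")
        cur = by_subject[cur[1]]
    raise ValueError("chain does not end in a self-signed root")

def sample_cert(subject, issuer):  # constructed stand-in, not a valid certificate
    der = lambda tag, body: bytes([tag, len(body)]) + body
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer) + der(0x30, b"") + name(subject))
    return der(0x30, der(0x30, tbs))
```

Running `order_chain` on the pasted text before the import catches the "chain of certificates is incomplete" case locally, since it raises when an issuer has no matching certificate in the file.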

0 Kudos

Hello,

maybe this blog can help you:

Best Regards,

Jens

Edited by: Jens Gleichmann on Oct 31, 2008 10:47 AM

Blog is available