
How to allow expired certificate for SSL in TREX

remensperger_m
Explorer
0 Kudos

Hello,

we are running a SAP Test-Portal EP 7.00 SP12 which is accessible via webdispatcher. We use SSL between Browser and webdispatcher and SSL is terminated on the webdispatcher. For SSL we use a test-certificate issued by an official CA, which has expired in the meantime. For test purposes it is sufficient to accept the browser-pop-up notifying about the expired certificate when we sign into the Test-Portal. We have also connected a Test-TREX 7.0 Build 25 to the Test-Portal and we have configured the TREX for using SSL by importing the Root- and Own-certificate from the webdispatcher into the pse of the TREX. The TREX Preprocessor however cannot handle the expired certificate and the Repositories couldn't be indexed any more since the expiration of the test-certificate. Is it possible to tell the TREX to ignore the expired certificate, since a) we don't want to buy an official certificate for a test landscape, b) we don't want to renew the test certificate every 4 weeks and c) we don't want to implement home-made certificates for this purpose. We tried the last option before we got the test-certificate from the CA but without success.

Is there a way to tell the TREX to accept "expired" or "unsecure" certificates for SSL?

Best regards

Michael Remensperger

3 REPLIES 3

WolfgangJanzen
Product and Topic Expert
0 Kudos

For test purposes you can obtain a SSL server certificate from the SAP Trust Center Service: http://service.sap.com/ssltest

For productive use you should definitely invest in a proper SSL server certificate - also to avoid those annoying browser popups. Notice: any SSL client is allowed to reject expired certificates or certificates which cannot be verified (e.g. because of an untrusted CA or "incomplete trust chain"). It's just a kindness of your browser to offer the warning mode. Not all SSL clients are able to interact with the user to decide how to handle such situations; treating such error situations as error is absolutely o.k.

PS: operating your own CA (being able to define your own policy regarding certificate expiration) is a valid option - but it requires some technological knowledge.

0 Kudos

Hello Wolfgang,

thank you for the answer. For our productive environment we already use a certificate chain, issued by an official CA. The option to get a test certificate from SAP Trust Center is not an option, since the certificate will work just for eight weeks. As far as I understand from your answer, there is definitely no way to tell TREX (which acts as the client) to ignore the expired certificate by using an option or parameter, giving the same kindness to TREX because I-know-that-there-is-an-expired-certificate-but-I-tell-you-TREX-to-ignore-this!

I'm afraid that we have to create our own certificate to get rid of applying for test-certificates and installing them into the pse's again and again.

Best regards

Michael

0 Kudos

> I'm afraid that we have to create our own certificate to get rid of applying for test-certificates and installing them into the pse's again and again.

Yes, that's the best approach.

BTW: a SSL server certificate does not need to be issued by any CA - it can also be a self-signed certificate (with a validity until the year 2038 ...). In that case you need to import that self-signed certificate into the keystore of the SSL client to declare it "trust-worthy" (by default it's not, of course)

Alternatively you can operate your own CA (and issue the certificate with a validity until the year 2038 ...). In that case you need to import your CA's root certificate (and potentially also the certificates of any intermediate CAs) to your SSL client's keystore.

Cheers, Wolfgang
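
The self-signed approach from the last reply, as an added example that is not part of the original thread: it uses generic OpenSSL commands rather than SAP's PSE tooling, and the host names, file names and validity periods are constructed placeholders. It shows that a self-signed certificate verifies only against a trust store that contains it, and adds an expiry check so a test landscape is warned before indexing breaks; importing the certificate into the TREX PSE is not shown.

```shell
#!/bin/sh
# Added example: generic OpenSSL, not SAP's PSE tooling.
# Host names, file names and validity periods are constructed placeholders.

# Create a self-signed server certificate for <cn>, valid for <days> days.
# usage: make_self_signed <cn> <days> <key.pem> <cert.pem>
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -days "$2" -keyout "$3" -out "$4" 2>/dev/null
}

# Succeed only if <cert.pem> verifies against the trust anchor <anchor.pem>.
# This models an SSL client whose keystore contains exactly that anchor;
# openssl verify also fails when the certificate has expired.
# usage: trusted_by <anchor.pem> <cert.pem>
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed if <cert.pem> will still be valid <days> days from now.
# usage: valid_for_days <cert.pem> <days>
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d)
make_self_signed webdisp.test.example 3650 "$demo_dir/srv.key" "$demo_dir/srv.pem"
trusted_by "$demo_dir/srv.pem" "$demo_dir/srv.pem" \
    && echo "accepted once the certificate is imported as a trust anchor"
valid_for_days "$demo_dir/srv.pem" 30 \
    || echo "renew now: certificate expires within 30 days"
rm -rf "$demo_dir"
```

Running `valid_for_days` from a scheduled job against the certificate the web dispatcher presents gives advance notice of expiry instead of a failed index run.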