Important update (from Sept 2017):
If you are using AS ABAP, then use STRUST. It is possible to add SAN via STRUST.
If you use sapgenpse for AS ABAP, this is an error-prone manual approach.
Recommended additional reading:
- For SAP Netweaver ABAP: 2478769 - Create certificates with subject Alternative Name (SAN) within STRUST
- For SAP Web Dispatcher: 2502649 - Creating certificates with Subject Alternative Name (SAN) through the Web Admin page
End of update.
A few days ago I saw (and answered) a question related to how to create an SSL server PSE with SAN.
Since this is not possible via STRUST, the alternative is to use the command line tool, sapgenpse.
It is necessary to use version 8.4.42 (or higher), so the Subject Alternative Name can be added. More details can be found in point 4 of SAP note 2209439.
A quick test:
sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSAN.pse -k GN-dNSName:myehp7system.mydomain.com
Please enter PSE PIN/Passphrase: *********
Please reenter PSE PIN/Passphrase: *********
get_pse: Distinguished name of PSE owner: CN=vertigo.mydomain.com, OU= SAP Active Global Support,OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP= Rio Grande do Sul, C=BR
Certificate Request:
Signed Part:
Subject :CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
Key:
Key type :rsaEncryption (1.2.840.113549.1.1.1)
Key size :2048
Attributes:
element#no="1":
Type :extensionRequest (1.2.840.113549.1.9.14)
Value 1:
Alternative names:
Significance:Non critical
Value:
element#no="1":
GeneralName :GN-dNSName:myehp7system.mydomain.com
Signature:
Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
Signature bits ( size="2048" ):
PKCS#10 certificate request for "SAPSAN.pse":
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Importing the response:
sapgenpse import_own_cert -c cert.p7b -p SAPSAN.pse
CA-Response successfully imported into PSE "SAPSAN.pse"
Checking the content:
sapgenpse get_my_name -p SAPSAN.pse
Subject : CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
Issuer : ...
Serialno : ...
KeyInfo : RSA, 2048-bit
Validity - NotBefore: ...
NotAfter : ...
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication ClientAuthentication
SubjectAltName : GN-dNSName:myehp7system.mydomain.com
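A follow-up check on the `get_my_name` output above, as an added example (not part of the original post or of SAP's tooling): it lists the hostnames that no SubjectAltName dNSName entry covers, since clients that follow RFC 6125 match against the SAN entries and ignore the CN once a dNSName SAN is present. It goes slightly beyond the post by also accepting a single-label wildcard entry; the function names and the `GN-dNSName:<host>` token format (taken from the output shown here) are assumptions.

```shell
#!/bin/sh
# Added example: verify that every hostname clients will use is listed as a
# SubjectAltName dNSName in the PSE's certificate.
# Assumption: SAN entries appear as "GN-dNSName:<host>" tokens, as in the
# get_my_name output shown on this page.

# san_names: read get_my_name output on stdin, print one lower-cased dNSName per line.
san_names() {
    grep -o 'GN-dNSName:[^ ,]*' | cut -d: -f2 | tr '[:upper:]' '[:lower:]'
}

# san_covers HOST: read get_my_name output on stdin; return 0 if HOST matches a
# dNSName exactly, or a wildcard entry that replaces exactly its left-most label.
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    parent=${host#*.}                 # host without its left-most label
    if [ "$parent" = "$host" ]; then  # single-label name: exact match only
        san_names | grep -Fxq -e "$host"
    else
        san_names | grep -Fxq -e "$host" -e "*.$parent"
    fi
}

# missing_hosts OUTPUT HOST...: print each HOST that no SAN entry in OUTPUT covers.
missing_hosts() {
    out=$1; shift
    for h in "$@"; do
        printf '%s\n' "$out" | san_covers "$h" || printf '%s\n' "$h"
    done
}

# Constructed sample, reduced from the get_my_name output on this page.
SAMPLE='Subject : CN=vertigo.mydomain.com, OU=SAP Active Global Support, O=SAP, C=BR
KeyUsage : digitalSignature keyEncipherment
SubjectAltName : GN-dNSName:myehp7system.mydomain.com'

# Against a real PSE (not run here):
#   missing_hosts "$(sapgenpse get_my_name -p SAPSAN.pse)" host1 host2
missing_hosts "$SAMPLE" myehp7system.mydomain.com vertigo.mydomain.com
# prints: vertigo.mydomain.com  (the CN is not among the SAN entries)
```

An empty result means every listed hostname is covered; any name printed needs to be added as a further SAN entry before the request is sent to the CA.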
Time to open the PSE via STRUST, saving it as the SSL server PSE identity.
I created a new server identity, for testing purposes (Environment -> SSL Server Identities):
I used option File to open the PSE created:
Finally, I used menu PSE -> Save as..., to replace the current PSE with the one created using sapgenpse:
The result: an SSL server PSE with SAN: