Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Subject Alternative Name (SAN) with sapgenpse (CommonCryptoLib)

cris_hansen
Advisor
Advisor
‎10-26-2015 10:39 PM


Important update (from Sept 2017):

If you are using AS ABAP, then use STRUST. It is possible to add SAN via STRUST.
If you use sapgenpse for AS ABAP, this is an error prone manual approach.

Recommended additional reading:

  • For SAP Netweaver ABAP: 2478769 - Create certificates with subject Alternative Name (SAN) within STRUST

  • For SAP Web Dispatcher: 2502649 - Creating certificates with Subject Alternative Name (SAN) through the Web Admin page


end of update.

 

A few days ago I saw (and answered) a question related to how to create a SSL server PSE with SAN.

Since via STRUST it is not possible, the alternative is using the command line tool, sapgenpse.

It is necessary to use version 8.4.42 (or higher), so the Subject Alternative Name can be added. More details can be found in point 4 of SAP note 2209439.

 

A quick test:

 

sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSAN.pse -k GN-dNSName:myehp7system.mydomain.com

 

Please enter PSE PIN/Passphrase: *********

Please reenter PSE PIN/Passphrase: *********

get_pse: Distinguished name of PSE owner: CN=vertigo.mydomain.com, OU= SAP Active Global Support,OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP= Rio Grande do Sul, C=BR

Certificate Request:

  Signed Part:

    Subject     :CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR

    Key:

      Key type    :rsaEncryption (1.2.840.113549.1.1.1)

      Key size    :2048

    Attributes:

      element#no="1":

        Type        :extensionRequest (1.2.840.113549.1.9.14)

        Value 1:

          Alternative names:

            Significance:Non critical

            Value:

              element#no="1":

                GeneralName :GN-dNSName:myehp7system.mydomain.com

  Signature:

    Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)

    Signature bits ( size="2048" 😞

 

PKCS#10 certificate request for "SAPSAN.pse":

 

-----BEGIN CERTIFICATE REQUEST-----

...

-----END CERTIFICATE REQUEST-----

 

 

Importing the response:

 

sapgenpse import_own_cert -c cert.p7b -p SAPSAN.pse

 

CA-Response successfully imported into PSE "SAPSAN.pse"

 

 

Checking the content:

 

sapgenpse get_my_name -p SAPSAN.pse

 

Subject               :   CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR

Issuer                :   ...

Serialno              :   ...

KeyInfo               :   RSA, 2048-bit

Validity  -  NotBefore:   ...

             NotAfter :   ...

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication ClientAuthentication

SubjectAltName        :   GN-dNSName:myehp7system.mydomain.com

 

 

Time to open the PSE via STRUST, saving it as the SSL server PSE identity.

 

I created a new server identity, for testing purposes (Environment -> SSL Server Identities):



 

I used option File to open the PSE created:



 

Finally, I used menu PSE -> Save as..., to replace the current PSE by the one created using sapgenpse:



 

The result: a SSL server PSE with SAN:



10 Comments
Labels in this area
Popular Blog Posts