on 06-28-2013 2:04 PM
Hello SSL experts!!!
I understand that the standard process to setup SSL is to generate a CSR and then import the response.
However, my company's IT folks have what they are terming a "global SSL" signed cert for *.<domain>.net"
For other internal IIS-based web applications they were able to import this certificate ~directly.
In order to not have to purchase and maintain another signed cert, they would like for me to see if we can do the same thing with our ABAP ERP system (SAPKB73103).
I'm thinking maybe sapgenpse might have some tricks to allow this??
Thanks for any guidance you can provide.
I take it you were looking for this: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Bill
That is the 'standard way' to do it --- my question is around step 3 where you generate a CSR, get it signed, and import the response. My IT department is hoping to just give me a signed cert to be used for the SAP system (and it is used for many other internal systems).
My working theory is to use sapgenpse to create a PSE file with the "import_p12" option and then to tell the ABAP stack to use that PSE for SSL. I am still waiting to see if the IT folks can provide a PKCS#12 cert file!
Eric
I would think you could just skip to this part of the process:
Importing specific
Maintaining
Because they are already offering you a certificate export you are installing the public/private certs/keys so your system will have a trust relationship with other systems. Generating a request is something typically performed when you or your company doesn't have access to the CA server. Either way works, I (and probably others too) find its easier to export a working certificate combo and just import it.
I do know that a PKCS#12 file can be exported from IIS/Windows, I think it will require the private key to also be exported with the certificate.
So, I got the pfx file from IT and was able to download the CA's intermediate and root certs from their support site and created a PSE!
Command line was
sapgenpse import_p12 -v -r "root.cer" -r "intermediate.cer" -p .\SAPSSLS.pse -z password-for-pfxfile "pfxfile.pfx"
My next challenge is how to get STRUST to recognize "this" PSE as the "SSL Server" PSE (when STRUST does it, the filename is SAPSSLS.pse)
Any ideas?
Hello Selvakumar
I ended up moving the SSL termination to an SAP Web Dispatcher (and not the ABAP system), in which case sapgenpse worked....
sapgenpse import_p12 -v -r "C:\SAPtmp\SSLCerts\GlobalSignRootCA-try2.cer" -r "C:\SAPtmp\SSLCerts\GlobalSignRootCA.cer" -p SAPSSL.pse -z xxxxxx "C:\SAPtmp\SSLCerts\xxxxx.pfx"
Eric
User | Count |
---|---|
88 | |
23 | |
11 | |
9 | |
8 | |
5 | |
5 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.