cancel
Showing results for 
Search instead for 
Did you mean: 

SSL server cert import without CSR process

Former Member
0 Kudos

Hello SSL experts!!!

I understand that the standard process to setup SSL is to generate a CSR and then import the response. 

However, my company's IT folks have what they are terming a "global SSL" signed cert for *.<domain>.net"

For other internal IIS-based web applications they were able to import this certificate ~directly. 

In order to not have to purchase and maintain another signed cert, they would like for me to see if we can do the same thing with our ABAP ERP system (SAPKB73103).

I'm thinking maybe sapgenpse might have some tricks to allow this??

Thanks for any guidance you can provide.

Accepted Solutions (1)

Accepted Solutions (1)

bxiv
Active Contributor
0 Kudos
Former Member
0 Kudos

Hi Bill

That is the 'standard way' to do it --- my question is around step 3 where you generate a CSR, get it signed, and import the response.  My IT department is hoping to just give me a signed cert to be used for the SAP system (and it is used for many other internal systems).

My working theory is to use sapgenpse to create a PSE file with the "import_p12" option and then to tell the ABAP stack to use that PSE for SSL. I am still waiting to see if the IT folks can provide a PKCS#12 cert file!

Eric

Former Member
0 Kudos

It is possible but you will need the private key in addition to the cert(s) provided by your company IT. Ask your company IT to provide a .pfx or .p12 file, it will have everything for setting up SSL.

bxiv
Active Contributor
0 Kudos

I would think you could just skip to this part of the process:

Importing specific

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/3d0ba311786a50e10000000a42189c/content.htm?frame...

Maintaining

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/250a3467cd3895e10000000a421937/content.htm?frame...

Because they are already offering you a certificate export you are installing the public/private certs/keys so your system will have a trust relationship with other systems.  Generating a request is something typically performed when you or your company doesn't have access to the CA server.  Either way works, I (and probably others too) find its easier to export a working certificate combo and just import it.

I do know that a PKCS#12 file can be exported from IIS/Windows, I think it will require the private key to also be exported with the certificate.

Former Member
0 Kudos

So, I got the pfx file from IT and was able to download the CA's intermediate and root certs from their support site and created a PSE! 

Command line was

sapgenpse import_p12 -v -r "root.cer" -r "intermediate.cer" -p .\SAPSSLS.pse -z password-for-pfxfile "pfxfile.pfx"

My next challenge is how to get STRUST to recognize "this" PSE as the "SSL Server" PSE (when STRUST does it, the filename is SAPSSLS.pse)

Any ideas?

Former Member
0 Kudos

I'm not sure I understand the question. You can import the PSE file you have created into the respective PSE in STRUST.

Former Member
0 Kudos

Thanks Samuli --- I had used that option but the imported PSE just stayed in the 'working area' (my words) of STRUST - I was not sure how to make it be treated as the SAPSSLS.pse.  I now realize the SaveAs menu option does that (too many assumptions)!!!

0 Kudos

Hi Eric,

Can you you please provide all the steps,. I have similar requirement.

If possible, please add screenshot.

In my system SSL is enabled already. In this case, what i may have to do. (Delete the old certificate ? and import the PFX ? )

Thanks.

Former Member

Hello Selvakumar

I ended up moving the SSL termination to an SAP Web Dispatcher (and not the ABAP system), in which case sapgenpse worked....

sapgenpse import_p12 -v -r "C:\SAPtmp\SSLCerts\GlobalSignRootCA-try2.cer"  -r "C:\SAPtmp\SSLCerts\GlobalSignRootCA.cer" -p SAPSSL.pse -z xxxxxx "C:\SAPtmp\SSLCerts\xxxxx.pfx"


Eric

Answers (0)