04-20-2012 9:38 AM
Hi All
The verisign certifcate in my portal is about to expire and am struggling to find definitive instructions on how to replace it. I know I need to generate a CSR request from my portal and send it off to verisign and then import the response. But I have 4 server nodes and am not sure whether I need 4 CSR requests or can just generate 1. I also know I need to import the response into all 4 of my server nodes.
My problem is if I generate a CSR request before the verisgn certifcate actually expires then it may not have the correct information in it as the service_ssl in my Visual Admin already has verisgn information in it.
Has anyone replaced an existing certifcate before and can help me out please?
Thanks
Steve
04-20-2012 10:58 AM
Hi,
you need just one request because all nodes correspond to one hostname. I don't understand your comment about not being able to generate request in advance. A SSL certificate is issued for a hostname. So you can request another certificate for same hostname and when you get it you can immediately replace old certificate with new one.
Check also SAP documentation about enabling SSL.
Cheers
04-20-2012 10:58 AM
Hi,
you need just one request because all nodes correspond to one hostname. I don't understand your comment about not being able to generate request in advance. A SSL certificate is issued for a hostname. So you can request another certificate for same hostname and when you get it you can immediately replace old certificate with new one.
Check also SAP documentation about enabling SSL.
Cheers
04-20-2012 11:50 AM
Hi Martin
Thanks very much for your reply it confirms that I should only need one CSR request for all four nodes. As for the second part I'll try and explain it better. The certifcate is for the URL that the users use to access the portal. In VA - Key storage - service_ssl I have two entries for my portal.
PRD_XSS & PRD_XSS-cert. Selecting PRD_XSS I can create a CSR request file wheras PRD_XSS-cert I cannot. But the PRD_XSS already has a verisign certifcate which expires in June. My worry is if I create the CSR request it will use the versign information in the existing one to create the request and not our company information that was contained in the original request 3 years ago. I have inserted an image view of my VA to try and illustrate this.
Its the OU= bit I'm worried about as it should contain our comany info not verisign info in the CSR I think.
Thanks
Regards
04-23-2012 12:08 AM
It shouldn't use any values from CA. So what is OU equal to in that certificate? On your screen shot I can see only values from section CA. Obviously, these values came from CA that signed your cert. In this case it's Verisign. Just to be sure when you go to your site what certificate do you get? You can check in your browser fingerprint of certificate. Find this certificate in key storage and you need to replace it with new certificate. The new certificate should have exactly same organizational values as the old one.
Cheers