Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to create SAP server pse with Let's Encrypt cert inside

former_member213255
Participant
‎2021 Jul 05 4:46 PM
5,218







5 Simple Steps to Migrate Let's Encrypt Certificates (certbot) to a New Server SAP — Википедия

Intro


There are already several articles on how you can create Let's encrypt cert for your SAP system. What I was able to find are either very long and complex or with CSR sign approach. Below we will create server wildcard cert in pse with short simple steps with help of the official ACME client - Lego and DNS-01 challenge.

 

Step 1 - Get your Let's Encrypt cert chain.


I assume that Lego client is already downloaded according to the official instructions. We will use DNS-01 challenge to confirm our DNS record (Lego Client also supports other types if you wish). More details can be found here 

Execute lego command (example below):
./lego --email="maxim.afonin@rap.com" --domains="*.dev.wooo.dem.rap" -dns="manual" run

this will generate for you DNS-01 ACME challenge and execution will pause until you update your DNS record with TEXT field. Once it is done you can hit next and after challenge is verified you will receive your cert chain, that will consists of the following objects:

  • _.dev.wooo.dem.rap.crt is the server certificate (including the CA certificate)

  • _.dev.wooo.dem.rap.key is the private key needed for the server certificate

  • _.dev.wooo.dem.rap.issuer.crt is the CA certificate

  • _.dev.wooo.dem.rap.json contains some JSON encoded meta information.


 

Step 2 - Generate pfx archive with openssl client


A .pfx file is a PKCS#12 archive: a bag which can contain a lot of objects with optional password protection; but, usually, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.

Execute the following command line:
openssl pkcs12 -export -out certificate_wide.pfx -inkey _.dev.wooo.dem.rap.key -in _.dev.wooo.dem.rap.crt -certfile _.dev.wooo.dem.rap.crt

This will create for you certificate_wide.pfx file

 

Step 3 - Get Let's encrypt root certificate


Before you can create your pse storage, you need also to download let's encrypt root certificate either from browser or with openssl:
openssl s_client -showcerts -verify 5 -connect letsencrypt.org:443 < /dev/null



Step 4 - Generate SAP PSE file


Now you can create your server PSE pout of this pfx archive:
sapgenpse import_p12 -r _.dev.wooo.dem.rap.crt -r letsEncryptRoot.crt -p SAPSSLS.pse certificate_wide.pfx

This will create for you SAPSSLS.pse that can be used with SAP Web Dispatcher or SAP ABAP\JAVA instances, or any other place where pse format is used 🙂

Step 5 - Apply pse for the system


As an example we will use this PSE for the ABAP system.
The only thing that is required (steps):


 

P.S. For the Web Dispatcher it even easier. We just need to copy this pse with correct permissions to the /usr/sap/<SID>/W<InstNumber>/sec folder and restart the Web Dispatcher.

This is one of the most simple and straight forward way to request an Let's encrypt certificate. This one will live for 90 days. So you need to renew you certs later on.

P.P.S. Lego tool available in container, and it can be integrated with quite a lot of DNS service providers, so the whole process can be automated via CI server for example.

 
Labels in this area
Popular Blog Posts