
How to Implement CA Root

Former Member
0 Likes
481

We have a great deal of external web services which we call from SAP via HTTPS. As consumers of the service, each time their certificate expires we have to wait until the provider renews it and re-import it. If we do not do this and the certificate expires we get SSL errors.

But surely SAP supports the idea of a CA Root? In that case we would only need to manage the certificate of the CA Roots (e.g. Verisign, Thawte etc.) and all signed certificates would be trusted. Is there a guide on how to implement this?

Former Member
0 Likes

The problem of expiring certificates exists regardless of whether CA roots are stored in the SAP system or not. The reason being that the certificates of your providers also expire, regardless of the expiration of the CA roots. See the attached link for the only official document I'm aware of that talks about the issue, the topic being NWSSO however.

http://scn.sap.com/community/netweaver-sso/blog/2013/09/30/change-root-certificate-in-secure-login-s...

Former Member
0 Likes

Thanks. The problem is still there but it is much smaller: instead of managing 20+ certificates expiring at different times (every 3 years) I can manage a handful of CA certs which expire much less often.

Former Member
0 Likes

That's incorrect. You will also have to trust the root CAs used to sign the certificates of your providers and since they are not maintained by SAP, as you have found out, you have to manage them too. The document I linked to doesn't provide a solution, it discusses the problem.

Former Member
0 Likes

I don't see what you mean by "incorrect". I understand and agree with everything you just wrote: we manage our CA certificates and it's easier than managing individual domain certificates. Perhaps you could explain what you mean by "providers"?

Just to be clear: we are not concerned with issuing certificates but importing certificates of domains for which we consume web services.
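
The trust model discussed in this thread, as an added example that is not part of any post and not SAP code: a client whose trust store holds only the issuing CA root keeps accepting a provider's renewed certificate, while a client that imported the individual server certificate does not. The CA name, the host name `service.example.test` and the lifetimes are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed demo certificate; parent == nil yields a self-signed root CA.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{cn}, BasicConstraintsValid: true}
	if parent == nil { // root CA: allowed to sign other certificates, signs itself
		tpl.IsCA, tpl.KeyUsage, tpl.DNSNames = true, x509.KeyUsageCertSign, nil
		parent, parentKey = tpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// trustedViaRoot validates leaf against a trust store that contains only the CA root.
func trustedViaRoot(root, leaf *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.Subject.CommonName})
	return err == nil
}

// Demo: root-based trust accepts old and renewed; a pin on the old certificate rejects the renewal.
func Demo() (rootOld, rootRenewed, pinRenewed bool) {
	root, caKey := issue("Constructed Demo Root CA", 1, nil, nil)
	old, _ := issue("service.example.test", 2, root, caKey)
	renewed, _ := issue("service.example.test", 3, root, caKey) // new key pair, same host name
	return trustedViaRoot(root, old), trustedViaRoot(root, renewed), old.Equal(renewed)
}
func main() { fmt.Println(Demo()) } // true true false
```

The root in the trust store has its own validity period, so it still has to be replaced before it expires.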