Technology Blogs by Members
architectSAP
In my previous blog, Tips & tricks for an optimized HANA 2.0, express edition installation on an Intel 6th generation NUC, I mention SAP Note 2243019 - Providing SSL certificates for domains defined in SAP HANA extended application services, ... and show the provisioning command, but do not go into much detail.

In this blog, I would therefore like to share a bit more insight. There are of course many CA tools, but I am using EJBCA.

To start with, I create a server certificate for my HANA XSA system as usual:



This provides me with two crucial files:

  1. hxehost.dyndns.org.p12 (private key – Download to Firefox)

  2. hxehost.dyndns.org.pem (host certificate – Download PEM file)


Per SAP Note 2243019 - Providing SSL certificates for domains defined in SAP HANA extended application services, ... however, I need the complete chain of X.509 PEM-encoded certificates. Therefore, I download the CA certificate as PEM:



Unfortunately, these certificates are not yet in the required format. Therefore, I convert them per How to convert a certificate into the appropriate format.

Convert the key file into an unencrypted RSA private key in PKCS8 format encoded as PEM:
C:\openssl-1.0.2k-x64_86-win64>openssl pkcs12 -in hxehost.dyndns.org.p12 -nocerts -nodes -out hxehost.dyndns.org-key.pem
Enter Import Password:
MAC verified OK

C:\openssl-1.0.2k-x64_86-win64>openSSL pkcs8 -in hxehost.dyndns.org-key.pem -topk8 -nocrypt -out hxehost.dyndns.org-key.pk8

Combine the host certificate and the CA certificate into a single certificate-chain file that includes the complete chain of X.509 PEM-encoded certificates. The order of the certificates must ensure that a signed certificate is always followed by its signing certificate. In other words, put the root certificate last:
C:\openssl-1.0.2k-x64_86-win64>copy hxehost.dyndns.org.pem + compriseitcom.pem hxehost.dyndns.org-cert.pem
hxehost.dyndns.org.pem
compriseitcom.pem
1 file(s) copied.

Finally, I use the SAP HANA XS advanced command-line client to upload my custom certificates for my domain:
C:\XS_CLIENT00P_46-70001792\bin>xs set-certificate hxehost.dyndns.org -k \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-key.pk8 -c \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-cert.pem

Setting SSL certificate for domain hxehost.dyndns.org as xsa_admin...
OK
TIP: Restart the SAP XS Controller to ensure your changes take effect for all applications.
Alternatively use 'xs restage' and 'xs restart' for all applications.

After a restart, I got a Secure Connection to all my HANA XSA services for this domain:



This might have looked a bit tedious to start with, but now you got it. Well done.