cancel
Showing results for 
Search instead for 
Did you mean: 

Public Certificate Renewal

Former Member
0 Kudos
637

Dear All,

I have a request to renew our client public certificate as it is going to expire soon. I have generated CSR request and sent it to CA to get the CSR response.


We need to share the public certificate (once we import that CSR response then certificate should get renewed)with the vendors/banks.


We have planned the go live date on 7th May. I came to know from the banks/vendors that they need the renewed public certificate one week before the scheduled go live date to ready for the deployment at their side.


Now my understanding is that on the day itself we import the CSR response the public certificate will get renewed (meaning on 7th may, we will import the CSR response and certificate will get renewed because if we import the CSR response before 7th May then partners won't be able to receive the messages as we have told them that the go live will happen on 7th May)


Now, I want to know how can we provide the vendors/banks with the renewed public certificate one week before 7th May?



Regards,

Ankit

Accepted Solutions (1)

Accepted Solutions (1)

bhavesh_kantilal
Active Contributor
0 Kudos

Ankit,

The request from the vendors is valid.

So this is what you would need to do,

1. Export the existing KeyPair for which the CSR request was created and response received into local filesystem.

2. Import into a Standalone Key Support tool like : Keystore explorer :

http://www.keystore-explorer.org/downloads.php

3. Import CSR Response in this tool and share with Vendors / Banks.

4. On the day of the switch, you can then import this KeyPair into your PI NWA Keystore and remore the previous key pair.

If you do not want to use Keystore explorer you can also use the standard SAP NWA Keystore.

The SSL certificate is picked up using the corresponding KeyPair names and this can be changed on the day of the cutover, etc.

Regards

Bhavesh

suchitatomar
Participant
0 Kudos

Hi below are the steps to load keys and certificates.


Step 1.  Go to the NetWeaver Administrator page: http://<host>:<port>/nwa

Step 2. Log in to NWA.

Step 3. From NWA, enter "keys" as search query and press Enter

Step 4.  Click on Key Storage.

Step 5. On the Key Storage View select "TrustedCA" from the top rows.

Step 6. Click on "Import Entry" and select  Key Pair entry type.Please select the corresponding entry type depending on your own requirements.


Step 7. Browse to the key/certificate stored on your local file system or network, and specify the corresponding password. Click "Import" and verify if key was successfully imported by pressing the tab "View Entries" the new key to search. A new entry with your key name must appear on the list.


Step 8. From now on your applications (including adapter modules and custom adapters) running on top of the

SAP NetWeaver Java Application Server can use (certificates, public and private keys) keys stored on the "TrustedCA's" keystore.


Also refer link : Creating a Key Pair and Public-Key Certificate and Signing It - System Security - SAP Library

to get more details on this.

Regards

S Tomar

Former Member
0 Kudos

Thanks a lot Bhavesh for the provided instructions. I have gone ahead as per your instructions and shared the public certificate with partners. Now, on scheduled go live date, I will import the CSR response in our system and then check if we are able to transmit the messages to the partners successfully or not.

Keeping the thread open until that time.

Regards,

Ankit

Former Member
0 Kudos

Hi Bhavesh,

We have the renewed certificate with us but we see that the signing algorithm has been automatically changed from SHA1 to SHA256.

Do you know why this is so? Aren't SHA1 certificates applicable anymore or there is any option to select the signing algorithm as SHA1 only while renewing the certificate.

Anyone please comment.

Thanks,

Ankit

Former Member
0 Kudos

Anyone having an insight, please revert. It's urgent.

former_member182412
Active Contributor
0 Kudos

Hi Ankit,

The new certificates are using SHA256 algorithm only, your new certificate is using SHA256, check this link SHA1 Key Migration to SHA256 for a two tier PKI hierarchy | Ask the Directory Services Team


Server Authentication certificates: CAs must begin issuing new certificates using only the SHA-2 algorithm after January 1, 2016. Windows will no longer trust certificates signed with SHA-1 after January 1, 2017.

Regards,

Praveen.

Former Member
0 Kudos

Alright thanks Praveen.

Former Member
0 Kudos

Hi Praveen,

Today, I am able to import the CSR response and the certificates have been renewed successfully. But as you know the signing algorithm has changed from SHA1 to SHA256, I need to manually change the signing algorithm in AS2 channel as well. But I only see 2 options MD5 and SHA1, SHA2 should also be made available in that selection.

Does anyone know what I need to do now? It will not work until the signing algorithm is changed, how can the SHA2 parameter be made available?

Thanks,

Ankit

Former Member
0 Kudos

Hi Bhavesh,

Any clue?

Thanks,

Ankit

Former Member
0 Kudos

Does anyone has an insight please?

bhavesh_kantilal
Active Contributor
0 Kudos

Assume you are using Seeburger As2.

If you want sha2 support for as2 adapter this is support from seeburger version 2.2.1

SEEBURGER EDI-Adapter-Version 2.2.1 now available | SCN

Sha2 certificate can continue to be used for SHA1 signing of message as well. So till you upgrade seeburger version you will have to use SHA1

Former Member
0 Kudos

Thanks a lot Bhavesh for the response.

In our landscape, we are using Advantco not Seeburger. Does Advantco also support SHA2 algorithms?

As you suggested, SHA256 certificate based algorithm can continue to be used for SHA1 signing algorithm. Does it hold for Advantco AS2 as well, any insight?

If yes, I think we will not have any problem if SHA1 signing supports SHA256 certificate.

Thanks,

Ankit

Former Member
0 Kudos

Does anyone has insight please?

Former Member
0 Kudos

Any pointers please?

bhavesh_kantilal
Active Contributor
0 Kudos

Hello Ankit,

Unfortunately I do not have a direct answer to your question. Theoretically I don't see a reason as to why a SHA256 certificate cant be used as in a SHA1 algorithm, but then I am not a expert in SHA256 and security standards to that level.

A quick test of your scenario will have an answer.. You dont have a QA environment with this certificate?

Regards

Bhavesh

Answers (2)

Answers (2)

suchitatomar
Participant
0 Kudos

Hi Ankit,

Please refer below link for more details on this

Transition from SHA-1 to SHA-2 Certificates | Symantec

suchitatomar
Participant
0 Kudos

Hi ankit,

You can provide them but let them know that the import dates from your end will be over weekend ,so that even they can allign themselves in case any changes needs to be incorporated from there side as well.

Tell them that importing over weekend will not have much impact in case things goes wrong .Also share the roll out plan in case required.

Regards

S Tomar

Former Member
0 Kudos

Hello,

Thanks for the response. Here, my concern is the moment we import the CSR response at that moment itself, the certificate will get renewed. You know when the certificate gets renewed, the identifier will also get changed which we have to manually put in the communication channel.

So, the question is know if we are planning to renew on 7th May (i.e. importing CSR response) then how can we share the renewed public certificate with the vendors/banks before 1 week of go live date of 7th May?

Thanks,

Ankit

suchitatomar
Participant
0 Kudos

Hi ankit,

I understand your concern but there may b some process they too have to follow in order to be ready from there side for this change.

Better tell them the consequences which u just shared above, also get into call with the conserned team and explain them your point and ask them y actually they need it one week befr as they will b d right people to answr.

Regards

S Tomar

Former Member
0 Kudos

Hello,

I got to know that they need 1 week time to prepare and follow the process to be ready from their side.

I am not sure if asking them why they need 1 week time will help as it is their lead time.

I got to know there are some steps that we can follow to provide them the certificate even before 1 week, I am looking for those steps. If anyone has insight, please share.

Thanks,

Ankit