
SSL .csr file not being accepted...Please guide

Former Member
0 Kudos

Hello All,

We have configured our portal server on SSL.

To generate the CSR, I followed all the instructions I found on SDN and have got a .csr file.

Wanted to try the SAP Trusted Test Certificates before purchasing one, so I went to site: https://service.sap.com/tcs

Under the Test Certificate, I paste the contents from the generated .csr...starting with -----BEGIN NEW CERTIFICATE REQUEST----- and ends with -----END NEW CERTIFICATE REQUEST-----

I select server type as 'Web AS 6.20 & newer' and click on 'Continue'

At this step I get an exception saying "The Distiguished Name (DN) in the request for the Test Server certificate contains invalid characters or an email address "

CN = EP1

Please guide me on this.

Please don't send me links on this as I have read almost all of them but they do not answer my query.

Awaiting Reply.

Regards,

Ritu

Accepted Solutions (0)

Answers (2)


former_member698570
Active Participant
0 Kudos

Hi again,

I had another look at your initial question:

Do you just want to test ssl on your server?

There is no need to sign the certificate. For test purposes you can also cope with the one you created in the Key Storage. All you have to do after generation is configure the new certificate as default ssl credential in the SSL Provider Service > TAB Server Identity

You see the enabled credential at the bottom of the window. Click on Add in order to replace the existing credentials with the ones previously created (They have to be created in the service_ssl view of the Key Storage Service so you can use them)

The difference is just that the certificate is now self signed and not signed by any CA and you will get an error message when accessing your server via https since the CA is not trusted. But you can ignore this message and go on in order to use SSL.

Cheers

Former Member
0 Kudos

Hello Marcel,

Referring to your previous reply, if I add this new certificate in the SSL Provider service, will it hamper the SSO which has already been configured using 'http'?

We are working on Solaris and I don't know about OpenSQL either.

In this situation, what do you suggest?

Awaiting Reply.

Regards,

Ritu

Former Member
0 Kudos

Hello Marcel,

The intention is just not to test the certificates but to learn the working of it.

We have implemented SSL on our dev, quality and prod system and we want to trust the SSL certificates for each of them.

1. Portal SSL certificate (7.0)

2. Backend SSL certificate (ECC 6.0)

We are using the integrated ITS

So do we need to generate a separate certificate for ITS and ECC or just one for ECC will be fine?

As per what we think, it should be just one but again, we don't want to take any chances or lose days in getting a separate certificate for ITS, if needed.

Our management has decided to get them trusted from SAP, following site http://services.sap.com/tcs

On this site, while entering the details of server, the first parameter is URL.

Do we need to give just the message server name like EP1 or should be a FQDN?

Since we had too many questions on mind, I thought to test and understand the process (using Test Certificates) before purchasing the same.

Any thoughts on this?

Regards,

Ritu

former_member698570
Active Participant
0 Kudos

Hi again,

this is a bunch of questions.

I'll try to answer one by one:

Referring to your previous reply, if I add this new certificate in the SSL Provider service, will it hamper the SSO which has already been configured using 'http'?

If you have implemented SSO using SAP Logon Tickets then it will still work. The SSL Credentials are just used by the server to establish the SSL connection (handshake etc.)

We are using the integrated ITS

So do we need to generate a separate certificate for ITS and ECC or just one for ECC will be fine?

So this means that you have an ECC System and an integrated ITS?? I'm not so familiar with this setup but I guess one certificate for ECC will be fine. As far as I know the HTTP Communication to the SAP System is handled by the ICM and I don't know what the ITS is used for in this scenario?

Our management has decided to get them trusted from SAP, following site http://services.sap.com/tcs

On this site, while entering the details of server, the first parameter is URL.

Do we need to give just the message server name like EP1 or should be a FQDN?

In the CN field you will have to provide the FQDN of your server. This has to be the external name as requested in your browser. So if you are behind a proxy or load balancer etc. you have to provide the external name as requested by the client and not the internal name of your host within your internal network. If the Common Name differs from the servername used in the URL you will get an error message because the names CN <=> ServerName do not match. You can ignore this message and will still be able to use SSL communication but you surely want to avoid these kinds of messages, right??

Why does your management want the certificates to be trusted by SAP? I'm not sure if the SAP CA is an official Trust CA which is known by the browsers. If it isn't it means that you will get an error message saying that the Issuer of the certificate is not known as if you were using your own CA or as if your certificate was self-signed. You will get this error message every time you access the site unless you import the root CA into your browsers. Do you want that?

Is this for internal use only or will your site be accessed by external clients too??

Please don't forget to reward points for useful answers. You can reward points for every single answer in your thread

Let me know if you need further assistance

Cheers

Former Member
0 Kudos

Hello Marcel,

Thanks for all your answers.

I am currently discussing the same with my team.

In case of any more queries, I'll ask you or close this thread giving you full points.

Thanks a tonne for helping me.

Regards,

Ritu

Former Member
0 Kudos

Hello Marcel,

Referring to your reply above, is Verisign a better option than SAP TCS?

To test the working of SSL certificates, I have used the 8 weeks validity Test SSL Certificates from SAP TCS site.

I have uploaded the certificate in Visual Admin -> Key Store

It is working half way as expected like:

When I view the certificate, values shown are like:

Issued to = <FQDN>

Issued By = CA

Valid from = 27/06/2008 to 26/08/2008

Question:

When I access backend system (like a ESS/MSS link) via Portal, I get a prompt saying that "Windows cannot validate the certificate coming from <FQDN>.

If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk.

Do you want to install it?"

Looking at this, it's clear that we cannot consider the test certificate as a real trusted certificate.

But if in case I do install this certificate, will it cause any issues?

Any thoughts on this.

Awaiting Reply.

Regards,

Ritu

former_member698570
Active Participant
0 Kudos

Hi Ritu,

here we go...

Referring to your reply above, is Verisign a better option than SAP TCS?

I guess so. Verisign is an official trusted CA and the root certificate is known by the browsers so you won't have to worry about validation errors! You can also use Thawte. I think Verisign and Thawte are the ones that are mostly used (as far as I know)

To test the working of SSL certificates, I have used the 8 weeks validity Test SSL Certificates from SAP TCS site.

I have uploaded the certificate in Visual Admin -> Key Store

It is working half way as expected like:

When I view the certificate, values shown are like:

Issued to = <FQDN>

Issued By = CA

Valid from = 27/06/2008 to 26/08/2008

Question:

When I access backend system (like a ESS/MSS link) via Portal, I get a prompt saying that "Windows cannot validate the certificate coming from <FQDN>.

If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk.

Do you want to install it?"

Looking at this, it's clear that we cannot consider the test certificate as a real trusted certificate.

But if in case I do install this certificate, will it cause any issues?

You can install it. It will not cause any issues. You decide whether it is trusted or not. If you create your own CA to sign certificates they are trusted as well because you know where the certificates come from. It's just that the browsers cannot verify the authenticity because the CA is not known. The problem is that you can only install the certificate on your machine and everyone else who accesses your server will get the same error message and you cannot expect those people to trust the certificate unless you inform them. If you click install the certificate will be added to the trusted CAs in your Browser. If you want you can remove it at any time.

Hope this helps

Cheers

former_member698570
Active Participant
0 Kudos

Hi,

is your Certificate Request in PEM Format and contains the Base64 encoded certificate information?

Does your CN really look like this CN = EP1 (containing spaces??)

Try the following (I hope you have openssl installed, otherwise when using Windows download xampp or the openssl distribution for windows). This is a very useful tool when working with certificates.

When installed type the following:

> openssl req -noout -in ca.csr -subject

What is the output?

It should print the subject of your Certificate Request.

If you do not have openssl you can paste the contents of your CSR here and I will check it for you.

If we don't get it working I can guide you through creating your own CA and signing the certificates by yourself. You will then be able to import it in J2EE and use it as server certificate for your portal

Hope this helps

Cheers

former_member698570
Active Participant
0 Kudos

Maybe it also helps to just change the header and footer in your CSR to

-----BEGIN CERTIFICATE REQUEST-----

...

-----END CERTIFICATE REQUEST-----

instead of ...BEGIN NEW... and ...END NEW... (I've never seen this actually)

Cheers
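
A pre-flight check covering the points raised in the replies above (the `BEGIN NEW` delimiters, the subject printed by `openssl req`, and a CN that is a bare name rather than the FQDN clients request), as an added example that is not part of the original posts. The function names, the FQDN rule in `cn_is_fqdn` and the example URL are assumptions; the CA's actual validation rules are not given in the thread.

```shell
#!/bin/sh
# Added example: checks to run on a CSR before submitting it to a CA.

# Print the CSR with "NEW" dropped from the PEM delimiter lines.
normalize_csr_header() {
    sed -e 's/^-----BEGIN NEW CERTIFICATE REQUEST-----/-----BEGIN CERTIFICATE REQUEST-----/' \
        -e 's/^-----END NEW CERTIFICATE REQUEST-----/-----END CERTIFICATE REQUEST-----/' "$1"
}

# Print the subject CN of a CSR file (needs openssl on the PATH).
csr_cn() {
    normalize_csr_header "$1" |
        openssl req -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Return 0 if the CN looks like a fully qualified host name.
# Assumed rule set (not the CA's published one): letters, digits, '-' and '.',
# at least two dot-separated labels, no spaces, no '@'.
cn_is_fqdn() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;   # empty, space, '@', '_' ...
        .*|*.|*..*)          return 1 ;;   # empty label
        *.*)                 return 0 ;;   # at least one dot
        *)                   return 1 ;;   # bare host name such as EP1
    esac
}

# Return 0 if the CN equals the host part of the URL clients will request.
cn_matches_url() {
    host=${2#*://}          # drop the scheme, if any
    host=${host%%[:/]*}     # drop port and path
    [ "$(printf %s "$1" | tr 'A-Z' 'a-z')" = "$(printf %s "$host" | tr 'A-Z' 'a-z')" ]
}

# Demo: sh check_csr.sh request.csr https://portal.example.com/irj
# (file name and URL are placeholders)
if [ "$#" -ge 1 ]; then
    cn=$(csr_cn "$1")
    echo "CN: $cn"
    cn_is_fqdn "$cn" || echo "CN is not an FQDN; a CA may reject the DN"
    [ "$#" -lt 2 ] || cn_matches_url "$cn" "$2" || echo "CN does not match $2"
fi
```
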

Former Member
0 Kudos

Hello Marcel,

Thanks for your prompt reply.

Am sorry as I will not be able to paste the certificate content here...due to security reasons.

So may you please guide me through the process.

I referred to a SDN blog for this: /people/aniket.tare/blog/2005/03/22/ssl-certificate-installation-procedure-for-sap-j2ee-engine-630-150-steps-in-visual-administrator

Awaiting Reply.

Regards,

Ritu

former_member698570
Active Participant
0 Kudos

Hi,

do you have openssl? Did you launch the openssl command to check the subject of your CSR?

Did you try to exchange header and footer of your CSR and retry to generate the certificate response on the SAP website?

You need openssl so I can guide you through the process of creating your own certificates.

What do you mean with "for security reasons?"

It's just a certificate request (there is no key in it)? The resulting certificate will be public anyway.

Cheers