Importing root certificate in NWA

Former Member
0 Kudos

Hi all,

I am configuring SSL for LDAP connection in SAP NW CE 7.3. My LDAP is Microsoft Active Directory 2012 from where I downloaded the root certificate. Then I navigated to NWA - Certificate & Keys - Trusted CAs - Import Entry where I imported the certificate in X509 format. However, when I 'Validate Configuration' in NWA - Identity Management - LDAP Server, I get the below error:

Validation failed. Technical detail: No connection to the ldap server: <server>:636 CausePeer certificate rejected by ChainVerifier RootCause:Peer certificate rejected by ChainVerifier

I'm doubting maybe the certificate is not valid. Can you please advise how to resolve this.

regards.

Accepted Solutions (0)

Answers (3)


AntalP
Product and Topic Expert
0 Kudos

Please check if the LDAP SSL certificate chain is complete. It is required to import all items in the certificate chain. Check the AD root certificate: if the issuer and subject are the same, it is a root certificate; otherwise the issuer certificate also has to be imported.

Former Member
0 Kudos

Hi all,

Thanks for your replies.

The notes have not been useful. I tried a few things but didn't work.

I'm suspecting the issue is still with the certificate.

Antal,

Can you please give more details how to check this certificate chain and how to import the certificate(s) properly?

regards

AntalP
Product and Topic Expert
0 Kudos

Hi Suraj,

view the SSL certificate in NWA - Key storage service and check the subject and issuer fields:

Certificate1

     Subject name <AD host name with domain>

     Issuer name    <cert1_issuer name> --> points to Certificate2

Then you need the certificate from the authority <cert1_issuer_name>

Certificate2

     Subject name <cert1_issuer name>

     Issuer name    <cert2_issuer name>  --> points to Root certificate

In case of a root certificate the subject and issuer are the same:

Certificate_root

     Subject name <cert2_issuer_name>

     Issuer name    <cert2_issuer_Name>

The certificate chain is complete when all certificates are present. It can be an SSL certificate signed by a root CA directly, the middle certificate is not required.

Best Regards,

Antal
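The subject/issuer walk described in the answer above, as an added example that is not part of the original thread and is not SAP code: it follows issuer links from the server certificate through the trusted entries and reports the first CA that still has to be imported. The aliases, DNs and the `Entry`, `norm` and `trace_chain` names are constructed for illustration, and the comparison is by name only (no signature check, simplified DN matching).

```python
"""Name-only walk of subject/issuer links; it does not verify signatures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    alias: str    # hypothetical key-store alias
    subject: str  # subject DN as displayed in the key storage view
    issuer: str   # issuer DN as displayed in the key storage view


def norm(dn):
    """Ignore case and spacing around commas (simplified DN comparison)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def trace_chain(server, trusted):
    """Return (aliases walked, DN of the CA still to import or None)."""
    by_subject = {norm(e.subject): e for e in trusted}
    path, current, seen = [server.alias], server, set()
    while norm(current.subject) != norm(current.issuer):  # not self-signed
        issuer = norm(current.issuer)
        if issuer in seen:
            raise ValueError(f"issuer loop at {current.issuer!r}")
        seen.add(issuer)
        parent = by_subject.get(issuer)
        if parent is None:
            return path, current.issuer  # chain breaks: this CA is missing
        path.append(parent.alias)
        current = parent
    # A self-signed end point only counts if it is itself a trusted entry.
    trusted_root = norm(current.subject) in by_subject
    return path, None if trusted_root else current.subject


# Constructed sample entries (not taken from the thread).
SERVER = Entry("ldap-ssl", "CN=dc01.example.test",
               "CN=Example Issuing CA,DC=example,DC=test")
ISSUING = Entry("ad-issuing", "CN=Example Issuing CA, DC=example, DC=test",
                "CN=Example Root CA,DC=example,DC=test")
ROOT = Entry("ad-root", "CN=Example Root CA, DC=example, DC=test",
             "cn=example root ca,dc=example,dc=test")

if __name__ == "__main__":
    print(trace_chain(SERVER, [ROOT]))           # only the root imported
    print(trace_chain(SERVER, [ROOT, ISSUING]))  # full chain imported
```

With only the root imported, the result names the issuing CA as the missing entry, which is the situation in which a chain verifier rejects the peer certificate.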

Former Member
0 Kudos

Hi Antal,

Sorry for late reply.

Pls see below the certificate details in my server:

Do you find something wrong?

I guess the cert is still not correct. Do you have any procedure how to acquire the certificate from the AD server?

regards.

AntalP
Product and Topic Expert
0 Kudos

Hi Suraj,

I was out of office and can check this thread now.

I cannot see your attachment, please check following links:

How to enable LDAP over SSL with a third-party certification authority

http://support.microsoft.com/kb/321051

https://confluence.atlassian.com/display/CROWD/Configuring+an+SSL+Certificate+for+Microsoft+Active+D...

Best Regards,

Antal

Sriram2009
Active Contributor
0 Kudos

Hi Suraj

Kindly go through the SAP Knowledge Base Articles

1758780  - SSL connection to LDAP server fails with iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

1862321  - SSL handshake fails with 'Extension error: keyusage does not allow certificate signing'

Thanks

Ram
