Former Member

Manual Certificate Check "Certificate is not valid"

Hi Expert

I am working on enabling AS2 with X.509 Client Certificate Authentication. On QA I made it work with certificates issued by a trusted center (e.g., VeriSign). Now, on Production the communication fails.

I went into Certificates and Keys on NWA and imported the same certificates in Production and QA in the same places (ICM_SSL* and TrustedCA keystore) and in Useradmin on the user's Certificate tab.

Now, when I go to the Certificates Revocation tab in Certificates and Keys, I run the Manual Certificate test.


[Screenshot: Production (production.PNG)]

[Screenshot: QA (QA.PNG)]

I was trying to understand how this tool works. I was trying to validate on the server whether there were logs that pointed out the error, but there was nothing.
I assume that the problem is on the server, but I am kind of confused about the starting point.

Regards
Henry Lopez



3 Answers

  • Best Answer
    Former Member
    Nov 04, 2015 at 12:35 AM

    Hi Guys


    I ran the Security Troubleshooting Tool for the Certificate Test, and the error was:

    IOException during accessing CRL at http://crl.entrust.net/level1c.crl [EXCEPTION] org.w3c.www.protocol.http.HttpException: The host name [crl.entrust.net] couldn't be resolved.


    I used the following SAP documentation for updating the proxy parameters:


    http://help.sap.com/saphelp_nw74/helpdata/de/59/066bc9ce4d40df92ef6e7c5b6f8eaa/content.htm?frameset=/de/4b/94e92dea576e82e10000000a421937/frameset.htm

    And this SAP documentation for configuring the parameters:


    http://help.sap.com/saphelp_nw74/helpdata/de/47/b08f91542e3378e10000000a421937/frameset.htm


    After updating the proxy parameters, I ran the check and the result is successful.


    Regards
    Henry
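
Added example, not part of the original post: a staged check, run from the server that performs the revocation check, that separates the failure above (the CRL host cannot be resolved locally) from an HTTP fetch failure, and shows why going through a forward proxy removes the need for local DNS. The function names and the proxy address are assumptions made for this example; the error line is the one quoted in the post.

```python
import http.client
import re
import socket
import urllib.request
from urllib.parse import urlsplit

# Error text quoted from the answer above.
ERROR_LINE = (
    "IOException during accessing CRL at http://crl.entrust.net/level1c.crl "
    "[EXCEPTION] org.w3c.www.protocol.http.HttpException: "
    "The host name [crl.entrust.net] couldn't be resolved."
)

def crl_url_from_error(line):
    """Return the URL that follows 'accessing CRL at', or None."""
    match = re.search(r"accessing CRL at (\S+)", line)
    return match.group(1) if match else None

def check_crl_fetch(url, proxy=None, timeout=5):
    """Return (stage, detail); stage is 'dns', 'http' or 'ok'."""
    host = urlsplit(url).hostname
    if not host:
        return ("dns", "no host name in URL")
    if proxy is None:
        # Direct fetch: this machine has to resolve the CRL host itself.
        try:
            socket.getaddrinfo(host, 80)
        except socket.gaierror as exc:
            return ("dns", f"{host} could not be resolved: {exc}")
        handler = urllib.request.ProxyHandler({})  # ignore env proxy settings
    else:
        # Via a forward proxy, the proxy resolves the name, so skip local DNS.
        handler = urllib.request.ProxyHandler({"http": proxy})
    opener = urllib.request.build_opener(handler)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read()
    except (OSError, http.client.HTTPException) as exc:
        return ("http", f"fetch failed: {exc}")
    # A DER CRL starts with an ASN.1 SEQUENCE tag (0x30); PEM has a text header.
    if body[:1] == b"\x30" or body.startswith(b"-----BEGIN X509 CRL"):
        return ("ok", f"{len(body)} bytes that look like a CRL")
    return ("http", "response is not a CRL (for example a proxy error page)")

if __name__ == "__main__":
    url = crl_url_from_error(ERROR_LINE)
    print("direct:", check_crl_fetch(url))
    # Constructed placeholder proxy address, not a value from the post.
    print("proxy :", check_crl_fetch(url, proxy="http://proxy.example.internal:8080"))
```

A `dns` result on the direct path together with `ok` through the proxy matches the situation described in the post, where the check succeeded once the proxy parameters were set.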








  • Former Member
    Nov 01, 2015 at 06:50 AM

    The first time a CR check is done, PI downloads the CRL list into the CRL Cache (the tab adjacent to the one in your screenshot). Check this CRL cache to see if there are any entries.


  • Nov 01, 2015 at 04:06 PM

    I think you cannot use the same certificate for QA and Production, because your server URL/name would be different. If you check out the "subject" of your certificate, the server name would be maintained there.

    You can check these details in SAP NetWeaver Administration->Configuration->Certificates and Keys.

    You need a new certificate for your prod server.



    • Former Member

      Hi Ambuj.

      The certificate that I am using has in the subject a URL different from Production and different from QA. But this same certificate has an attribute called subject alternative names; in this attribute the dnsname from QA and Prod is included.

      Thanks for your reply.

      Henry