
Public Certificate to setup external SSL Trust to Web Dispatcher

We've set up a Web Dispatcher in our DMZ to enable Fiori to connect through our firewall to a backend Gateway System. When we run to hit that DMZ server it needs a certificate for * that says that site can be trusted and has been signed by a Certificate Authority. My company uses COMODO RSA to do that signing. I have their three crt's for setting this up:


I've tried every sapgenpse import_own_cert method I can think of and none of them work. They all seem to conflict with my Old Certificate in the PSE. I get the error, "No certificate with your public key found in supplied input". That Old Certificate has CN=<FQHN> in it.

Does anyone have an example of how to set up COMODO with sapgenpse?

Do I use the Server PSE (SAPSSLS.pse) or the Client PSE (SAPSSLC.pse)?


2 Answers

  • Feb 10, 2017 at 03:47 PM

    DISCLAIMER: I am new to this and barely understand how it all works but I did get it to work. The Fiori App on your phone will not work if HTTPS is not successful. For the first time, I'm connecting my Fiori App to my backend system inside of our firewall. Wohoo!

    First, my company Web Support Team provided me with a STAR_abc_com.pfx certificate. This is the certificate that says all URLs to * are trusted and have been signed by a CA. My first attempts to load that pfx with sapgenpse failed.

    sapgenpse import_p12 -p SAPSSLS.pse /tmp/STAR_abc_com.pfx

    import_p12: Sorry, but certificate chain is incomplete, need certificate of 'CN=COMODO RSA Organization Validation Secure Server CA, O=COMODO CA Limited, L=Salford, SP=Greater Manchester, C=GB'!

    To solve this error, I used the import_p12 command but added my COMODO certs to the string with -r entries. It looked like this:

    sapgenpse import_p12 -r /tmp/COMODORSAOrganizationValidationSecureServerCA.crt -r /tmp/COMODORSAAddTrustCA.crt -r /tmp/AddTrustExternalCARoot.crt -p SAPSSLS.pse /tmp/STAR_abc_com.pfx

    The -r values must precede the -p value or you'll get syntax issues when they are at the end. Also, you need all three certs in the string. If you just do one, or two of them, it will fail saying it misses the other.

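A pre-flight check for the "certificate chain is incomplete" failure described in the answer above, as an added example that is not from the original posts or from SAP: it walks issuer links with the openssl CLI and names the first CA certificate missing from the set you plan to pass with -r. It assumes PEM-encoded files; chain_gap and make_demo_chain are hypothetical helper names, and the demo chain is constructed test data.

```shell
#!/usr/bin/env bash
# Added example: find the gap in a certificate chain before running
# "sapgenpse import_p12 -r <ca1> -r <ca2> ...".
# Assumes PEM-encoded inputs and the openssl CLI on PATH.
# Links are matched by name hash only; signatures are not verified here.

# chain_gap LEAF CA_CERT...
# Returns 0 and prints nothing if a self-signed root is reached.
# Returns 1 and prints the DN of the first issuer that was not supplied.
chain_gap() {
  local cur=$1; shift
  local want found ca depth=0
  while [ "$depth" -lt 10 ]; do
    want=$(openssl x509 -in "$cur" -noout -issuer_hash) || return 2
    # Self-signed: issuer name equals subject name, so the chain is complete.
    if [ "$want" = "$(openssl x509 -in "$cur" -noout -subject_hash)" ]; then
      return 0
    fi
    found=
    for ca in "$@"; do
      if [ "$(openssl x509 -in "$ca" -noout -subject_hash)" = "$want" ]; then
        found=$ca; break
      fi
    done
    if [ -z "$found" ]; then
      openssl x509 -in "$cur" -noout -nameopt RFC2253 -issuer | sed 's/^issuer= *//'
      return 1
    fi
    cur=$found
    depth=$((depth + 1))
  done
  return 2   # loop guard tripped: cyclic or cross-signed input
}

# make_demo_chain DIR: constructed throwaway chain (root -> inter -> leaf).
make_demo_chain() {
  local d=$1 n parent=root
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  for n in inter leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/$n.csr" -days 1 -CA "$d/$parent.crt" \
      -CAkey "$d/$parent.key" -CAcreateserial -out "$d/$n.crt" 2>/dev/null || return 1
    parent=$n
  done
}
```

Run chain_gap against the server certificate and every CA file you intend to pass with -r; an empty result means each issuer up to the root is present.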

  • Former Member
    Aug 11, 2017 at 03:57 AM

    Thanks, Richard. The solution that you have given works.
