Wildcard certificate import in Web Dispatcher generated outside option "Create CA request"

avijish
Participant
0 Kudos

Hi Experts,

Can we import the "*.ourdomainexample.com" certificate, with the Intermediate and Root issued by our IT department, directly into SAPSSLS.pse of our SAP Web Dispatcher to renew the expiring SAP Web Dispatcher server certificate, or is it mandatory to create the server certificate request via the "Create CA request" option of the PSE Administration UI - https://webdispatcherhost:port/sap/wdisp/admin

and get it signed by the CA and then import it into said PSE with the Root and Intermediate certificates? I understand that the latter is the standard process, but is the first option a possible one? Will it damage the SAPSSLS.pse if imported directly and stop the incoming SSL connections? Please share the best option.

Accepted Solutions (1)

isaias_freitas
Advisor
0 Kudos

Hello Vijish,

You can follow the SAP KBA 2148457 to convert the certificate you already have into a PSE file, given that you also have the private key.

Then you should stop the Web Dispatcher, replace the SAPSSLS.pse with the newly created PSE, and start the Web Dispatcher again.

Regards,

Isaías

avijish
Participant
0 Kudos

Hi isaias.freitas

Thanks for answering my question. In this case, where the SAPSSLS.pse will be replaced, does this also mean I will have to export all certificates in it (certificates listed as Element#1, Element#2, etc.) and reimport them later on?

Regards

Vijish AN

isaias_freitas
Advisor
0 Kudos

Hello vijish ,

You are welcome!

And yes, you would need to re-import the certificates in the "certificate list" at the new SAPSSLS.pse file.

I am not sure that there is an option to export those certificates, though.

Well, instead of creating a new "empty" PSE file, you could create a copy of the existing PSE file and import your new certificate into the copy, just so you have a backup of the current PSE file, in case something goes wrong.

Regards,

Isaías

avijish
Participant
0 Kudos

Hello isaias.freitas

Thanks for getting back. I was planning to back up the sec directory, which has the original SAPSSLS.pse, try the import on the copy of SAPSSLS.pse, and restart Web Dispatcher, which will read the new sec/SAPSSLS.pse (created using the pfx wildcard certificate). In case something goes wrong, will reverting the sec directory backup along with the original SAPSSLS.pse preserve the settings?

isaias_freitas
Advisor
0 Kudos

You are welcome, vijish !

And yes, it is always best to create the backup first, so you can restore it in case something goes wrong ;-).

avijish
Participant

Hi isaias.freitas

Your answer has helped my case. Adding to your response:

"And yes, you would need to re-import the certificates in the "certificate list" at the new SAPSSLS.pse file.

I am not sure that there is an option to export those certificates, though"

The existing certificates can be backed up by displaying the list of certificates as PEM (rather than the default text), copying each begin-end certificate block to a notepad, and importing it later if required. Hope it works later though 🙂

Also as per your response "Well, instead of creating a new "empty" PSE file, you could create a copy of the existing PSE file and import your new certificate into the copy, just so you have a backup of the current PSE file, in case something goes wrong."

I tried copying the existing sapssls.pse to import the wildcard certificate pfx, but it doesn't import, stating that the PSE already exists (see below). The only option was to generate a new sapssls.pse. Hence I believe once I replace this newly generated sapssls.pse with the original sapssls.pse and restart Web Dispatcher I will have to reimport the required certificates. Could you please confirm if this is correct?
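An added example, not part of the original posts and not SAP tooling: a Python check for the copy-and-paste PEM backup described in the post above, confirming that each BEGIN/END CERTIFICATE block still decodes to one complete DER structure before the old PSE is replaced. The function names and the sample blocks are constructed for illustration; the sample is a DER wrapper, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

# One PEM certificate block; text between blocks (labels, blank lines) is ignored.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30, declared length matches)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_backup(text: str):
    """Return (good, bad): good holds (sha256_hex, der) for intact blocks,
    bad holds the 1-based positions of blocks damaged by copy/paste."""
    good, bad = [], []
    for i, m in enumerate(PEM_RE.finditer(text), start=1):
        body = "".join(m.group(1).split())   # drop line breaks, CRs and spaces
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            bad.append(i)
            continue
        if der_length_ok(der):
            good.append((hashlib.sha256(der).hexdigest(), der))
        else:
            bad.append(i)
    return good, bad

def fake_cert(payload: bytes) -> str:
    """Constructed sample: a DER SEQUENCE wrapper, not a real X.509 certificate."""
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed sample of a saved notepad file with two blocks and a stray label.
SAMPLE = fake_cert(b"A" * 300) + "Element#2\r\n" + fake_cert(b"B" * 400)

if __name__ == "__main__":
    good, bad = check_pem_backup(SAMPLE)
    print(f"{len(good)} intact block(s), damaged positions: {bad}")
```

Recording the SHA-256 values of the intact blocks gives a reference to compare against the fingerprints shown after the certificates are imported again.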

isaias_freitas
Advisor
0 Kudos

Hello vijish ,

Thank you for sharing your findings!

And yes, now you can simply stop the Web Dispatcher, rename the current SAPSSLS.pse (with the old certificate) to something else, and rename the new PSE (which has the new certificate) to SAPSSLS.pse.

Once the Web Dispatcher is started, it will load the new certificate.

Regards,

Isaías

chris_mckay2
Participant
0 Kudos

Thank you for this information. We will also be going through this for our next certificate renewal. If we have more than one Web Dispatcher, would the newly created SAPSSLS.pse file work on any? Meaning we could simply just copy that new file to any of the systems and it would work?

Answers (0)