Former Member
Nov 29, 2006 at 05:19 PM

HTTPS certificate exported from IIS fails to include intermediate CA cert

Hi,

We are currently moving from EP 6.0 to EP 7.0 SP09, and are in that context moving the HTTPS termination from IIS to SAP Java AS.

The certificate was originally created on an IIS server and signed by VeriSign.

I've done the following:

1. Exported the certificate from IIS to a .pfx file

2. Imported the .pfx file to the Key storage service under view service_ssl

3. Assigned the entry to the dispatcher via SSL provider service

HTTPS works pretty well. It sends the right certificate, but in IE I get the warning "The security certificate has expired or is not yet valid" (in Firefox it works fine).

When I look at the certificate chain in IE, it is the Intermediate CA certificate "OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign" which is not valid (expired in 2004). Note that this problem did not occur on IIS, since there we had a valid certificate chain on the server, which was sent by IIS to the client.

This is not unexpected, since my computer (and most of the other ones in the company) hasn't got an updated certificate for this intermediate CA (as can be seen in the certificates MMC). (Distributing the new certificate would be the simple solution, but there are some clients we don't have control over.)

However, I believe the Java server should be able to send the entire certification chain.

I've tried to import the root CA and intermediate CA to both the TrustedCAs and service_ssl views in the Key store service, but nothing seems to help. I've turned on full logging for the SSL service on the dispatcher, but it gives no useful information.

So, to summarize:

Any idea on how I can get the whole certificate chain into SAP Java AS for the SSL certificate?

Cheers

Dagfinn