Skip to Content
author's profile photo
Former Member

Reading Signed Document

Hi all,

I download a signed file to local with extension .p7s.

I've signed the document in server with FM SSF_KRN_SIGN_BY_AS.

If I open the downloaded file in my pc, I can see the Certicate which has signed the doc, but if I open the certificate there is a warning saying that Windows hasn't enough information to verify the Certificate...

If I sign the doc with my local app or using FM SSFS_CALL_CONTROL, I can see in downloaded file my Certificate, and a tree with the CAs that certificates my Certificate...

Why in the first way can't see that CAs tree? How can I see it to get the sign be ok?

Thanks in advance.



Add comment
10|10000 characters needed characters exceeded

1 Answer

  • Posted on Aug 21, 2007 at 12:13 PM

    Well, when using SSFS_CALL_CONTROL the digital signature operation is perform on the frontend (see ABAP program SSFSDEMO for an example).

    When using SSF_KRN_SIGN_BY_AS, however, the digital signature operation takes place at the application server (AS).

    When performing the digital signature operation on the frontend you are using one of the certificates (with corresponding private key) which are present in the keystore at the frontend PC. Microsoft Internet Explorer and the Microsoft Windows operating system are using the very same keystore - therefore it's not surprising that you'll be able to display the complete trust chain / tree (if the chain would be incomplete you would not have able to perform the digital signature operation).

    Most likely the certificate used at the backend is self-signed. In that case it's not surprising that you fail to validate the certificate at the frontend. The situation would be different if the certificate would have been issued by a CA whose root certificate is present in the keystore of the frontend PC.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi Wolfgang,

      Thanks for your response!!

      I've read some doc about SSFG Function Group, I know that KRN functions allow you to sign at WAS and others at local, but I can't sign in local with p.e.: SSF_SIGN_BY_USER or I need to install external security product?

      What's the diference between using SSFS_CALL_CONTROL or SSFG FG¿? wich is better?

      Thanks, Wolfgang!