Secure Login Server 3.0 - Remote CA Configuration

Hi guys,

after upgrading SLS to SP02 my Remote CA setup is no longer working. I removed all configurations and started from scratch to figure out what could be the issue.

I followed the latest manual and SAP Note 2375797.

Created the destination with https://<URL> and WITHOUT the "/certsrv" in the NWA. Ping is successful.

Tried with Basic Auth or a PFX with specified Java keystore - tried also with 1024 bit key size - no difference, the Remote CA test fails and I can't enable the Remote CA in the SLAC.

In the logs I was able to find the following:

Looks as if the requested resource does not exist, which is true. The "/certsrv" is missing here. It does not help to append this to the destination configuration.

What else could be wrong in the setup? Please note I just upgraded to SP02 and it worked before.



3 Answers

  • Best Answer
    Sep 17, 2017 at 04:31 PM

    Update (to myself and others having this issue): now resolved!

    I was able to figure out in the ADCS event log that my user has no permission on the template. Instead of Autoenrollment (as mentioned in the doc), you need to assign "Enroll" as well for your SLS user requesting the certificates. Now everything works and the SLS user is authenticating against the ADCS using a client certificate as well!

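The template permission described in the accepted answer can be checked from the AD side. This is an added example, not part of the original thread or of SAP's documentation; the template name and account below are hypothetical placeholders, and it assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: list who holds Enroll / Autoenroll on an ADCS certificate template.
Import-Module ActiveDirectory

# Hypothetical placeholders: use the template's CN (not its display name)
# and the account the Secure Login Server uses against ADCS.
$TemplateName = 'SLSUserTemplate'
$Account      = 'DOMAIN\sls-service'

# Well-known extended-right GUIDs used on certificate templates
$Rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}

# Templates live in the configuration partition of the forest
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl = Get-Acl -Path "AD:\$dn"

# Keep only Allow ACEs that grant one of the two extended rights.
# Full-control ACEs (empty ObjectType) are not listed here.
$rules = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $Rights.ContainsKey($_.ObjectType.ToString())
} | Select-Object IdentityReference, @{ n = 'Right'; e = { $Rights[$_.ObjectType.ToString()] } }

$rules | Sort-Object IdentityReference, Right | Format-Table -AutoSize

# Flag the case from the thread: no Enroll ACE for the requesting account
$direct = $rules | Where-Object { $_.IdentityReference.Value -eq $Account }
if (-not ($direct | Where-Object Right -eq 'Enroll')) {
    Write-Warning "$Account has no direct Enroll ACE on '$TemplateName' (check its group memberships too)."
}
```

The check only matches ACEs granted directly to the named account; a right granted through a group shows up in the table under the group's name.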

  • Sep 17, 2017 at 04:23 PM

    Update: Changed the URL and appended /certsrv to the URL, e.g. https://adcs.domain.local/certsrv

    Was able to ping destination

    Now I got the following error in the traces: iaik.asn1.DerInputException: Next ASN.1 object is no SEQUENCE!

    Any idea?




  • Mar 11, 2018 at 06:28 PM

    Hello Carsten,

    you seem to be one of the few configuring the Remote CA scenario. Can you please clarify for me whether this scenario lets the Secure Login Server populate the table USREXTID in the SAP AS once the certificate is expired?

    If not, what is the purpose of Remote CA?

    thank you.



    • Dear Bruno,

      "A Secure Login Server Remote CA is a Web service of an existing enterprise PKI solution that allows client certification requests to be signed by the PKI instance instead of Secure Login Server. Secure Login Server only forwards the client request, and cares for proper authentication and name mapping." [Source: SAP Note 2375797]

      The SLS Remote CA eliminates the need to operate and secure a key pair (CA) on the SLS itself. Instead, the clients (users) requesting certificates for SSO are forwarded to the original CA operated behind the SLS and connected via Web service. This has to be seen independently of a user mapping in any table of the AS ABAP backend system and has nothing to do with it.

      Cheers, Carsten