Hi.

Let me give a bit clearer explanation.

Assuming you have previously setup SSL and HTTPS a Certificate Import is not to hard.

From whoever manages your Certificates they will give you three items.

1. Root Certificate     Root-R1.cer

2. Intermediate Certificate    gsorgsha2256.cer

3. Self Signed Certificate    southern.com.pfx

I upload these to my AIX server in a staged area   /SAP/stage/gscerts

Next copy these files to your  your SECUDIR as noted below.  Run sapgenpse from that area also.

Set your environment (in my case AIX)

setenv SECURDIR /usr/sap/SID/DVMB##/sec   (Use the actual values)

    setenv SECURDIR /usr/sap/FSB/DVEMB01/sec

You concatenate these 3 files in one string with the following command.

sapgenpse import_p12 -r Root1.cer -r gsorsha2256.cer -p SAPSSLS.pse southern.com.pfx

It will normally ask you for a Pin  that was given to you when they sent you the certificates.

This will produce a file called SAPSSL.pse   in your /usr/sap/DVMB##/sec directory.

Then you must run a 2nd step to generate a secure logon file.

sapgenpse  seclogin -p SAPSSLS.pse -O <SID> adm 

Copy the SAPSSLS.pse to your local computer.

Run strustssO2 and import the PSE Key.  Point it to your local computer and the SAPSSLS.pse file.

Double Click on the file, it will auto populate the next table.

Then click on 'Add to Certificate List .

Then click on add to ACL.  Enter the SID and Instance #.

Save. 

You must restart the ICM to get the new key read.

View the ICM trace file to ensure it finds the certificate.

I hope that helps. If you have questions, feel free to ask.

Sorry should of included that.

We are using sapgenpse to import the certificates that will reside on the SAP Web Dispatcher.

ECC 6.0 is our SAP release.

Hi,

Well, I don't know if this info will be useful to it but When I need to configure a signed SSL certificate for a SAP web dispatcher, I use transaction STRUST with option file.

When the signed certificate includes both a root CA and an intermediate CA, I have to extract bith these certificates in base 64 X.509 format and then using a text editor, concatenate the 3 certificates (signed certificate, intermediate CA and root ca) in a single base 64 file. Then I can import susccesfully this file in STRUST in the PSE file that I use for the Web dispatcher.

Tricky, but it works for me !

Regards,

Olivier

Ok, so how do you extract them to the base 64 X.509 format?

Below is the command we used:

sapgenpse import_own_cert -p <pse file to use> -c <server certificate> -x <your pin> -r "<root CA certificate>"

Hi,

>Ok, so how do you extract them to the base 64 X.509 format?

You just open it from windows (double click), go to the details tab and press the "copy to file" button.

Regards,

Olivier

Oh we have the raw certificate code already.

So are you saying take what's between the "Begin / End Certificate" and combine that code into 1 single file and then import?