Aug 07, 2018 at 11:29 AM

ABAP ICM/TLS: Multiple client authentication certificates from same root - browser selection popup


Hi experts,

at one of our customers, we recently performed a migration to SAP SSO version 3.0 and installed a new Secure Login Server. The new SLS should be operated as a Sub-CA for an existing Enterprise Root.

In addition to the client certificates issued from the SAP SSO solution, the Windows clients also had an existing client authentication certificate before, used for secure WLAN 802.1x. Both are part of the same certificate chain, thus the same Root CA.

Now, since we installed the trust to the new Root CA on the SAP backends, the users experience a certificate selection dialog when accessing ICF services on the AS ABAP via the browser. This is correct behavior; however, only the correct certificate (the one from SLS) can be used to authenticate at SAP. The customer's end users don't want to see the selection screen. Also, we are not able to remove the existing certificate.

For SAP GUI this isn't an issue, as we can use CAPI filters (Registry Keys) and/or enable the certificate profile in the Secure Login Client.

Question: Is there a way on the AS ABAP backend (ICM) to influence the trusted client authentication certificates during the TLS handshake? Any kind of filtering for usage type, issuer, OID etc.? Maybe a way to filter out certs in the browser via GPO etc.? I wasn't able to find something so far.

I'm afraid that there is no solution to this problem, but I'll try it here anyway ;)

Cheers, Carsten