Skip to Content
avatar image
Former Member

STRUST, SSL Cert is not found

Hello experts. I have been doing basis for a number of years.. but STRUST seems to be beating me. Your help will be greatly appreciated.

In our WebAS NW ABAP system we have some web pages we want to access through HTTPS .. ICM seems to be configureed correctly.. HTTP and HTTPS are both running on the ports configured in RZ10. The web pages work correctly, except that they don't pick up the SSL Server Certificate installed through STRUST.. IE and Firefox both only show the base certificate produced by the server itself.. and therefore is not trusted.

I have read (and followed) the help files and the Wiki here in SDN (https://cw.sdn.sap.com/cw/docs/DOC-27593?treeid=DOC-8319 and https://cw.sdn.sap.com/cw/docs/DOC-12391) as well as note 510007 (and a bunch of others). Several other basis folks have looked over my shoulder. We generated a Paid for SSL Certificate at the SAP Trust Center.. and that did not work for us.. the advice from there was to do the work over .. which has been done several times.. I truely think I am following the process but it is still not working.

I am now trying to use the Test SSL Certficates to confirm my work before I again order SSL Certs from SAP TCS.

1st.. Am I correct that a Web Page, hosted by our WebAS ABAP system only needs a Server SSL and not a Client SSL certificate in order for HTTPS web pages to be processed correctly?

assuming i am

2nd.. does anyone have a really detailed procedure I should follow for setting up these SSL Certificates properly? I know the help and the Notes are supposed to be doing that for me.. but I seem to be making some basic error due to ignorance or just missing a key point.

I have set up SSL several times in Web Dispatcher without a problem. This is my 1st time doing so in STRUST.. i expected it to be easier.. but somehow, for me, this time it isn't.

Thank you in advance

Steve Pustell

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

4 Answers

  • Best Answer
    Aug 24, 2010 at 06:59 AM

    Hi,

    The web pages work correctly, except that they don't pick up the SSL Server Certificate installed through STRUST.. IE and Firefox both only show the base certificate produced by the server itself.. and therefore is not trusted.

    When you setup your SSL standard server certificate, make sure the CN is the FQDN of your SAP system as seen by and connected to from your browser clients.

    Also, depending on whether you use this system with a Web Dispatcher or not(and how you have configured Web Dispatcher), connecting to it directly through a browser would show an unrecognized host if the SSL certificate has the FQDN of the Web Dispatcher system(on another host).

    You should be able to view the certificate in your browser, if the hostname in the certificate does not match the FQDN of the server you are connecting to you will get an error. Check SMICM -> Goto -> Trace File -> Display All ...for more information on the issue.

    Nelis

    Add comment
    10|10000 characters needed characters exceeded

  • Aug 23, 2010 at 06:00 PM

    Hi Steve,

    Have you restarted the ICM process after importing the certificate response?

    If you are using the message server port for HTTPS, then only restarting the entire application server will make the certificates available.

    I hope this helps.

    Best regards,

    Cristiano

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Aug 24, 2010 at 01:05 PM

    Hello All

    Cristiano shared his desktop and let me watch as he applied a test certificate to one of his systems.

    The component I was missing was how to include the SERVER CA root certificate with the Test Certificate in order to successfully generate a valid (not self signed) SSL certificate. (if you are doing this don't forget to add the root certificate to your IE Browser as a trusted root certificate authority as well).

    Now that I can generate a test certifiate which is valid, things are working well.

    Since I did not find this procedure anywhere in the guides and wikis and online help.. I will write up the steps we did and add it to this thread.. I won't mark the thread as answered until I have done that.. eventhough I am now indeed past my problem. Many thanks to those who read and made suggestions.. and to Cristiano for your time to walk me through this process.

    Steve P

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 06, 2010 at 10:13 AM

    Hello,

    Have you managed to write up that documentation?

    I'm having a pretty similar error except when I sign the certificate (using our internal CA) no webpages no longer work.

    I gather this is due to having a wrong FQDN, but I'm unsure on how to change this.

    This is what I do.

    In STRUST, I generate a ticket (SSL Server Standard -> Create)

    I fill in the requirements (so for CN --> *.domainname.extension) and then generate the certiicate (so CN now has hostname.domainname.extension).

    When I use https (port 443), everything works. I receive the "Certificate not trusted" warning.

    However, we want to get rid of this warning, which is why we're signing the certificate using the Microsoft Certificate Server.

    This is how I do it:

    In STRUST I click on the certificate and choose "Generate certificate request"

    I then log onto the certificate server with user SAPService<SID> (I'm not even sure if I'm supposed to login with that user ID, but it seems logical to me).

    I then goto:

    - Request a certificate (--> Next)

    - Advanced Request (--> Next)

    - Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file (--> Next)

    - Paste my certificate request into the text box provided (--> Sumit)

    I'm then presented with a certificate response file (choose base64 -> save onto Desktop -> Open certificate with notepad, copy the certificate response).

    go back to SAP system --> STRUST

    Then i click on "Import Cert. Response" and paste the response code into the textbox.

    NOW... the 'normal' certificate changes (CN and everything changes --> CN is now the FQDN of the certificate server.. oddly enough).

    Now, after restarting ICM, I try the HTTPS url again.. and I cannot even connect to the page anymore (hostname not known).. which is probably because of the wrong CN hostname in the certificate in STRUST.

    I'm a bit baffled here.. I'm not sure how to change this CN= stuff. And I'm not even sure why the certificate response is actually changing my certificate.

    Any help would be appreciated (and I hope no one takes offence for the little thread hijack.. I just thought it seems like a similar problem). I've search for hours on end.. and cannot find a proper way to do this using an internal CA server (not a REAL (paying) CA).

    Thanks in advance.

    Kind regards,

    Ryan.

    Add comment
    10|10000 characters needed characters exceeded