
How to sign a SSL Certificate

Former Member
0 Kudos

Hello,

I've generated my SSL CSR file on EP 6 SP 2 Patch 4 HF 6 and am now attempting to have the file signed by Verisign. We are having a problem at Verisign with which certificate type we should supply (i.e. Microsoft, Apache, etc.). Anything we try generates an error that there is an invalid character in the Common Name. Our CN = www.xx-helpout.athome.com.

What are others supplying for a certificate type when signing certs? Is there a limit with SAP in generating csr files with hyphens?

Thanks!

John

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hello folks,

Your posting is similar to an issue I have i.e. trying to submit a CSR to Verisign and not working.

I have generated a CSR using sapgenpse get_pse in command line mode. I am doing this for our web dispatcher which is used to connect to our back end CRM system.

Anyways, when I submit the CSR to Verisign, it is rejected because Verisign says the state is missing. Does anyone know what syntax should be used for state?

E.g. of my sapgenpse get_pse command

sapgenpse get_pse -p SAPSSLS.pse -x password -r cert.req "CN=fqdn.company.com, OU=org, O=CompanyName, L=location, S=state, C=country"

I even tried ST=state but ST is for street apparently. Either way Verisign won't accept this CSR due to the missing state.

Has anyone encountered this issue?

Thanks,

Ramesh

Former Member
0 Kudos

Sorry that I have not responded, I have been swamped lately.

How are you putting in your state? Are you putting in the 2 letter abbrev. or are you spelling it out?

I have been spelling mine out. You have to think about why, then it made sense. If a company overseas is looking to see if you are real, are they going to know what PA or NM is?

deidre_logan
Participant
0 Kudos

Did you all solve the issue with getting a CSR signed by Verisign? I am getting the state error too.

I provided S=Ohio and S=OHIO and they both failed with the State is missing.

Thanks,

Dede

deidre_logan
Participant
0 Kudos

I found the solution to the State on the Verisign signed CSR in another thread. You have to use SP= for the state. So SP=Ohio worked for me.
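A way to catch the "state is missing" rejection before submitting, as an added example that is not part of the original posts: it reads the CSR's subject with OpenSSL and lists required attributes that are absent (the state appears there as stateOrProvinceName). It assumes the request file is a PEM PKCS#10 CSR that OpenSSL can read; the required-attribute list, the function names and the sample subjects are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check a CSR's subject before sending it to a CA.
# Required attributes (OpenSSL long names) are an assumption based on the
# fields used in the thread: CN, O, L, state, C.
REQUIRED="commonName organizationName localityName stateOrProvinceName countryName"

# Echo the required attributes missing from the CSR subject (empty output = OK).
# Returns 0 if nothing is missing, 1 if something is, 2 if the file is unreadable.
csr_missing_fields() {
    local csr="$1" subject attr missing=""
    # -nameopt multiline prints one attribute per line as "longName = value",
    # so values containing commas or slashes cannot confuse the match.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt multiline 2>/dev/null) \
        || { echo "unreadable"; return 2; }
    for attr in $REQUIRED; do
        printf '%s\n' "$subject" | grep -Eq "^ *${attr} *=" || missing="$missing $attr"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Build a throwaway CSR with the given subject (constructed sample data only).
make_sample_csr() {
    local subj="$1" out="$2"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" \
        -out "$out" -subj "$subj" 2>/dev/null
}

# Demo: one complete subject, one without a state attribute.
tmp=$(mktemp -d)
make_sample_csr "/C=US/ST=Ohio/L=Columbus/O=Example Corp/CN=fqdn.example.com" "$tmp/ok.req"
make_sample_csr "/C=US/L=Columbus/O=Example Corp/CN=fqdn.example.com" "$tmp/nostate.req"
for f in "$tmp/ok.req" "$tmp/nostate.req"; do
    missing=$(csr_missing_fields "$f" || true)
    echo "$(basename "$f"): ${missing:-all required attributes present}"
done
rm -rf "$tmp"
```

Run `csr_missing_fields cert.req` against the file written by `sapgenpse ... -r cert.req`; any attribute it prints did not make it into the request.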

Former Member
0 Kudos

We get ours from InstantSSL in the UK. They are fast, and easy to deal with. These are their instructions:

General Points to remember before creating your CSR:

The Common Name field should be the Fully Qualified Domain Name (FQDN) or the web address for which you plan to use your Certificate, e.g. the area of your site you wish customers to connect to using SSL. For example, an Instant SSL Certificate issued for comodogroup.com will not be valid for secure.comodogroup.com. If the web address to be used for SSL is secure.comodogroup.com, ensure that the common name submitted in the CSR is secure.comodogroup.com

The hyphen should not matter imo. Is this server connected directly to the outside world? By the way you have the address there it might not. If that is the case then all of the servers in between that one and the outside must have a Cert so the chain is complete.

Former Member
0 Kudos

Thanks David,

How did you sign your certificates? With PKCS 8 or PKCS 12?

Former Member
0 Kudos

I have my signed PKCS 12 certificate into the Keystore. Now I need to load this certificate into the SSL Service. My problem is I can't tell which certificate is mine from the list displayed. All I see under Enabled Suites is SSL_RSA_WITH_NULL_MD5 and various others. How do I tell which cert is mine?

Thanks,

John

Former Member
0 Kudos

On my EP5 set up I had the same confusion.

SAP has docs on this but sometimes they conflict and cause brain tumors.

This is how I did mine.

IIS 5.0 send out your csr and get it back. On the web site import the certificate.

On J2ee I used a self signed certificate. Ok, if someone else is reading this too, don't have a cow yet! SAP takes into assumption too many times that you are only going to use their product, including WAS/J2EE as the web server. If you are not, you only need a signed certificate on the outside server because the J2EE is not seen from the outside, you just have to make it talk SSL.

In the keystore manager generate a cert and click on the store certificate. The directions are close enough to get you through. Remember, you are self signing. You do not send a CSR anywhere. That is only done on the IIS side. Run through the sapgenpse stuff and you should have it.

Keep in mind that I am running IIS 5.0 with the J2EE. The self signed solution may not work for all.

Former Member
0 Kudos

I guess I understand what you're saying but I'm not sure how it's going to work. We'd like to give users a link, i.e. https://www.sitename.com/irj, and have them gain access directly to the Portal. If I put the certificate in IIS the users are not going to hit it. Do all your users go to https://www.sitename.com and get redirected from your IIS site?

Thanks,

John

Former Member
0 Kudos

Install your certificate on the website in IIS.

Open the properties of the web site and click the home directory tab.

Click on A Redirection To A URL button

Redirect to /irj

Under "the client will be directed to"

uncheck the first box and check the last two.

That should do it. Once you have that in the home directory it will move the request from www.sitename.com to the /irj folder. Once there it hits the default file and opens the portal.

Let me know.

Former Member
0 Kudos

Thanks David!

O.K. Now they are redirected to the Portal via IIS. As a user clicks around the Portal is the session still encrypted via SSL? I would think the user would be by-passing IIS and talking directly to the Portal un-encrypted.

John

Former Member
0 Kudos

Not if you do this:

Go to the properties of the website again in IIS.

Open the Directory Security Tab.

Make sure that the check box Require Secure Channel and check box Require 128-bit encryption are checked off.

Restart IIS

SSL talks on port 443, make sure your firewall is open to that port.

Former Member
0 Kudos

Thanks David. I think I'm making this more complicated than it needs to be. I'll have my new cert on Tuesday so I'll give it a try and let you know.

John

Former Member
0 Kudos

Nah, you're not making it complicated. It IS complicated. If it were easy anyone could do it. Run down your docs. There are three sources of docs that I used and all three were different than the other. Go figure.

If you have a road block, do like the rest of us do, post it, someone might have the answer that is right in front of you.