Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP SSL one cert - multiple systems - same domain

Former Member

‎03-23-2012 8:05 PM

0 Kudos

Hello - not able to find an answer to this question so wondering if I can get a quick answer..

Can we use one CA signed SSL certificate for mutliple systems (Portal, ECC, etc) in the same domain?  Does SAP support this?

Also, our ECC system is referenced externally by a different URL and internally by its hostname.  Do we need to generate two different certs for the ECC system (one for the internet URL and the other for hostname)?  

1 REPLY 1

frank_wagner2
Participant

‎03-24-2012 9:38 AM

0 Kudos

Hello,

for your first question:

this may work with a wildcard certificate- but the problem is here not SAP but the SSL or more concrete the X.509 certificate concept. Even if you use the same DN for every system the generated key would be always different (of course you could exchange the keys, too. But this is not how SSL is designed and will only work for PSE or KeyStore - not for both). And you will run into problems if you would like to use more than server identification - for example for client authentification you need a different DN and a different key for each client.

For your second question: yes, you need two different certificates if you would like to allow internal access using internal name and external access using external name. But you have to use a Reverse Proxy like a Webdispatcher or Apache (i recommend Apache) - because a SAP System can only have one SSL identity. But please consider that using two names is not always working (for example if Application Server has to generate URLs) - therefore I recommend to use only one server name and use also the external server (name) for internal communication.

Best Regards,

Frank