
Certificate error with new certificate

Dear experts,

I had opened thread http://scn.sap.com/message/13209781 a while ago and I was able to solve this by installing additional certificates from Thawte. So I had a SOAP Axis sender Adapter which was working already.

Now our partner renewed his SSL certificate. I downloaded it, installed it via http://<host>:<port>/nwa in "Key storage views" - "Trusted CAs".

It is valid from 12 April 2012 - 03 June 2013.

Now I got an error and used XPI Inspector to get more information:

The certificates themselves though are trusted:

I already contacted our partner and he said he was in contact with Thawte. According to them there is no problem with the certificate from our partner. They think our application - SAP PI - does not recognize our partner's certificate as a valid one.

Does anyone have an idea on this?

Thank you and best regards,

Peter


2 Answers

  • Best Answer
    Jun 14, 2012 at 07:42 PM

    Hi Peter,

    The main reasons for errors like this are the following:

    1. The correct server certificate might not be present in the TrustedCA keystore view of NWA. So ensure you have done all the steps described in the URL below:

    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm



    2. The server certificate chain contains an expired certificate.
    Check for it (that was the cause for other customers as well) and
    if it's the case renew it or extend the validation.

    3. Basically the server certificate chain should be in order
    Own->Intermediate->Root. To explain in detail, if your server certificate
    is A which is issued by an intermediate CA B and then B's certificate is
    issued by the C which is the root CA (having a self-signed certificate),
    then your certificate chain contains 3 elements A->B->C. So you need to
    have the right order of certificates in the chain. If the order is B
    first followed by A followed by C, then the IAIK library used by PI
    cannot verify the server as trusted. Generate the certificate in
    the right order and then import this certificate in the TrustedCA
    keystore view and try again.

    4. If the end point of the SOAP Call (Server) is configured to accept
    a client certificate (mandatory), then make sure that it is configured
    correctly in the SOAP channel and it is also within validity period.
    (This certificate is the one which is sent to Server for Client
    authentication)

    As a resource, you may need to create a new SSL Server key.
    The requirement from SAP SSL client side is that the requested site has
    to have certificate with CN equal to the requested site. I mean if I
    request URL X then the CN must be CN=X.

    In other words, the CN of the certificate has to be equal to the URL in
    the ftp request. This can be the IP address or the full name of the host.

    Request the url with the IP of the SSL Server and the certificate to be
    with CN = IP of the server.
    In any other case the SSL communication will not work.

    Kind regards,

    Caio Cagnani

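The chain-order, expiry and CN checks described in the answer above, written out as an added example that is not part of the original thread. It runs on constructed certificate records (subject, issuer, validity) rather than real X.509 files; the host name, CA names and the dates for B and C are assumptions.

```python
from datetime import datetime

def order_chain(certs):
    """Sort certs own -> intermediate -> root by following issuer links."""
    by_subject = {c["subject"]: c for c in certs}
    issuing = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issuing]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate")
    chain = [leaves[0]]
    while chain[-1]["issuer"] != chain[-1]["subject"]:  # stop at self-signed root
        parent = by_subject.get(chain[-1]["issuer"])
        if parent is None or parent in chain:
            raise ValueError("issuer missing or looped: " + chain[-1]["issuer"])
        chain.append(parent)
    return chain

def check_chain(presented, host, now):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    ordered = order_chain(presented)
    if [c["subject"] for c in presented] != [c["subject"] for c in ordered]:
        findings.append("order: expected " + " -> ".join(c["subject"] for c in ordered))
    for c in ordered:
        if not c["not_before"] <= now <= c["not_after"]:
            findings.append("validity: " + c["subject"] + " not valid at " + now.date().isoformat())
    # The answer requires the CN to equal the requested host (name or IP).
    if ordered[0]["subject"].lower() != host.lower():
        findings.append("name: CN " + ordered[0]["subject"] + " != requested host " + host)
    return findings

def cert(subject, issuer, not_before, not_after):
    return {"subject": subject, "issuer": issuer,
            "not_before": datetime.fromisoformat(not_before),
            "not_after": datetime.fromisoformat(not_after)}

# Constructed sample chain: A = own, B = intermediate, C = self-signed root.
# A's validity follows the dates in the question; everything else is made up.
A = cert("partner.example.com", "Example Intermediate CA", "2012-04-12", "2013-06-03")
B = cert("Example Intermediate CA", "Example Root CA", "2006-01-01", "2016-01-01")
C = cert("Example Root CA", "Example Root CA", "1996-01-01", "2020-12-31")

if __name__ == "__main__":
    # Chain presented as B, A, C: the ordering case from point 3 of the answer.
    for finding in check_chain([B, A, C], "partner.example.com", datetime(2012, 6, 14)):
        print(finding)
```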

  • Jun 12, 2012 at 09:45 AM

    sorry, here are the screenshots:


    • Hello Rajesh, Hello experts,

      I now did a debugging again with XPI-Inspector and switched from "11 (Authentication & SSL)" to "17 (Axis Adapter)" and I get the following message:

      Our partner claims everything is okay with the certificate. But could it be that there is a problem with it? I downloaded it with Internet Explorer.

      Thank you for any ideas.

      Best regards,

      Peter

      xpiInsp3.jpg (162.4 kB)