I followed the SAP documentation to set up authentication using x.509 certificates
http://help.sap.com/saphelp_nw04s/helpdata/en/b1/07dd3aeedb7445e10000000a114084/frameset.htm
which worked.
The user certificate imported into SAP (table USREXTID) has subsequently expired.
A new user certificate was acquired and imported into the user's
browser, but NOT into SAP.
The issue is that, without having to update SAP, the user can
successfully authenticate to SAP again using the new certificate.
Therefore SAP is not distinguishing between the old expired certificate
and the new certificate.
This creates a huge security issue. If the device containing the
certificate is lost (for example), the certificate would be revoked.
However once the user has a new device and is issued with a new
certificate the old device would also be able to successfully logon to
SAP.
The steps in short are:
1. Issue certificate to user
2. Load into USREXTID using SM31
3. Expire/revoke the certificate
4. Issue user with new certificate
5. Test logon - logon SUCCEEDS, but the logon should FAIL (because the new
certificate is not loaded into USREXTID)
We need to be able to ensure that only the current, valid certificate
allows access to SAP. Can this be achieved?
The way that this is currently working means that we would have to
change the user's DN every time a new certificate is issued. Surely this can't be the case?