
User Sub CA certificate expiration

dan_pfingsten2
Participant
0 Kudos

Question on User Sub CA certificate expiration.
Have implemented SAP SSO 3.0 in a development capacity, have a root certificate in place and SSO is working.
The root certificate has an expiration date which seems self-explanatory.
The root CA will need to be replaced prior to the expiration in both NW SSO and back-end SAP systems otherwise single sign-on will quit working.

However, the expiration date of the User Sub CA is significantly sooner than the root CA.
And the User Sub CA is what is used for issuing certificates for user logon per the SLAC (Secure Login Administration Console) configuration.


For example:
Root CA expiration year: 2034
User Sub CA expiration year: 2021 (less than 5 years from now).
Why the difference, what happens when the User Sub CA expires, and what if any pro-active actions need to occur before the User Sub CA expires?
Cannot seem to find good documentation explaining the User Sub CA administration as it relates to SAP SSO.
Does the Root CA itself need to be replaced before the User Sub CA expires?
There was no way to manually adjust the expiration dates in the SLAC.
Thanks for any feedback!

Accepted Solutions (0)

Answers (2)

Colt
Active Contributor

Hi Dan,

If a subordinate CA expires before the Root (quite normal), you may get a chain validation error and SSO quits working.

If your User Sub CA is expired, all your user certificates are expired too; this is due to the X.509 shell model.

Sounds as if you have the Secure Login Server in place. The only thing you need to do is to delete and create a new Sub CA in the SLAC -> Certificate Management tab before it expires and isn't able to issue new user certs.

Or the better way, create a new one in addition:

...and assign it to your Auth-Profile/Policy as shown here:

Cheers,
Carsten
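
The shell-model behaviour described in the answer above, as an added example that is not part of the original thread and not SAP code: a certificate is usable only while every certificate in its chain is valid, so the chain's usable window is the intersection of all validity periods. Only the expiry years 2034 and 2021 come from the question; the exact dates, the user certificate, the function names and the lifetime and margin values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def shell_valid(chain, at):
    """Shell model: every certificate in the chain must be valid at `at`."""
    return all(c.not_before <= at <= c.not_after for c in chain)


def effective_window(chain):
    """Intersection of all validity periods, or None if they never overlap."""
    start = max(c.not_before for c in chain)
    end = min(c.not_after for c in chain)
    return (start, end) if start <= end else None


def first_expiring(chain):
    """The certificate whose expiry breaks the chain first."""
    return min(chain, key=lambda c: c.not_after)


def rollover_deadline(issuing_ca, leaf_lifetime, margin):
    """Last day a leaf of `leaf_lifetime` still fits inside the CA's validity,
    minus a safety margin. Both durations are assumptions to tune locally."""
    return issuing_ca.not_after - leaf_lifetime - margin


# Constructed sample chain: only the expiry years come from the question.
ROOT = Cert("Root CA", utc(2016, 6, 1), utc(2034, 6, 1))
SUB = Cert("User Sub CA", utc(2016, 6, 1), utc(2021, 6, 1))
USER = Cert("user cert", utc(2021, 5, 25), utc(2021, 6, 5))
CHAIN = [USER, SUB, ROOT]

if __name__ == "__main__":
    print("valid 2021-05-30:", shell_valid(CHAIN, utc(2021, 5, 30)))
    print("valid 2021-06-02:", shell_valid(CHAIN, utc(2021, 6, 2)))
    print("usable window:", effective_window(CHAIN))
    print("expires first:", first_expiring(CHAIN).subject)
    print("assign new Sub CA by:",
          rollover_deadline(SUB, timedelta(days=10), timedelta(days=30)).date())
```

The user certificate's own dates run to 5 June, but the chain stops validating on 1 June when the Sub CA expires, which is why the replacement Sub CA has to be assigned before that date rather than before the Root CA's.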

dan_pfingsten2
Participant
0 Kudos

Yes, the Secure Login Server 3.0 is in place, so the feedback and printscreens are extremely useful for this topic.

Thank You!