Skip to Content
avatar image
Former Member

User Sub CA certificate expiration

Question on User Sub CA certificate expiration.
Have implemented SAP SSO 3.0 in a development capacity, have a root certificate in place and SSO is working.
The root certificate has an expiration date which seems self-explanatory.
The root CA will need to be replaced prior to the expiration in both NW SSO and back-end SAP systems otherwise single sign-on will quit working.

However, the expiration date of the User Sub CA is significantly sooner than the root CA.
And the User Sub CA is what is used for issuing certificates for user logon per the SLAC
(Secure Login Administration Console) configuruation.

For example:
Root CA expiration year: 2034
User Sub CA expiration year: 2021 (less than 5 years from now).
Why the difference, what happens when the User Sub CA expires, and what if any pro-active actions need to occur before the User Sub CA expires?
Cannot seem to find good documentation explaining the User Sub CA administration as it relates to SAP SSO.
Does the Root CA itself need to be replaced before the User Sub CA expires?
There was no way to manually adjust the exiration dates in the SLAC.
thanks for any feedback!

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Jan 10, 2017 at 02:52 PM

    Hi Dan,

    if a subordinated CA expires before the Root (quite normal) you may get a chain validation error and SSO quit working.

    If your user sub ca is expired, all your user certificates are expired too, this is due to the X.509 shell model

    Sounds as if you have the Secure Login Server in place. Only thing you need to do is to delete and create a new sub ca in the SLAC -> Certificate Management tab before it expires and isn't able to issue new user certs.

    Or the better way, create a new one in addition:

    ...and assign it to your Auth-Profile/Policy as shown here:


    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jan 10, 2017 at 05:18 PM

    Yes, the Secure Login Server 3.0 is in place, so the feedback and printscreens are extremely useful for this topic.

    Thank You!

    Add comment
    10|10000 characters needed characters exceeded