Our blogs always aim to keep tech stuff simple and your systems safe. A few years ago, Cristiano Hansen, an expert at SAP, shared tips about public certificates. However, with hackers getting smarter, SAP had to up its game. Hence, as businesses want better security and smart automation (RPA), a trusted certificate becomes crucial.
Purpose.
This blog explains how to set up a trusted certificate in newer SAP versions. We break it down step by step, including fine-tuning details such as the right algorithms and the Subject Alternative Name (SAN). The sequential steps to set up a trusted SSL certificate in an SAP ABAP system are set out below.
Step 1.
Open the STRUST tool and look at the “SSL Server Standard”.
Notice that the name here does not match your server’s name. To resolve this, right-click on “SSL Server Standard”, choose “Replace”, and click “Yes” if asked. In our example below, we’ve got two application servers with SID and Common Name both as KQ3.
Step 2.
Check that the setting is RSA/2048/SHA256.
Adjust names to match their public addresses. Sometimes, another team might give you this name, especially in large corporations.
Step 3.
Save your work, close STRUST, and then open it again.
Step 4.
Click on the new PSE and pick “Create Certificate Request”.
Make sure to choose SHA256 here based on current recommendations:
Step 5.
Add more names for both internal and external web addresses. Due to new rules, both can’t be verified by external groups like Verisign.
After doing this, you’ll get a Certificate Request. Keep it safe and send it to your CA for approval.
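Before the request goes to the CA, it can be checked against the choices made in Steps 2 to 5 (RSA, 2048 bits, SHA256, and the SAN entries). The script below is an added example, not part of the original article or of SAP's tooling: it assumes the request was saved from STRUST as a PEM file and that `openssl` is available on the workstation. The hostnames and the function names `check_csr` and `make_sample_csr` are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a certificate request before it goes to the CA.
# Hostnames are constructed placeholders; KQ3 is the SID used in the article.

# check_csr FILE NAME... returns 0 only if the request uses a 2048-bit RSA key,
# is signed with SHA-256, and lists every NAME as a DNS entry in the SAN.
check_csr() {
    csr=$1; shift
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "FAIL: $csr is not a readable PKCS#10 request"; return 1; }
    rc=0
    echo "$text" | grep -q 'Public-Key: (2048 bit)' || {
        echo "FAIL: key is not 2048-bit"; rc=1; }
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || {
        echo "FAIL: signature is not SHA256 with RSA"; rc=1; }
    # openssl prints the SAN values on the line after the extension header.
    sans=$(echo "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
    for name in "$@"; do
        # Exact match per entry, so a longer look-alike name does not pass.
        echo "$sans" | tr -d ' ' | tr ',' '\n' | grep -Fqx "DNS:$name" || {
            echo "FAIL: SAN is missing DNS:$name"; rc=1; }
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $csr"; fi
    return "$rc"
}

# make_sample_csr FILE SANLIST builds a constructed request with openssl as a
# stand-in for the STRUST export, so the check can be run offline.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1" -subj "/CN=kq3.example.com" \
        -addext "subjectAltName=$2" 2>/dev/null
}

# Demo: external and internal names, as in Step 5.
tmp=$(mktemp -d)
make_sample_csr "$tmp/KQ3.csr" "DNS:kq3.example.com,DNS:kq3.internal.example"
check_csr "$tmp/KQ3.csr" kq3.example.com kq3.internal.example
rm -rf "$tmp"
```

For a real request, call `check_csr` on the file saved from STRUST with the names entered in Step 5; any `FAIL` line means the request should be regenerated before it is submitted.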
Step 6.
Now, send your data to the team that gives out certificates. Ask for an external one. If looking for free external certificates, check out “Let’s Encrypt”. For a deeper dive, Zoltan Sekeres’s informative blog is worth perusing.
You’ll get some important files in return. Open them in an editor, like Notepad++, and join the contents.
Chain of Root/intermediate Certificates
Step 7.
It’s time to add this joined file in STRUST.
Step 8.
Import your file, like “SignedCertificateResponse—KQ3.crt”. Be careful to pick the right option for SSL Server.
Click on Server PSE and Save As:
Be sure to select the right option below for SSL Server! Easy to Miss!
Step 9.
Now, test it in your browser. If done right, everything should work smoothly.
Troubleshooting issues with a trusted SSL certificate:
Trouble loading the PSE? Delete instead of Replace:
Remove Temporary Files:
Ensure that the SMICM service defined is for the right port. In our case, it is the default 443:
Ensure that the ICM is restarted implicitly by STRUST. (You will get a message PSE Saved/ICM was Notified):
Conclusion.
You have now successfully imported your externally-signed trusted SSL certificate! If you have problems, please review the steps above, check the troubleshooting steps, or contact the author.
A modified version of this article was first published by the author on SAP Blogs.