
Prerequisites

Setup CA

Before you can start creating your own CA, I recommend that you adapt the file “openssl.cnf” in the bin folder of your OpenSSL installation. I’ve changed the section “CA_default”:

dir = C:/Programme/OpenSSL/TestCA

and this setting in section “policy_match”:

stateOrProvinceName = optional

The settings in section “req_distinguished_name” should also be adapted to your local needs. I’ve changed or added these lines:

countryName_default = DE
#stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = Bavaria
localityName_default = Traunreut
0.organizationName_default = Siteco Beleuchtungstechnik GmbH
organizationalUnitName_default = OI
#emailAddress = Email Address
#emailAddress_max = 64

Finally, these settings in section “”:

#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

To make the creation of your own CA easier, I’ve ported the scripts provided by Dr. Andreas Steffen in his article Eigener Schlüsseldienst to Windows. Here is the first script, which creates the CA. Save it as make_ca.bat in the newly created folder TestCA below the OpenSSL installation directory. Also create an empty text file called “index.txt” there:

When you run this script you have to enter the passphrase for the private key twice to set it, and then once more to create a Certificate Signing Request (CSR). Enter the name of your CA as the “Common Name” and leave “Email Address” empty:

C:\Programme\OpenSSL\TestCA>make_ca
"Initialize CA and generate Root CA certificate"
"create some directories"
"generate 2048 bit RSA private key of CA"
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
.............................+++
.........................................+++
e is 65537 (0x10001)
Enter pass phrase for private\cakey.pem: EnterCAPassword
Verifying - Enter pass phrase for private\cakey.pem: EnterCAPassword
"generate self-signed CA root certificate with a validity of 4 years"
Enter pass phrase for private\cakey.pem: EnterCAPassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
Locality Name (eg, city) [Traunreut]:
Organization Name (eg, company) [Siteco Beleuchtungstechnik GmbH]:
Organizational Unit Name (eg, section) [OI]:
Common Name (eg, YOUR name) []:Siteco Test CA
"list CA root certificate"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f3:17:45:17:d3:02:61:93
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, L=Traunreut, O=Siteco Beleuchtungstechnik GmbH, OU=OI
... snip ...

Import the “x509cert-cacert.der” file into your Web AS via STRUST. Also install the CA certificate in your client web browser by double-clicking the x509cert-cacert.der file.

Create Server Certificate

The next script creates a server certificate. Save it as make_cert_req.bat in the folder TestCA below the OpenSSL installation directory:

Before you run this script, save the CSR of your Web AS as hostnameReq.pem in the folder TestCA. When you run the script you have to enter the CA password you set in the step “Setup CA”. Then answer “y” to sign and commit the certificate.

C:\Programme\OpenSSL\TestCA>make_cert_req pc91427
"list pc91427 certificate request"
... Snip ...
Enter pass phrase for C:/Programme/OpenSSL/TestCA/private/cakey.pem:CAPwd
... Snip ...
Certificate is to be certified until Oct 22 12:40:42 2006 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n]y
... Snip ...
"convert pc91427 certificate into DER format: x509cert-pc91427.der"
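The batch files themselves are not reproduced on this page, so here is an added example (my own, not the blog's or Dr. Steffen's scripts) of the OpenSSL steps the make_ca and make_cert_req transcripts above show: directory set-up, a 2048-bit CA key, a 4-year self-signed root, the DER copy for STRUST and the browser, and then signing a Web AS CSR with openssl ca. It assumes openssl 1.1 or later on the PATH and writes its own minimal openssl.cnf carrying the two CA_default/policy_match edits from the setup section; CA_PASS and the subject values are placeholders, and it uses SHA-256 instead of the SHA-1 seen in the 2006 output.

```shell
# Added example, not the blog's make_ca.bat / make_cert_req.bat: the OpenSSL steps those
# batch files drive, as POSIX shell. Assumes openssl 1.1+ on PATH; CA_PASS is a placeholder.
set -eu
CA_PASS="${CA_PASS:-EnterCAPassword}"
# make_ca: CA dir layout, minimal openssl.cnf with the page's two edits ("dir" in
# CA_default, stateOrProvinceName optional in policy_match), 2048-bit CA key, 4-year
# self-signed root (SHA-256), DER copy for STRUST/browser.  $1 = CA dir, $2 = CN, $3 = O
make_ca() {
  mkdir -p "$1/private" "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/private/cakey.pem" 2048
  openssl req -new -x509 -days 1460 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
    -passin "pass:$CA_PASS" -subj "/C=DE/O=$3/CN=$2" -out "$1/cacert.pem"
  openssl x509 -in "$1/cacert.pem" -outform DER -out "$1/x509cert-cacert.der"
}
# make_cert_req: sign the CSR $1/<name>Req.pem (e.g. the Web AS request) as
# <name>Cert.pem and export x509cert-<name>.der.  $1 = CA dir, $2 = name
make_cert_req() {
  openssl ca -batch -config "$1/openssl.cnf" -passin "pass:$CA_PASS" \
    -in "$1/$2Req.pem" -out "$1/$2Cert.pem"
  openssl x509 -in "$1/$2Cert.pem" -outform DER -out "$1/x509cert-$2.der"
}
```

The make_cert transcript below differs only in generating the key and CSR locally before signing and then running openssl pkcs12 -export for the browser import. Because of policy_match, a CSR is only signed when its C and O match the CA's.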

Open the certificate file hostnameCert.pem with WordPad and import it into the Web AS as the certificate response. If you get the error “CA certificate missing in database”, append the CA certificate from cacert.pem to hostnameCert.pem and import both together. To activate the certificate, start transaction SMICM and choose Administration -> ICM -> Exit soft. Answer yes to the question “Really restart ICM process?”.

Create Client Certificate

The next script creates a client certificate. Save it as make_cert.bat in the folder TestCA below the OpenSSL installation directory:

When you run this script you have to enter the passphrase for the private key twice to set it, and then once more to create a Certificate Signing Request (CSR). The request is forwarded to the CA, and you have to enter the CA password you set in the step “Setup CA”. Then answer “y” to sign and commit the certificate. After the certificate is created you have to enter a password for the p12 file:

C:\Programme\OpenSSL\TestCA>make_cert BCUSER
"Generate private key and certificate for BCUSER"
"generate 1024 bit RSA private key: private\BCUSERKey.pem"
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.................................................................
.......++++++
e is 65537 (0x10001)
Enter pass phrase for private\BCUSERKey.pem: EnterPassword
Verifying - Enter pass phrase for private\BCUSERKey.pem: EnterPassword
"generate certificate request by host BCUSER"
Enter pass phrase for private\BCUSERKey.pem: EnterPassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
Locality Name (eg, city) [Traunreut]:
Organization Name (eg, company) [Siteco Beleuchtungstechnik GmbH]:
Organizational Unit Name (eg, section) [OI]:
Common Name (eg, YOUR name) []:BCUSER
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
"list BCUSER certificate request"
... Snip ...
"generate and sign BCUSER certificate: BCUSERCert.pem"
Using configuration from C:\Programme\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for C:/Programme/OpenSSL/TestCA/private/cakey.pem:CAPwd
Check that the request matches the signature
... Snip ...
Certificate is to be certified until Oct 22 12:19:21 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
... Snip ...
"convert BCUSER certificate into DER format: x509cert-BCUSER.der"
"generate PKCS#12 files for use with Windows"
Loading 'screen' into random state - done
Enter pass phrase for private\BCUSERKey.pem: EnterPassword
Enter Export Password: EnterPassword
Verifying - Enter Export Password: EnterPassword

Double-click the BCUSER.p12 file to import it into your browser's certificate store.

Maintain View VUSREXTID

Start transaction SM30, enter the view name “VUSREXTID” and click “Maintain”. Enter “DN” in the “External ID Type” field:

Click “New Entries” and enter the Distinguished Name (DN) of the client certificate. Please note that OpenSSL displays DNs starting with the country; here the DN must begin with CN=, i.e. in reverse order, e.g. CN=BCUSER, OU=OI, O=Siteco Beleuchtungstechnik GmbH, L=Traunreut, C=DE for the client certificate created above.

Save the settings.
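Added example (not part of the blog): a small shell helper that turns the subject DN as OpenSSL prints it into the CN-first form needed for the VUSREXTID entry. It assumes the output of openssl x509 -noout -subject in either the newer "C = DE, L = ..." form or the older "/C=DE/L=..." form, and does not handle attribute values that themselves contain the separator.

```shell
# Added example: reorder an OpenSSL subject line (country first) into the
# CN-first "CN=..., OU=..., O=..., L=..., C=DE" form for VUSREXTID.
# Assumption: input is the "subject=" line of openssl x509 -noout -subject.
dn_for_vusrextid() {
  dn="${1#subject=}"; dn="${dn# }"          # drop the "subject=" prefix
  case "$dn" in
    /*) sep='/'; dn="${dn#/}" ;;             # old form: /C=DE/L=.../CN=BCUSER
    *)  sep=', ' ;;                          # new form: C = DE, L = ..., CN = BCUSER
  esac
  printf '%s\n' "$dn" | awk -v FS="$sep" '{
    out = ""
    for (i = NF; i >= 1; i--) {              # walk the components back to front
      split($i, kv, " *= *")                 # "C = DE" -> kv[1]="C", kv[2]="DE"
      join = (i == NF) ? "" : ", "
      out = out join kv[1] "=" kv[2]
    }
    print out
  }'
}
```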

Test

In SE80, open the BSP application “HTMLB_samples” and run the test by pressing F8. To force the use of HTTPS, set this in SE80 via menu Utilities -> Settings. In the tab “Business Server Pages” enter Log, Application Server and Port:

Save the setting and run the application via F8. Your browser will start and display this window, where you can choose the client certificate to authenticate with:

After successful authentication the application should be launched.


4 Comments


  1. Bob Rein
    This is a good example of using OpenSSL to create
    Client SSL certificates.  Are there any examples of using STRUST to create Server certificates that can be signed by an OpenSSL certificate server?   Also, I see that STRUST in Netweaver 2004s (Patch 16) does not support 4096-bit RSA encryption keys – apparently anyway.  Any idea when this will occur?
  2. Bob Rein
    Hi Gregor,

    Thanks for responding.  I’ve been going around in circles with SAP support for several weeks about this. I haven’t received a response to the question whether or not they support 4096 bit RSA keys. I thought that the encryption library was provided by SECUDE – maybe that’s where the confusion is.   SAP asked me to experiment with 4096 and report back to them.

  3. César Cabrera
    Hi, any idea for this error???
    Please, help me.
    Thanksss

    C:\OpenSSL\bin\TestCA>make_cert_req sapecc
    “list sapecc certificate request”
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=AR, O=Neoris, CN=*.neoris.net
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:ff:7b:7d:99:29:1b:98:37:59:58:87:31:60:cc:
                        59:1a:1c:ea:d7:1c:be:2f:b5:a9:41:cf:e4:83:e9:
                        ab:32:cc:63:51:04:7d:60:dd:0f:46:18:a3:b0:29:
                        ed:58:1e:8d:f2:87:9f:41:b2:96:64:74:9a:29:f6:
                        aa:83:d5:fb:77:95:23:c5:1e:56:32:4d:11:5f:fe:
                        6a:80:cb:de:47:35:64:a7:45:41:6a:4f:de:a2:2e:
                        1e:ab:8c:30:30:89:f1:8a:2d:9c:34:ae:c9:cf:0a:
                        84:c6:d0:62:85:cd:ee:11:f5:ed:f2:42:9d:5c:be:
                        61:ad:87:5f:ad:4b:5c:c0:55
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha1WithRSAEncryption
            37:70:0b:28:98:38:42:2d:bb:7d:c3:e4:98:cd:89:4b:8c:db:
            83:45:54:2b:13:f1:35:1d:9b:73:d4:f2:c7:86:0c:49:68:b2:
            89:67:f6:2e:96:6b:73:0e:90:71:a1:99:69:a6:5d:d1:d5:c4:
            3d:f3:66:64:05:dc:95:28:1a:ba:3b:10:aa:d7:0f:04:01:d7:
            c3:4b:f7:ad:68:8a:b7:c5:5c:a2:4c:e3:85:b3:37:9c:fa:d6:
            7d:6f:7e:fe:a4:5c:84:16:2f:c7:8f:11:ce:7a:d9:a8:b7:fc:
            fc:8a:c8:b6:fc:a9:8a:a9:71:1b:2f:22:cb:ff:54:d9:4e:97:
            57:3c
    “generate and sign sapecc certificate: sapeccCert.pem”
    Using configuration from C:\OpenSSL\bin\openssl.cfg
    Loading ‘screen’ into random state – done
    Error opening CA private key ./TestCA/private/cakey.pem
    3848:error:02001003:system library:fopen:No such process:.\crypto\bio\bss_file.c
    :356:fopen(‘./TestCA/private/cakey.pem’,’rb’)
    3848:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:35
    8:
    unable to load CA private key
    “list sapecc X.509 certificate”
    Error opening Certificate sapeccCert.pem
    2904:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\
    bss_file.c:356:fopen(‘sapeccCert.pem’,’rb’)
    2904:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:35
    8:
    unable to load certificate
    “convert sapecc certificate into DER format: x509cert-sapecc.der”
    Error opening Certificate sapeccCert.pem
    324:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\b
    ss_file.c:356:fopen(‘sapeccCert.pem’,’rb’)
    324:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:358
    :
    unable to load certificate

    C:\OpenSSL\bin\TestCA>

