
Important update:

If you are using AS ABAP, use STRUST: it is possible to add a SAN via STRUST.
Using sapgenpse for AS ABAP instead is an error-prone manual approach.

End of update.

A few days ago I saw (and answered) a question about how to create an SSL server PSE with a SAN (Subject Alternative Name).

Since this is not possible via STRUST (but see the update above), the alternative is the command line tool sapgenpse.

Version 8.4.42 (or higher) of the CommonCryptoLib is required so that the Subject Alternative Name can be added to the request. More details can be found in point 4 of SAP note 2209439.

A quick test, generating the PSE and its certificate request with the SAN given via the -k option:

sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSAN.pse -k GN-dNSName:myehp7system.mydomain.com

 

Please enter PSE PIN/Passphrase: *********

Please reenter PSE PIN/Passphrase: *********

get_pse: Distinguished name of PSE owner: CN=vertigo.mydomain.com, OU= SAP Active Global Support,OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP= Rio Grande do Sul, C=BR

Certificate Request:

  Signed Part:

    Subject     :CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR

    Key:

      Key type    :rsaEncryption (1.2.840.113549.1.1.1)

      Key size    :2048

    Attributes:

      element#no="1":

        Type        :extensionRequest (1.2.840.113549.1.9.14)

        Value 1:

          Alternative names:

            Significance:Non critical

            Value:

              element#no="1":

                GeneralName :GN-dNSName:myehp7system.mydomain.com

  Signature:

    Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)

    Signature bits ( size="2048" ):

PKCS#10 certificate request for "SAPSAN.pse":

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

 

 

Importing the CA response (the issued certificate chain) into the PSE:

sapgenpse import_own_cert -c cert.p7b -p SAPSAN.pse

CA-Response successfully imported into PSE "SAPSAN.pse"

 

 

Checking the content of the PSE; the SubjectAltName line at the end is the one that matters:

sapgenpse get_my_name -p SAPSAN.pse

 

Subject               :   CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR

Issuer                :   …

Serialno              :   …

KeyInfo               :   RSA, 2048-bit

Validity  -  NotBefore:   …

             NotAfter :   …

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication ClientAuthentication

SubjectAltName        :   GN-dNSName:myehp7system.mydomain.com

 

 

Time to open the PSE via STRUST, saving it as the SSL server PSE identity.

 

I created a new server identity, for testing purposes (Environment -> SSL Server Identities):

STRUST01.jpg

 

I used option File to open the PSE created:

STRUST02.jpg

 

Finally, I used menu PSE -> Save as… to replace the current PSE with the one created using sapgenpse:

STRUST03.jpg

 

The result: an SSL server PSE with a SAN:

STRUST04.jpg


6 Comments


  1. Donald James Elemento

    Hi Christiano, great to see this feature added to the SAP Cryptographic library. I tested your example and somehow the SAN doesn't stick into the certificate!

    I have signed the CSR many times and the SubjectAltName is blank. Even testing the PSE that's generated right after running the gen_pse command shows SubjectAltName is blank. I used CommonLib 8.4.45.

     

    sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSSLS.pse -k GN-dNSName:testme.saptest.com

    Please enter PSE PIN/Passphrase: **********

    Please reenter PSE PIN/Passphrase: **********

    get_pse: Distinguished name of PSE owner: CN=saptest.com

    Certificate Request:

      Signed Part:

        Subject     :CN=saptest.com

        Key:

          Key type    :rsaEncryption (1.2.840.113549.1.1.1)

          Key size    :2048

        Attributes:

          element#no="1":

            Type        :extensionRequest (1.2.840.113549.1.9.14)

            Value 1:

              Alternative names:

                Significance:Non critical

                Value:

                  element#no="1":

                    GeneralName :GN-dNSName:testme.saptest.com

      Signature:

        Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)

        Signature bits ( size="2048" ):

    PKCS#10 certificate request for "/usr/sap/WDD/W55/sec/SAPSSLS.pse":

     

     

    -----BEGIN CERTIFICATE REQUEST-----

    MIICizCCAXMCAQAwFjEUMBIGA1UEAxMLc2FwdGVzdC5jb20wggEiMA0GCSqGSIb3

    DQEBAQUAA4IBDwAwggEKAoIBAQCkZ0TU94iwBpsU8k0gtZqiKqYQe2flXexFR2GW

    TBhSKRUNSRC+hCGXlTa2HunyJVx4RRg2GCpTyxKIPHmxso2yolnh5O2lL6azJS00

    cONxUws9rn/sz0iba3jMPO4cYstJl4ggEk7a9jxFJ0ZeifmkYZGbUcof5236Jows

    N/9xFrSAampKCPRN+kceE5QsRDRXGIHZJaTQzh4c8hItZNoppzjNmXH79mr2bNs6

    bUkVYmFeCU2sdhkD8yO2AJGerCtZsvEXv9DtASCtESC5hTVSQElO4D0z0UG2RuAH

    rA9DHcpP+piqAW/vAAi+MAl/MTxDKwaZnrquZHIVQzr7bS7NAgMBAAGgMDAuBgkq

    hkiG9w0BCQ4xITAfMB0GA1UdEQQWMBSCEnRlc3RtZS5zYXB0ZXN0LmNvbTANBgkq

    hkiG9w0BAQsFAAOCAQEAOAQhawTo07o/2s/uTaOD9I40WvWTaRU/qaFgTFYUkXCo

    zDH0A4CifZCIF3tVk08mYLLpdeoKyJ3SGdEzodFPVwROsxTaQQ3tAGpJ62YhMTZ9

    4i0OakuE6jrR/XJsvP+b/MaeFqvbeGm+JAX4k5xHIA1K6TEZV3Qsca/9YLCno3nn

    vYK5DlQ7gVQXZq4wedy12c58kQXAM8LIF8lKTc819pz4pGPkyo7I+9IjZNq+nBzk

    LxCqhVOICGL0AIq24yU37ywhuF6c8yatZGTXj6BEJVRjBJzzAo4qW3ZT1SHUEXqQ

    4AFCgfxANxwvrGC8VDzk4cRhqJ92mFzd+U//RllITw==

    -----END CERTIFICATE REQUEST-----

    sapgenpse get_my_name -p SAPSSLS.pse

    SSO for USER "sidadm"

      with PSE file "/usr/sap/WDD/W55/sec/SAPSSLS.pse"

     

     

    Subject               :   CN=saptest.com

    Issuer                :   CN=saptest.com

    Serialno              :   0A:20:15:11:12:02:02:28

    KeyInfo               :   RSA, 2048-bit

    Validity  -  NotBefore:   Thu Nov 12 14:02:28 2015 (151112020228Z)

                 NotAfter :   Fri Jan  1 12:00:01 2038 (380101000001Z)

    KeyUsage              :   none

    ExtKeyUsage           :   none

    SubjectAltName        :   none

    (0) 
    1. Cristiano Hansen Post author

      Hi Donald,

       

      Have you imported the response?

       

      The CSR shows the SAN value:

      “…

      Requested Extensions:

         X509v3 Subject Alternative Name:

           DNS:testme.saptest.com

      …”

       

      The SAN value will appear after you import the response.

       

      And, just a clarification: point 4 of note 2209439 says that the SAN is included in the CSR. It doesn't say that the PSE will immediately show the new attribute value. 😉

       

      Cheers,

      Cris

      (0) 
      1. Donald James Elemento

        Thanks, I soon realised this about the new feature in sapgenpse when I reviewed the SAP note.

        I should have tested the generated CSR with the likes of the openssl command:

         

        openssl req -text -noout -in <CSR file>

         

         

        I have tested the certificate by self-signing using openssl, and I forgot to set this parameter in the CA:

         

        copy_extensions = copy

         

         

        It would have been easy if SAP hadn't removed its test SSL service, service.sap.com/SSLTest.

         

        Anyway, all good now!

        (0) 
  2. Alexander Hillenkötter

    Thanks Christiano for the information.

    Very useful for our Web Dispatchers.

     

    One additional Question.

     

    Do you know the syntax of the AN string, if you want to add multiple dNSNames?

     

    Regards, Alexander

    (0) 
  3. Uwe Bauer

    It is not true that it is not possible to include SANs in the PKCS#10 request created out of STRUST. Prerequisite is to install a CommonCryptoLib minimum 8.4.42

    See for detail SAP note 2209439 point 4.

     

    For STRUST managed PSEs this is the way to go:

    *****

    Add your subjectAlternativeName of type DNSName by placing a string “DNS=<fqdn1>:<fqdn2>…,” at the beginning of the DN field in the Revise DN dialog. Only in case the 255 character DN limitation of STRUST will not allow you to add all required SANs or you need to add SANs for existing key pairs, then use sapgenpse on OS level of the application server to create the certificate requests. With sapgenpse create only certificate requests out of already existing PSEs which were created and distributed to the OS from STRUST. Import also in these cases the certificate responses only with STRUST, not with sapgenpse.

    Cause: It is necessary that all modifying operations on STRUST managed PSEs are done in STRUST only. Otherwise you bypass the automatic key distribution of the database and as result you will lose your manual changes latest with the next instance restart. Hence, whenever you should perform a manual modifying action on a STRUST managed PSE you will have to upload and store the modified PSE to STRUST to update the database.

    *****

     

    For all PSEs which are not managed within STRUST, of course, the maintenance with sapgenpse is correct.

    (0) 
