Subject Alternative Name (SAN) with sapgenpse (CommonCryptoLib)
Important update (from Sept 2017):
If you are using AS ABAP, use STRUST: it is possible to add a SAN via STRUST.
Using sapgenpse for AS ABAP is an error-prone manual approach.
Recommended additional reading:
- For SAP NetWeaver ABAP: 2478769 – Create certificates with Subject Alternative Name (SAN) within STRUST
- For SAP Web Dispatcher: 2502649 – Creating certificates with Subject Alternative Name (SAN) through the Web Admin page
end of update.
A few days ago I saw (and answered) a question about how to create an SSL server PSE with a SAN.
Since STRUST did not offer this (see the update above), the alternative is the command-line tool sapgenpse.
CommonCryptoLib version 8.4.42 (or higher) is required so that the Subject Alternative Name can be added. More details can be found in point 4 of SAP Note 2209439.
A quick test:
sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSAN.pse -k GN-dNSName:myehp7system.mydomain.com
Please enter PSE PIN/Passphrase: *********
Please reenter PSE PIN/Passphrase: *********
get_pse: Distinguished name of PSE owner: CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
Certificate Request:
Signed Part:
Subject :CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
Key:
Key type :rsaEncryption (1.2.840.113549.1.1.1)
Key size :2048
Attributes:
element#no="1":
Type :extensionRequest (1.2.840.113549.1.9.14)
Value 1:
Alternative names:
Significance:Non critical
Value:
element#no="1":
GeneralName :GN-dNSName:myehp7system.mydomain.com
Signature:
Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
Signature bits ( size="2048" ):
PKCS#10 certificate request for "SAPSAN.pse":
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Importing the response:
sapgenpse import_own_cert -c cert.p7b -p SAPSAN.pse
CA-Response successfully imported into PSE "SAPSAN.pse"
Checking the content:
sapgenpse get_my_name -p SAPSAN.pse
Subject : CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
Issuer : …
Serialno : …
KeyInfo : RSA, 2048-bit
Validity – NotBefore: …
NotAfter : …
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication ClientAuthentication
SubjectAltName : GN-dNSName:myehp7system.mydomain.com
Time to open the PSE in STRUST and save it as the SSL server PSE identity.
For testing purposes I created a new server identity (Environment -> SSL Server Identities):
I used the File option to open the PSE created with sapgenpse:
Finally, I used the menu PSE -> Save as... to replace the current PSE with the one created using sapgenpse (this step is what stores the new PSE in the database, so that it is distributed to the application servers instead of being lost at the next restart):
The result: an SSL server PSE with a SAN:
Hi Christiano, great to see this feature added to the SAP Cryptographic Library. I tested your example and somehow the SAN doesn't stick in the certificate!
I have signed the CSR many times and the SubjectAltName is blank. Even testing the PSE that's generated right after running the gen_pse command shows SubjectAltName is blank. I used CommonCryptoLib 8.4.45.
sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSSLS.pse -k GN-dNSName:testme.saptest.com
Please enter PSE PIN/Passphrase: **********
Please reenter PSE PIN/Passphrase: **********
get_pse: Distinguished name of PSE owner: CN=saptest.com
Certificate Request:
Signed Part:
Subject :CN=saptest.com
Key:
Key type :rsaEncryption (1.2.840.113549.1.1.1)
Key size :2048
Attributes:
element#no="1":
Type :extensionRequest (1.2.840.113549.1.9.14)
Value 1:
Alternative names:
Significance:Non critical
Value:
element#no="1":
GeneralName :GN-dNSName:testme.saptest.com
Signature:
Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
Signature bits ( size="2048" ):
PKCS#10 certificate request for "/usr/sap/WDD/W55/sec/SAPSSLS.pse":
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
sapgenpse get_my_name -p SAPSSLS.pse
SSO for USER "sidadm"
with PSE file "/usr/sap/WDD/W55/sec/SAPSSLS.pse"
Subject : CN=saptest.com
Issuer : CN=saptest.com
Serialno : 0A:20:15:11:12:02:02:28
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Thu Nov 12 14:02:28 2015 (151112020228Z)
NotAfter : Fri Jan 1 12:00:01 2038 (380101000001Z)
KeyUsage : none
ExtKeyUsage : none
SubjectAltName : none
Hi Donald,
Have you imported the response?
The CSR shows the SAN value:
"...
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:testme.saptest.com
..."
The SAN value will appear after you import the response.
And, just a clarification: point 4 of note 2209439 says that the SAN is included in the CSR - it doesn't say that the PSE will immediately show the value of the new attribute. 😉
Cheers,
Cris
Thanks, I soon realised this about the new feature in sapgenpse when I reviewed the SAP note.
I should have tested the generated CSR with the likes of the openssl command:
openssl req -text -noout -in <CSR file>
I have tested the certificate by self-signing using openssl, and I forgot to set this parameter in the CA:
copy_extensions = copy
It would have been easy if SAP hadn't removed its test SSL service, service.sap.com/SSLTest.
Anyway, all good now!
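The two checks above (look at the CSR with openssl before sending it off, and make sure the signing CA actually copies the requested extensions) can be run end to end on a workstation. The script below is an added example and not code from the original post or from SAP: it stands in for sapgenpse with openssl, creates a throwaway test CA, signs the same CSR once with OpenSSL's default copy_extensions = none (which silently drops the SAN, reproducing the blank SubjectAltName reported above) and once with copy_extensions = copy, and then prints the DNS names found in each result. The host names are the article's, the CA name, organization and paths are made up, and the same `openssl x509 -text` check is what one would run on a real CA response before importing it with sapgenpse import_own_cert.

```shell
#!/bin/sh
# Added example (not from the original post): show that a SAN requested in a
# PKCS#10 CSR survives signing only when the CA copies request extensions.
# All names, paths and the CA itself are made up for the demonstration.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SERVER_FQDN="myehp7system.mydomain.com"   # the SAN from the article's example
SUBJECT_CN="vertigo.mydomain.com"         # the CN of the PSE owner in the article

# Throwaway CA: self-signed root with basicConstraints/keyUsage set explicitly
# so the chain verifies regardless of the system openssl.cnf defaults.
make_ca() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"
    echo 01 > "$WORK/ca/serial"
    cat > "$WORK/ca/req-ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
CN = Throwaway Test CA
O  = Example
C  = BR
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/ca/req-ca.cnf" \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
}

# Server CSR carrying the SAN in the PKCS#10 extensionRequest attribute
# (the same place sapgenpse gen_pse -k GN-dNSName:... puts it).
make_csr() {
    cat > "$WORK/req-server.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = san_ext
[ dn ]
CN = $SUBJECT_CN
O  = Example
C  = BR
[ san_ext ]
subjectAltName = DNS:$SERVER_FQDN
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/req-server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Sign the CSR with the test CA. $1 is the copy_extensions value: "none"
# (OpenSSL's default, which drops the requested SAN) or "copy".
sign_csr() {
    cat > "$WORK/ca/ca-$1.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database        = $WORK/ca/index.txt
serial          = $WORK/ca/serial
new_certs_dir   = $WORK/ca/newcerts
certificate     = $WORK/ca/ca.crt
private_key     = $WORK/ca/ca.key
default_md      = sha256
default_days    = 1
unique_subject  = no
policy          = policy_any
copy_extensions = $1
[ policy_any ]
commonName       = supplied
organizationName = optional
countryName      = optional
EOF
    openssl ca -batch -notext -config "$WORK/ca/ca-$1.cnf" \
        -in "$WORK/server.csr" -out "$WORK/server-$1.crt" 2>/dev/null
}

# Print the DNS entries of the SAN in the CSR, or in a signed certificate.
csr_san()  { openssl req  -noout -text -in "$WORK/server.csr"    | sed -n 's/^ *DNS:/DNS:/p'; }
cert_san() { openssl x509 -noout -text -in "$WORK/server-$1.crt" | sed -n 's/^ *DNS:/DNS:/p'; }

# What a client does with the result: chain to the CA and match the host name.
# With no SAN only the CN is consulted, and it is not the host being connected to.
hostname_ok() {
    openssl verify -CAfile "$WORK/ca/ca.crt" -verify_hostname "$SERVER_FQDN" \
        "$WORK/server-$1.crt" >/dev/null 2>&1
}

make_ca
make_csr
sign_csr none
sign_csr copy
echo "CSR SAN:                        $(csr_san)"
echo "cert SAN, copy_extensions=none: $(cert_san none)"
echo "cert SAN, copy_extensions=copy: $(cert_san copy)"
```

The certificate signed with copy_extensions = none shows no DNS entry at all, exactly the blank SubjectAltName seen in the comment above, and fails host name verification for myehp7system.mydomain.com because only the CN is left to compare; the one signed with copy_extensions = copy carries the SAN and verifies. A commercial or corporate CA applies its own equivalent policy, so checking the returned certificate with `openssl x509 -noout -text` before import_own_cert is the cheap way to catch the same problem.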
Thanks, Christiano, for the information.
Very useful for our Web Dispatchers.
One additional Question.
Do you know the syntax of the AN string, if you want to add multiple dNSNames?
Regards Alexander
It is not true that it is not possible to include SANs in the PKCS#10 request created out of STRUST. The prerequisite is to install CommonCryptoLib 8.4.42 or higher.
See for detail SAP note 2209439 point 4.
For STRUST managed PSEs this is the way to go:
*****
Add your subjectAlternativeName of type DNSName by placing a string "DNS=<fqdn1>:<fqdn2>...," at the beginning of the DN field in the Revise DN dialog. Only in case the 255 character DN limitation of STRUST will not allow you to add all required SANs or you need to add SANs for existing key pairs, then use sapgenpse on OS level of the application server to create the certificate requests. With sapgenpse create only certificate requests out of already existing PSEs which were created and distributed to the OS from STRUST. Import also in these cases the certificate responses only with STRUST, not with sapgenpse.
Cause: It is necessary that all modifying operations on STRUST managed PSEs are done in STRUST only. Otherwise you bypass the automatic key distribution of the database and as a result you will lose your manual changes at the latest with the next instance restart. Hence, whenever you perform a manual modifying action on a STRUST managed PSE you will have to upload and store the modified PSE to STRUST to update the database.
*****
For all PSEs which are not managed within STRUST, of course, the maintenance with sapgenpse is correct.
Thanks Uwe.
I saw that note 2209439 is updated and point 4 contains a warning.
Hi Cristiano,
By using the command I'm able to see the subject alternative name. But when the certificate is expiring and I don't want to create a new PSE again, I just want to create the request from the PSE via the command:
/usr/sap/SID/SYS/exe/run/sapgenpse gen_pse -p /usr/sap/SID/DVEBMGS<IN>/sec/SAPSSLS.pse -r /usr/sap/SID/DVEBMGS<IN>/sec/name.csr -onlyreq
the CSR file doesn't contain the subject alternative name.
Do you have any idea?
Viktor
Hi Viktor,
Please use STRUST. You can follow the new document (2478769) that describes the steps to use STRUST.
Thank you,
Cris
Hi Cris,
thank you for your answer. What about Java portals? I created a new PSE file at OS level, got it signed and imported the response. But when I generate a new CSR request from NWA it doesn't contain the subject alternative name.
Could you please advise?
Thanks
Viktor
Hi Viktor,
Please submit your question via support incident (or expert chat), under BC-JAS-SEC component.
The experts in Portal security should be able to point you in the right path to have it done via NWA.
Kind regards,
Cris