Cristiano Hansen

Subject Alternative Name (SAN) with sapgenpse (CommonCryptoLib)

Important update (from Sept 2017):

If you are using AS ABAP, use STRUST: it is possible to add a SAN via STRUST.
Using sapgenpse for AS ABAP is an error-prone manual approach.

Recommended additional reading:

  • For SAP NetWeaver ABAP: SAP Note 2478769 – Create certificates with Subject Alternative Name (SAN) within STRUST
  • For SAP Web Dispatcher: SAP Note 2502649 – Creating certificates with Subject Alternative Name (SAN) through the Web Admin page

End of update.


A few days ago I saw (and answered) a question about how to create an SSL server PSE with a Subject Alternative Name (SAN).

At the time of writing, STRUST offered no way to add a SAN, so the alternative was the command line tool sapgenpse.

CommonCryptoLib 8.4.42 (or higher) is required so that sapgenpse can put the Subject Alternative Name into the certificate request. More details can be found in point 4 of SAP Note 2209439.

 

A quick test:

sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSAN.pse -k GN-dNSName:myehp7system.mydomain.com

Please enter PSE PIN/Passphrase: *********
Please reenter PSE PIN/Passphrase: *********
get_pse: Distinguished name of PSE owner: CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
Certificate Request:
  Signed Part:
    Subject     :CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
    Key:
      Key type    :rsaEncryption (1.2.840.113549.1.1.1)
      Key size    :2048
    Attributes:
      element#no="1":
        Type        :extensionRequest (1.2.840.113549.1.9.14)
        Value 1:
          Alternative names:
            Significance:Non critical
            Value:
              element#no="1":
                GeneralName :GN-dNSName:myehp7system.mydomain.com
  Signature:
    Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
    Signature bits ( size="2048" ):

PKCS#10 certificate request for "SAPSAN.pse":

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Importing the response:

sapgenpse import_own_cert -c cert.p7b -p SAPSAN.pse

CA-Response successfully imported into PSE "SAPSAN.pse"


Checking the content:

sapgenpse get_my_name -p SAPSAN.pse

Subject               :   CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
Issuer                :   …
Serialno              :   …
KeyInfo               :   RSA, 2048-bit
Validity  –  NotBefore:   …
             NotAfter :   …
KeyUsage              :   digitalSignature keyEncipherment
ExtKeyUsage           :   ServerAuthentication ClientAuthentication
SubjectAltName        :   GN-dNSName:myehp7system.mydomain.com

The SubjectAltName line is only populated after the CA response has been imported. Right after gen_pse the PSE still holds a self-signed certificate and get_my_name reports SubjectAltName : none, even though the CSR already carries the extension request; and if the CA does not copy the requested extension into the issued certificate, the PSE will still show none after import_own_cert.

Time to open the PSE in STRUST and save it as the SSL server PSE identity. This last step is what makes the change stick: STRUST-managed PSEs are distributed from the database to the application servers, so a PSE that is only replaced on the file system is overwritten again at the latest with the next instance restart.

I created a new server identity for testing purposes (Environment -> SSL Server Identities):

[Screenshot STRUST01.jpg]

I used the option File to open the PSE created with sapgenpse:

[Screenshot STRUST02.jpg]

Finally, I used the menu PSE -> Save as... to replace the current PSE with the one created using sapgenpse:

[Screenshot STRUST03.jpg]

The result: an SSL server PSE with a SAN:

[Screenshot STRUST04.jpg]

10 Comments

      Former Member

      Hi Cristiano, great to see this feature added to the SAP Cryptographic Library. I tested your example and somehow the SAN doesn't stick in the certificate!

      I have signed the CSR many times and the SubjectAltName is blank. Even testing the PSE that's generated right after running the gen_pse command shows SubjectAltName is blank. I used CommonLib 8.4.45.


      sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSSLS.pse -k GN-dNSName:testme.saptest.com

      Please enter PSE PIN/Passphrase: **********
      Please reenter PSE PIN/Passphrase: **********
      get_pse: Distinguished name of PSE owner: CN=saptest.com
      Certificate Request:
        Signed Part:
          Subject     :CN=saptest.com
          Key:
            Key type    :rsaEncryption (1.2.840.113549.1.1.1)
            Key size    :2048
          Attributes:
            element#no="1":
              Type        :extensionRequest (1.2.840.113549.1.9.14)
              Value 1:
                Alternative names:
                  Significance:Non critical
                  Value:
                    element#no="1":
                      GeneralName :GN-dNSName:testme.saptest.com
        Signature:
          Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
          Signature bits ( size="2048" ):

      PKCS#10 certificate request for "/usr/sap/WDD/W55/sec/SAPSSLS.pse":

      -----BEGIN CERTIFICATE REQUEST-----
      MIICizCCAXMCAQAwFjEUMBIGA1UEAxMLc2FwdGVzdC5jb20wggEiMA0GCSqGSIb3
      DQEBAQUAA4IBDwAwggEKAoIBAQCkZ0TU94iwBpsU8k0gtZqiKqYQe2flXexFR2GW
      TBhSKRUNSRC+hCGXlTa2HunyJVx4RRg2GCpTyxKIPHmxso2yolnh5O2lL6azJS00
      cONxUws9rn/sz0iba3jMPO4cYstJl4ggEk7a9jxFJ0ZeifmkYZGbUcof5236Jows
      N/9xFrSAampKCPRN+kceE5QsRDRXGIHZJaTQzh4c8hItZNoppzjNmXH79mr2bNs6
      bUkVYmFeCU2sdhkD8yO2AJGerCtZsvEXv9DtASCtESC5hTVSQElO4D0z0UG2RuAH
      rA9DHcpP+piqAW/vAAi+MAl/MTxDKwaZnrquZHIVQzr7bS7NAgMBAAGgMDAuBgkq
      hkiG9w0BCQ4xITAfMB0GA1UdEQQWMBSCEnRlc3RtZS5zYXB0ZXN0LmNvbTANBgkq
      hkiG9w0BAQsFAAOCAQEAOAQhawTo07o/2s/uTaOD9I40WvWTaRU/qaFgTFYUkXCo
      zDH0A4CifZCIF3tVk08mYLLpdeoKyJ3SGdEzodFPVwROsxTaQQ3tAGpJ62YhMTZ9
      4i0OakuE6jrR/XJsvP+b/MaeFqvbeGm+JAX4k5xHIA1K6TEZV3Qsca/9YLCno3nn
      vYK5DlQ7gVQXZq4wedy12c58kQXAM8LIF8lKTc819pz4pGPkyo7I+9IjZNq+nBzk
      LxCqhVOICGL0AIq24yU37ywhuF6c8yatZGTXj6BEJVRjBJzzAo4qW3ZT1SHUEXqQ
      4AFCgfxANxwvrGC8VDzk4cRhqJ92mFzd+U//RllITw==
      -----END CERTIFICATE REQUEST-----

      sapgenpse get_my_name -p SAPSSLS.pse
      SSO for USER "sidadm"
        with PSE file "/usr/sap/WDD/W55/sec/SAPSSLS.pse"

      Subject               :   CN=saptest.com
      Issuer                :   CN=saptest.com
      Serialno              :   0A:20:15:11:12:02:02:28
      KeyInfo               :   RSA, 2048-bit
      Validity  -  NotBefore:   Thu Nov 12 14:02:28 2015 (151112020228Z)
                   NotAfter :   Fri Jan  1 12:00:01 2038 (380101000001Z)
      KeyUsage              :   none
      ExtKeyUsage           :   none
      SubjectAltName        :   none

      Cristiano Hansen (Blog Post Author)

      Hi Donald,

      Have you imported the response?

      The CSR shows the SAN value:

      "...
      Requested Extensions:
         X509v3 Subject Alternative Name:
           DNS:testme.saptest.com
      ..."

      The SAN value will appear after you import the response.

      And, just a clarification, point 4 of note 2209439 says that the SAN is included in the CSR - it doesn't mention that the PSE will immediately show the value of the new attribute. 😉

      Cheers,
      Cris

      Former Member

      Thanks, I soon realised this about the new feature in sapgenpse when I reviewed the SAP note.

      I should have tested the generated CSR with the likes of the openssl command:

      openssl req -text -noout -in <CSR file>

      I have tested the certificate by self-signing using openssl, and I forgot to set this parameter in the CA:

      copy_extensions = copy

      It would have been easy if SAP hadn't removed its SSL test service, service.sap.com/SSLTest.

      Anyway, all good now!
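The exchange above (and the "Checking the content" step in the post, where the SubjectAltName line of get_my_name only fills in once the CA response is imported) comes down to one question: is the SAN in the CSR, and did the CA carry it over into the certificate? The following script is an added example, not code from the original post, from SAP or from the commenters. It does what the openssl req -text check above does for the SAN only, with no dependency on OpenSSL: a minimal DER walker that pulls the subjectAltName entries out of a CSR or a certificate and reports which requested names a CA response failed to carry over. The CSR it parses is the one posted in the comment thread above; the "certificate without SAN" is a constructed stand-in (an empty DER SEQUENCE, not a real CA response) for a signer that discarded the extension request.

```python
import base64
import re

# Sample input: the PKCS#10 request posted in the comment thread above
# (CN=saptest.com, 2048-bit RSA, one requested dNSName).
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICizCCAXMCAQAwFjEUMBIGA1UEAxMLc2FwdGVzdC5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCkZ0TU94iwBpsU8k0gtZqiKqYQe2flXexFR2GW
TBhSKRUNSRC+hCGXlTa2HunyJVx4RRg2GCpTyxKIPHmxso2yolnh5O2lL6azJS00
cONxUws9rn/sz0iba3jMPO4cYstJl4ggEk7a9jxFJ0ZeifmkYZGbUcof5236Jows
N/9xFrSAampKCPRN+kceE5QsRDRXGIHZJaTQzh4c8hItZNoppzjNmXH79mr2bNs6
bUkVYmFeCU2sdhkD8yO2AJGerCtZsvEXv9DtASCtESC5hTVSQElO4D0z0UG2RuAH
rA9DHcpP+piqAW/vAAi+MAl/MTxDKwaZnrquZHIVQzr7bS7NAgMBAAGgMDAuBgkq
hkiG9w0BCQ4xITAfMB0GA1UdEQQWMBSCEnRlc3RtZS5zYXB0ZXN0LmNvbTANBgkq
hkiG9w0BAQsFAAOCAQEAOAQhawTo07o/2s/uTaOD9I40WvWTaRU/qaFgTFYUkXCo
zDH0A4CifZCIF3tVk08mYLLpdeoKyJ3SGdEzodFPVwROsxTaQQ3tAGpJ62YhMTZ9
4i0OakuE6jrR/XJsvP+b/MaeFqvbeGm+JAX4k5xHIA1K6TEZV3Qsca/9YLCno3nn
vYK5DlQ7gVQXZq4wedy12c58kQXAM8LIF8lKTc819pz4pGPkyo7I+9IjZNq+nBzk
LxCqhVOICGL0AIq24yU37ywhuF6c8yatZGTXj6BEJVRjBJzzAo4qW3ZT1SHUEXqQ
4AFCgfxANxwvrGC8VDzk4cRhqJ92mFzd+U//RllITw==
-----END CERTIFICATE REQUEST-----
"""

# Constructed stand-in (hypothetical, not from the page) for a CA response whose
# signer discarded the requested extensions: an empty DER SEQUENCE carries no SAN.
CERT_WITHOUT_SAN_DER = bytes.fromhex("3000")

# DER of OBJECT IDENTIFIER 2.5.29.17 (id-ce-subjectAltName), tag and length included.
OID_SAN = bytes.fromhex("0603551d11")
# GeneralName context tags reported here (IP only as IPv4); otherName etc. are skipped.
GENERAL_NAME_TAGS = {0x81: "email", 0x82: "DNS", 0x86: "URI", 0x87: "IP"}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def iter_children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def find_san_octets(buf: bytes, start: int, end: int):
    """Depth-first search for Extension ::= SEQUENCE { id-ce-subjectAltName, [critical], OCTET STRING }.
    The same structure sits in a CSR's extensionRequest attribute and in a certificate's
    [3] extensions, so one walker serves both. Returns the OCTET STRING contents or None."""
    for tag, vstart, vend in iter_children(buf, start, end):
        if not tag & 0x20:  # primitive (INTEGER, OID, BIT STRING, ...): nothing to descend into
            continue
        if buf[vstart:vstart + len(OID_SAN)] == OID_SAN:
            for ctag, cstart, cend in iter_children(buf, vstart, vend):
                if ctag == 0x04:
                    return buf[cstart:cend]
        found = find_san_octets(buf, vstart, vend)
        if found is not None:
            return found
    return None


def extract_san(der: bytes) -> list:
    """Return the subjectAltName entries of a DER CSR or certificate as 'TYPE:value' strings."""
    octets = find_san_octets(der, 0, len(der))
    if octets is None:
        return []
    _, gstart, gend = read_tlv(octets, 0)  # GeneralNames ::= SEQUENCE OF GeneralName
    names = []
    for tag, vstart, vend in iter_children(octets, gstart, gend):
        kind = GENERAL_NAME_TAGS.get(tag)
        if kind == "IP" and vend - vstart == 4:
            names.append("IP:" + ".".join(str(b) for b in octets[vstart:vend]))
        elif kind and kind != "IP":
            names.append(kind + ":" + octets[vstart:vend].decode("ascii"))
    return names


def san_dropped_by_ca(csr_der: bytes, cert_der: bytes) -> set:
    """Requested names the issued certificate does not carry. Non-empty means the CA
    (e.g. an OpenSSL CA run without copy_extensions = copy) discarded the extension
    request, which is why the PSE still reports 'SubjectAltName : none' after import."""
    return set(extract_san(csr_der)) - set(extract_san(cert_der))


if __name__ == "__main__":
    csr = pem_to_der(CSR_PEM)
    print("SAN requested in CSR:", extract_san(csr))
    print("Dropped by the CA   :", san_dropped_by_ca(csr, CERT_WITHOUT_SAN_DER))
```

If sapgenpse get_my_name still reports SubjectAltName : none after import_own_cert, run the DER of the end-entity certificate from the CA response through extract_san: an empty list means the CA, not sapgenpse, dropped the extension. For an OpenSSL test CA that is the copy_extensions = copy setting from the comment, which lives in the CA section (typically [ CA_default ]) of openssl.cnf. The walker is a diagnostic only: it does not validate the signature or reject malformed DER.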

      Alexander Hillenkötter

      Thanks, Cristiano, for the information.

      Very useful for our Web Dispatchers.

      One additional question.

      Do you know the syntax of the SAN string if you want to add multiple dNSNames?

      Regards, Alexander

      Former Member

      It is not true that it is not possible to include SANs in the PKCS#10 request created out of STRUST. The prerequisite is to install CommonCryptoLib 8.4.42 at minimum.

      See SAP Note 2209439 point 4 for details.

      For STRUST-managed PSEs this is the way to go:

      *****

      Add your subjectAlternativeName of type DNSName by placing a string "DNS=<fqdn1>:<fqdn2>...," at the beginning of the DN field in the Revise DN dialog. Only in case the 255 character DN limitation of STRUST will not allow you to add all required SANs, or you need to add SANs for existing key pairs, use sapgenpse at OS level of the application server to create the certificate requests. With sapgenpse create only certificate requests out of already existing PSEs which were created and distributed to the OS from STRUST. In these cases, too, import the certificate responses only with STRUST, not with sapgenpse.

      Cause: It is necessary that all modifying operations on STRUST-managed PSEs are done in STRUST only. Otherwise you bypass the automatic key distribution of the database and as a result you will lose your manual changes at the latest with the next instance restart. Hence, whenever you perform a manual modifying action on a STRUST-managed PSE, you will have to upload and store the modified PSE in STRUST to update the database.

      *****

      For all PSEs which are not managed within STRUST, of course, maintenance with sapgenpse is correct.

      Cristiano Hansen (Blog Post Author)

      Thanks Uwe.
      I saw that note 2209439 has been updated and point 4 now contains a warning.


      Former Member

      Hi Cristiano,

      By using the command I'm able to see the subject alternative name. But when the certificate is expiring and I don't want to create a new PSE again, I just want to create a request from the PSE via the command:

      /usr/sap/SID/SYS/exe/run/sapgenpse gen_pse -p /usr/sap/SID/DVEBMGS<IN>/sec/SAPSSLS.pse -r /usr/sap/SID/DVEBMGS<IN>/sec/name.csr -onlyreq

      The CSR file doesn't contain the subject alternative name.

      Do you have any idea?

      Viktor

      Cristiano Hansen (Blog Post Author)

      Hi Viktor,

      Please use STRUST. You can follow the new document (2478769) that mentions the steps to use STRUST.

      Thank you,
      Cris

      Former Member

      Hi Cris,

      Thank you for your answer. What about Java portals? I created a new PSE file at OS level, got it signed and imported the response. But when I generate a new CSR request from NWA it doesn't contain the subject alternative name.

      Could you please advise?

      Thanks
      Viktor


      Cristiano Hansen (Blog Post Author)

      Hi Viktor,

      Please submit your question via a support incident (or expert chat) under the BC-JAS-SEC component.
      The experts in Portal security should be able to point you on the right path to have it done via NWA.

      Kind regards,
      Cris