Skip to Content
Author's profile photo Nils Knieling

Fix Chrome “missing_subjectAltName” error with SAP NetWeaver Application Server ABAP

Since version 58, Google Chrome requires SSL certificates to use SAN (Subject Alternative Name) instead of the popular Common Name (CN).  By default an SAP NetWeaver Application Server does not generate certificates with SAN attribute. Users therefore receive an error message, like this one:

 

SAP Note 2209439 briefly describes the generation of a certificate with SAN attribute. I would like to describe the procedure somewhat more precisely with this blog article.

 

First you have to check the Installed SAPCryptoLib version. This is done with the ABAP report SSF02 (transaction SA38). You must have a version greater than 8.4.42.

 

Next, create a new certificate.This can be done with transaction STRUST.

 

 

To get a certificate with Subject Alternative Name (SAN), you must now enter DNS=<FQDN> at the beginning of the DN field:

You can specify multiple server names separated by colon “:”.

 

Then you should have a certificate with DNS tag:

 

To sign the new certificate, create a CSR in the usual way.

 

A look at the decoded CSR (https://www.sslshopper.com/csr-decoder.html) shows the SAN attribute:

 

The DNS attribute is inserted twice for a server name. But that should not confuse you. It still works.

After you install the signed certificate, Chrome also accepts the secured connection again.

Assigned tags

      7 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Derbal Billel
      Derbal Billel

      Great article, Thanks a lot !

      Author's profile photo Jayesh Kothari
      Jayesh Kothari

      thanks for sharing!

      Author's profile photo Patrick Bode
      Patrick Bode

      Thanks Nils! 😉

      Author's profile photo Tomas Lindberg
      Tomas Lindberg

       

      Thanks Nils, I have the exact same issue but for a Java NW Portal. Would you happend to know how this is applicable in the SSL configuration of the NWA? There is an option to add SubjectAltName but this doesn't seem to work for me.

      After I have filled thiese entries, and imported CSR Response, I still get the warning in Chrome.

      Author's profile photo Daniel Masaladzic
      Daniel Masaladzic

      Hello Tomas,

      maybe SNOTE "2488621 - Create certificate with SAN Attribute outside of NWA" can help you here?

      Regards

      Daniel

       

      Author's profile photo Armaghan Shahzad
      Armaghan Shahzad

      Hi Tomas,

      Did you manage to get the solution?

       

      Regards

      Armaghan

      Author's profile photo Basis Team
      Basis Team

      It worked. Thanks a lot for detailed steps.