Fix Chrome “missing_subjectAltName” error with SAP NetWeaver Application Server ABAP
Since version 58, Google Chrome requires SSL certificates to use SAN (Subject Alternative Name) instead of the popular Common Name (CN). By default an SAP NetWeaver Application Server does not generate certificates with SAN attribute. Users therefore receive an error message, like this one:
SAP Note 2209439 briefly describes the generation of a certificate with SAN attribute. I would like to describe the procedure somewhat more precisely with this blog article.
First you have to check the Installed SAPCryptoLib version. This is done with the ABAP report SSF02 (transaction SA38). You must have a version greater than 8.4.42.
Next, create a new certificate.This can be done with transaction STRUST.
To get a certificate with Subject Alternative Name (SAN), you must now enter DNS=<FQDN> at the beginning of the DN field:
You can specify multiple server names separated by colon “:”.
Then you should have a certificate with DNS tag:
To sign the new certificate, create a CSR in the usual way.
A look at the decoded CSR (https://www.sslshopper.com/csr-decoder.html) shows the SAN attribute:
The DNS attribute is inserted twice for a server name. But that should not confuse you. It still works.
After you install the signed certificate, Chrome also accepts the secured connection again.
Great article, Thanks a lot !
thanks for sharing!
Thanks Nils! 😉
Thanks Nils, I have the exact same issue but for a Java NW Portal. Would you happend to know how this is applicable in the SSL configuration of the NWA? There is an option to add SubjectAltName but this doesn't seem to work for me.
After I have filled thiese entries, and imported CSR Response, I still get the warning in Chrome.
Hello Tomas,
maybe SNOTE "2488621 - Create certificate with SAN Attribute outside of NWA" can help you here?
Regards
Daniel
Hi Tomas,
Did you manage to get the solution?
Regards
Armaghan
It worked. Thanks a lot for detailed steps.