Since version 58, Google Chrome requires SSL certificates to carry the server name in the SAN (Subject Alternative Name) extension instead of the popular Common Name (CN). By default, an SAP NetWeaver Application Server does not generate certificates with a SAN attribute. Users therefore receive an error message like this one:

 

SAP Note 2209439 briefly describes the generation of a certificate with SAN attribute. I would like to describe the procedure somewhat more precisely with this blog article.

 

First, you have to check the installed SAPCryptoLib version. This is done with the ABAP report SSF02 (transaction SA38). You must have a version greater than 8.4.42.

 

Next, create a new certificate. This can be done with transaction STRUST.

 

 

To get a certificate with Subject Alternative Name (SAN), you must now enter DNS=<FQDN> at the beginning of the DN field:

You can specify multiple server names separated by a colon “:”.

 

Then you should have a certificate with a DNS tag:

 

To sign the new certificate, create a CSR in the usual way.

 

A look at the decoded CSR (https://www.sslshopper.com/csr-decoder.html) shows the SAN attribute:

 

The DNS attribute is inserted twice for a server name, but that should not confuse you. It still works.
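The same check can be done locally instead of pasting the CSR into an online decoder. The following is an added example, not code from this post or from SAP: a standard-library Python DER walker that lists every dNSName in the SAN extension request of a CSR, duplicates included. The host names and the `sample_csr` skeleton are constructed for illustration.

```python
import base64

SAN_OID = bytes.fromhex("0603551d11")                  # OID 2.5.29.17, subjectAltName
EXT_REQ_OID = bytes.fromhex("06092a864886f70d01090e")  # PKCS#9 extensionRequest

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for the sibling DER elements stored back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def walk(buf):  # depth-first traversal, descending only into constructed tags
    for tag, value in children(buf):
        yield tag, value
        if tag & 0x20:
            yield from walk(value)

def san_dns_names(der):
    """Return every dNSName of the requested SAN extension, duplicates included."""
    for tag, value in walk(der):
        if tag == 0x30 and value.startswith(SAN_OID):  # the Extension SEQUENCE
            octets = list(children(value))[-1][1]      # extnValue OCTET STRING
            names = next(children(octets))[1]          # GeneralNames SEQUENCE
            return [v.decode("ascii") for t, v in children(names) if t == 0x82]
    return []

def pem_to_der(pem):
    """Drop the BEGIN/END lines of a PEM CSR and decode the base64 body."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def tlv(tag, body):  # DER encoder for the sample, short-form length (< 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_csr(hosts):
    """Constructed CSR skeleton in DER: SAN request only, no public key or signature."""
    names = b"".join(tlv(0x82, h.encode()) for h in hosts)
    ext = tlv(0x30, SAN_OID + tlv(0x04, tlv(0x30, names)))
    attr = tlv(0x30, EXT_REQ_OID + tlv(0x31, tlv(0x30, ext)))
    return tlv(0x30, tlv(0x30, b"\x02\x01\x00" + tlv(0x30, b"") + tlv(0xA0, attr)))
```

For a real CSR in PEM form, call `san_dns_names(pem_to_der(text))`; an empty list means the request carries no SAN DNS entry.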

After you install the signed certificate, Chrome also accepts the secured connection again.
