
In my previous blog, "Tips & tricks for an optimized HANA 2.0, express edition installation on an Intel 6th generation NUC", I mentioned SAP Note 2243019 (Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model) and showed the provisioning command, but did not go into much detail.

In this blog, I would therefore like to share a bit more insight. There are of course many CA tools, but I am using EJBCA.

To start with, I create a server certificate for my HANA XSA system as usual:

This provides me with two crucial files:

  1. hxehost.dyndns.org.p12 (private key – Download to Firefox)
  2. hxehost.dyndns.org.pem (host certificate – Download PEM file)

However, per SAP Note 2243019 (Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model), I need the complete chain of X.509 PEM-encoded certificates. Therefore, I download the CA certificate as PEM:

Unfortunately, these certificates are not yet in the required format, so I convert them per How to convert a certificate into the appropriate format.

Convert the key file into an unencrypted RSA private key in PKCS8 format encoded as PEM. Both output files contain the private key in clear text (-nodes and -nocrypt disable encryption), so keep them in a protected directory and delete them once the certificate has been uploaded:

C:\openssl-1.0.2k-x64_86-win64>openssl pkcs12 -in hxehost.dyndns.org.p12 -nocerts -nodes -out hxehost.dyndns.org-key.pem
Enter Import Password:
MAC verified OK

C:\openssl-1.0.2k-x64_86-win64>openssl pkcs8 -in hxehost.dyndns.org-key.pem -topk8 -nocrypt -out hxehost.dyndns.org-key.pk8

Combine the host certificate and the CA certificate so that the certificate-chain file includes the complete chain of X.509 PEM-encoded certificates. The order of the certificates must ensure that a signed certificate is always followed by its signing certificate. In other words, put the root certificate last:

C:\openssl-1.0.2k-x64_86-win64>copy hxehost.dyndns.org.pem + compriseitcom.pem hxehost.dyndns.org-cert.pem
hxehost.dyndns.org.pem
compriseitcom.pem
        1 file(s) copied.

Finally, I use the SAP HANA XS advanced command-line client to upload my custom certificates for my domain:

C:\XS_CLIENT00P_46-70001792\bin>xs set-certificate hxehost.dyndns.org -k \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-key.pk8 -c \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-cert.pem

Setting SSL certificate for domain hxehost.dyndns.org as xsa_admin...
OK
TIP: Restart the SAP XS Controller to ensure your changes take effect for all applications.
Alternatively use 'xs restage' and 'xs restart' for all applications.

After a restart, I got a secure connection to all my HANA XSA services for this domain:

This might have looked a bit tedious to start with, but now you have got it. Well done.
