Providing OpenSSL certificates for domains defined in HANA XSA
In my previous blog, Tips & tricks for an optimized HANA 2.0, express edition installation on an Intel 6th generation NUC, I mention SAP Note 2243019 – Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model and show the provisioning command, but do not go into much detail.
In this blog, I would therefore like to share a bit more insight. There are of course many CA tools, but I am using EJBCA.
To start with, I create a server certificate for my HANA XSA system as usual:
This provides me with two crucial files:
- hxehost.dyndns.org.p12 (private key – Download to Firefox)
- hxehost.dyndns.org.pem (host certificate – Download PEM file)
SAP Note 2243019 – Providing SSL certificates for domains defined in SAP HANA extended application services, advanced model, however, requires the complete chain of X.509 PEM-encoded certificates, so I also download the CA certificate as PEM:
Unfortunately, these files are not yet in the format the Note requires, so I convert them following How to convert a certificate into the appropriate format.
Convert the key into an unencrypted RSA private key in PKCS#8 format, PEM-encoded. The first command extracts the key from the PKCS#12 file (it prompts for the import password you set when downloading from EJBCA); the second rewrites it as a bare PKCS#8 PEM block, which also drops the Bag Attributes header lines that the pkcs12 command prints in front of the key. Both output files contain the private key in the clear, so keep them in a protected location and delete them once the upload has succeeded:
C:\openssl-1.0.2k-x64_86-win64>openssl pkcs12 -in hxehost.dyndns.org.p12 -nocerts -nodes -out hxehost.dyndns.org-key.pem
Enter Import Password:
MAC verified OK
C:\openssl-1.0.2k-x64_86-win64>openssl pkcs8 -in hxehost.dyndns.org-key.pem -topk8 -nocrypt -out hxehost.dyndns.org-key.pk8
Combine the host certificate and the CA certificate so that the certificate-chain file contains the complete chain of X.509 PEM-encoded certificates. The order matters: a signed certificate must always be followed by the certificate that signed it. In other words, the host certificate comes first, any intermediate CA certificate follows it, and the root certificate goes last. In my case the chain has only two links, so a single concatenation does it. When combining files, copy works in text mode by default and appends a Ctrl-Z end-of-file marker to the result; add /b (copy /b a.pem + b.pem out.pem) if you want a byte-exact concatenation:
C:\openssl-1.0.2k-x64_86-win64>copy hxehost.dyndns.org.pem + compriseitcom.pem hxehost.dyndns.org-cert.pem
hxehost.dyndns.org.pem
compriseitcom.pem
1 file(s) copied.
Finally, I use the SAP HANA XS advanced command-line client to upload my custom certificates for my domain:
C:\XS_CLIENT00P_46-70001792\bin>xs set-certificate hxehost.dyndns.org -k \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-key.pk8 -c \openssl-1.0.2k-x64_86-win64\hxehost.dyndns.org-cert.pem
Setting SSL certificate for domain hxehost.dyndns.org as xsa_admin...
OK
TIP: Restart the SAP XS Controller to ensure your changes take effect for all applications.
Alternatively use 'xs restage' and 'xs restart' for all applications.
After a restart, I got a Secure Connection to all my HANA XSA services for this domain:
This might have looked a bit tedious to start with, but now you have it. Well done.
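The whole procedure end to end, as an added example that is not part of the original post: it builds a throwaway root CA, intermediate CA and host certificate (so it runs offline), hands the host key out as a PKCS#12 the way the EJBCA download does, repeats the two key conversions and the chain concatenation from above, and then runs the three checks I would want before calling xs set-certificate: the key matches the certificate, every certificate in the chain file is followed by its signer with the root last, and OpenSSL can verify the leaf against the chain. The hostname, CA names and PKCS#12 password are made up, and the script assumes a POSIX shell with the openssl command-line tool; cat stands in for the Windows copy /b.

```shell
#!/bin/sh
# Added example (not the blog's own code): throwaway PKI + the post's
# conversion/chain steps + pre-upload checks. Requires the openssl CLI.
set -eu

HOST="hxehost.example.test"   # assumed hostname, not the blog's
P12PASS="changeit"            # assumed PKCS#12 import password
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI: self-signed root CA -> intermediate CA -> host certificate.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > host.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 -extfile ca.ext 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Test Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -out inter.pem -days 30 -extfile ca.ext 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout host.key -out host.csr -subj "/CN=$HOST" 2>/dev/null
  openssl x509 -req -in host.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out host.pem -days 30 -extfile host.ext 2>/dev/null
  # What the EJBCA "Download to Firefox" hands you: key + certificate in a PKCS#12.
  openssl pkcs12 -export -inkey host.key -in host.pem -out host.p12 -passout "pass:$P12PASS"
  rm -f host.key   # from here on only the P12 and the PEM certificates exist, as in the post
}

# Step 1 of the post: PKCS#12 -> unencrypted PEM key -> bare PKCS#8 PEM key.
extract_key() {
  openssl pkcs12 -in host.p12 -nocerts -nodes -passin "pass:$P12PASS" -out host-key.pem
  openssl pkcs8 -in host-key.pem -topk8 -nocrypt -out host-key.pk8
  chmod 600 host-key.pem host-key.pk8   # both files hold the private key in the clear
}

# Step 2 of the post: signed certificate first, its signer next, root last
# (on Windows: copy /b host.pem + inter.pem + root.pem host-cert.pem).
build_chain() {
  cat host.pem inter.pem root.pem > host-cert.pem
}

# Check A: the converted private key really belongs to the host certificate.
key_matches_cert() {
  [ "$(openssl pkey -in host-key.pk8 -pubout)" = "$(openssl x509 -in host.pem -noout -pubkey)" ]
}

# Check B: the Note's ordering rule. Split the chain file and confirm that each
# certificate's issuer is the subject of the next one and that the last is self-issued.
chain_order_ok() {
  rm -f chain-*.pem
  awk '/BEGIN CERTIFICATE/ { n++ } { print > ("chain-" n ".pem") }' host-cert.pem
  n=$(grep -c 'BEGIN CERTIFICATE' host-cert.pem)
  i=1
  while [ "$i" -le "$n" ]; do
    next=$i
    [ "$i" -lt "$n" ] && next=$((i + 1))
    issuer=$(openssl x509 -in "chain-$i.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "chain-$next.pem" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || { echo "certificate $i is not followed by its signer" >&2; return 1; }
    i=$((i + 1))
  done
}

# Check C: OpenSSL can build a path from the host certificate to the root via the chain file.
chain_verifies() {
  openssl verify -CAfile root.pem -untrusted host-cert.pem host.pem >/dev/null
}

make_test_pki
extract_key
build_chain
if key_matches_cert && chain_order_ok && chain_verifies; then
  echo "ready for: xs set-certificate $HOST -k host-key.pk8 -c host-cert.pem"
else
  echo "do not upload: a pre-upload check failed" >&2
  exit 1
fi
```

The order check is the one worth keeping around: a chain file that lists the root first is still a syntactically valid bundle, and the xs client accepts it, so nothing complains until browsers fail to build the path. Check B catches that before the upload, and the checks only use openssl x509 and openssl verify, so they work the same against a real EJBCA-issued chain.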
Hi Frank -
Nice document. Can you please explain how to create the certificates below?
Gokul
Hi Gokul,
Did you find an answer to your question?
Regards,
vahid
Hello Gokul,
As mentioned in my blog, there are of course many CA tools, but I am using EJBCA:
Best regards
Frank
Hi, Frank
I am trying to fix the "SSL not trusted" error on the HANA cockpit 2.0. HANA cockpit is an XSA app, I believe. How do you download the PEM and private key from the XSA server? I suppose you need to create a certificate request and sign it with a CA, just like the usual process?
Thanks, Jonathan.
So after hitting my head against a wall all day, it looks like there's a bug if your certificate chain is longer than 3. Leaving this here so maybe others don't waste too much time. PS: I'm on HANA Express 2.0 SP03 Rev 31.
https://launchpad.support.sap.com/#/notes/2666262
Got it working. Key phrase in note https://launchpad.support.sap.com/#/notes/2666262
Hi Frank
In the first set of OpenSSL transformations, where you converted the .p12 file to PKCS#12 with the extension .pem, why is that needed?
Then .pem to PKCS#8 format. Actually, after I did the above and then imported the *.pk8 file into browsers like Firefox or Chrome, it gave me errors.
I could import the .p12 file as it is into browsers, Firefox plus Chrome?
I am using EJBCA with JBoss on Ubuntu Linux (as a Windows Subsystem in Windows 10 Professional), so maybe that is why; your commands are using a Windows OpenSSL version, so maybe that is why. So that means EJBCA + JBoss is on Windows OS for you, correct?
thanks
rama anne