Technology Blogs by SAP
volker_teichmann
In one of my last projects I was asked about self-signed certificates with a Subject Alternative Name. As this is a little bit tricky, I want to share the results.

My test setup:

I downloaded and extracted SAPCryptolib (8.5.21) on my (Windows) laptop.

I installed WSL (in my case Ubuntu) on my laptop to get openssl.

 

After this I can start:

First set the SECUDIR variable to the directory where the SAPCryptolib was extracted, e.g.:

c:\SAPGENPSE>set SECUDIR=c:\SAPGENPSE

 

As the next step, create a PSE and CSR that match the needs, e.g.:

sapgenpse gen_pse -p SSLExample.pse -r SSLExample.csr -k GN-dNSName:www.example.com -k GN-dNSName:www.example.net -k GN-dNSName:www.example.org "CN=SelfSigned With SAN, OU=SAP Web AS, O=Example, C=DE"



Then export a p12 file from the PSE so that the certificate and key can be extracted later with openssl, e.g.:

sapgenpse.exe export_p12 -p SSLExample.pse SSLExample.p12



 

Now switch to WSL to continue with openssl for signing the CSR.

Then extract the private key for signing the CSR, e.g.:

openssl pkcs12 -in SSLExample.p12 -nocerts -out SSLExample.key



!! A password is needed for the key, otherwise signing the CSR will fail !!

Also extract the certificate from the p12, e.g.:

openssl pkcs12 -in SSLExample.p12 -clcerts -nokeys -out SSLExample.pem



Now we have nearly everything we need:

The CSR, the (private) key and the certificate.

But I also need a small text file (v3.ext) that contains the following:



Now I can sign the certificate, e.g.:

openssl x509 -req -days 730 -sha256 -in SSLExample.csr -CA SSLExample.pem -CAkey SSLExample.key -CAcreateserial -out SSLExample_signed.cer -extfile v3.ext



As importing a self-signed certificate into a PSE is not supported, we need to build a p12 file to import it into our PSE, e.g.:

openssl pkcs12 -export -in SSLExample_signed.cer -inkey SSLExample.key -out SSLExample_signed.p12



 

Now import the p12 file into the PSE, e.g.:

sapgenpse.exe import_p12 -p SSLExample.pse SSLExample_signed.p12



Voilà, now I have a self-signed certificate with Subject Alternative Names.
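
Added example, not part of the original post: `openssl x509 -req` does not copy the extensions requested in a CSR into the certificate unless an extension file is given, which is why the signing step needs v3.ext. The script reproduces that step with throwaway openssl-generated stand-ins for the sapgenpse files and an assumed v3.ext content (the post's own file is not shown), then checks which DNS names each resulting certificate carries.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Keys and certificates are
# throwaway stand-ins generated with openssl instead of sapgenpse.
set -eu

SAN='DNS:www.example.com, DNS:www.example.net, DNS:www.example.org'

# Print the DNS names in a certificate's SAN extension as one sorted line.
san_of() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sort | paste -sd ' ' -
}

# Build a stand-in signing cert/key and a CSR that already requests the SANs,
# then sign the CSR twice: without and with the extension file.
build_demo() {
  dir=$1
  # Stand-in for SSLExample.key / SSLExample.pem (unencrypted, demo only).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=SelfSigned With SAN' \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # Stand-in for SSLExample.csr; the SANs are part of the request.
  openssl req -new -key "$dir/ca.key" -subj '/CN=SelfSigned With SAN' \
    -addext "subjectAltName=$SAN" -out "$dir/ex.csr" 2>/dev/null
  # Assumed content of v3.ext (the post's own file is not shown).
  printf 'subjectAltName = %s\n' "$SAN" > "$dir/v3.ext"
  # Without -extfile the extensions requested in the CSR are not copied.
  openssl x509 -req -days 730 -sha256 -in "$dir/ex.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/no_ext.cer" 2>/dev/null
  # Same command as in the post, with -extfile.
  openssl x509 -req -days 730 -sha256 -in "$dir/ex.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/signed.cer" \
    -extfile "$dir/v3.ext" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
build_demo "$DEMO_DIR"
echo "without -extfile: [$(san_of "$DEMO_DIR/no_ext.cer")]"
echo "with    -extfile: [$(san_of "$DEMO_DIR/signed.cer")]"
```

The same `openssl x509 -in SSLExample_signed.cer -noout -text` check can be run on the real signed certificate before building the p12 file.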