
Use a Let’s Encrypt certificate for SAP HANA or SAP NetWeaver AS ABAP

Are you running SAP HANA Express Edition at one of the cloud providers like AWS, Azure or Google Cloud Platform? Or do you run a NetWeaver AS ABAP Developer Edition or an SAP Cloud Appliance Library instance? Then I think you’re familiar with this warning message from your browser:

I want to show you how to get rid of this security warning. Below you will find how to use a free Let’s Encrypt certificate for your SAP HANA or SAP NetWeaver Application Server ABAP. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). Not only is it free, it is also trusted by all current browsers.

These are the basic steps to use a Let’s Encrypt certificate:

  • Make sure your server is accessible with a public DNS entry
  • Check firewall settings and open port 80 (HTTP) for external access
  • Create certificate signing request (CSR) in SAP HANA or AS ABAP
  • Install letsencrypt-nosudo using git or copy via scp
  • Run letsencrypt-nosudo to get the CSR signed
  • Import the certificate in SAP HANA or AS ABAP

Public DNS entry for your system

When you’re on Microsoft Azure you can very easily get a DNS entry by opening the Public IP address configuration of your machine. There you can set a DNS name label, which will then be the system’s hostname. The fully qualified domain name (FQDN) consists of the DNS name label and the long name below it, ending with .cloudapp.azure.com:

Open firewall on port 80

As the Let’s Encrypt domain validation is done via an HTTP request on port 80, you have to open this port on the firewall.

Install letsencrypt-nosudo

Log in to your server and clone the letsencrypt-nosudo repository with the following command:

git clone https://github.com/diafygi/acme-nosudo.git

After the repository is cloned, switch into the subfolder that was created:

cd acme-nosudo

Create certificate signing request (CSR)

For both HANA and ABAP you have to store the CSR as domain.csr in the acme-nosudo folder on the server where you’ve installed letsencrypt-nosudo.

HANA

Follow the description Configure HTTPS (SSL) for Client Application Access.

ABAP

Please follow the detailed description at Enabling SSL (HTTPS) on SAP Gateway.
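
Whichever system produced it, domain.csr can be checked on the server before it goes to the signing script. The following is an added example, not part of the original post or of letsencrypt-nosudo; it assumes the openssl command-line tool is installed, the function names csr_names and check_csr are made up here, and hxehost.example.com is a placeholder for your own FQDN.

```shell
#!/bin/sh
# Added example: pre-flight check for the domain.csr exported from HANA or STRUST.
# Assumes the openssl CLI is installed; csr_names and check_csr are
# illustrative names, not part of letsencrypt-nosudo.

# Print every DNS name the CSR asks for: subject CN plus any SAN entries.
csr_names() {
    # "multiline" prints one subject attribute per line, which is easy to parse
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^.*commonName *= *//p'
    # subjectAltName DNS entries, if the CSR carries that extension
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# check_csr FILE FQDN: succeed only if the CSR is intact and requests FQDN.
check_csr() {
    csr=$1
    fqdn=$2
    # 1. The request must parse and its self-signature must verify; a file
    #    truncated or re-wrapped while copying it to the server fails here.
    #    Match the "verify OK" message so the result does not depend on
    #    the exit status.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: $csr is not a valid self-signed CSR" >&2
        return 1
    }
    # 2. Let's Encrypt validates the names in the CSR over HTTP on port 80,
    #    so the public DNS name must be among them (whole-line match).
    csr_names "$csr" | grep -qixF -- "$fqdn" || {
        echo "FAIL: $csr does not request $fqdn" >&2
        return 1
    }
    echo "OK: $csr requests $fqdn"
}

# Usage: sh check_csr.sh domain.csr hxehost.example.com   (placeholder FQDN)
if [ "$#" -eq 2 ]; then
    check_csr "$1" "$2"
fi
```

A CSR whose common name is still the internal hostname of the appliance fails the second check, which is cheaper to find out here than after the validation request has been sent.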

Run letsencrypt-nosudo to get the CSR signed

Please follow the detailed description at How to use the signing script to get the CSR signed.

Import the certificate in SAP HANA or AS ABAP

As the final step, follow the instructions linked above for the CSR creation to import the certificate that you got from Let’s Encrypt. Before you can import your own certificate, you need to import the Let’s Encrypt signing certificate and the ISRG Root OCSP X1 root certificate, which you can download from https://letsencrypt.org/certificates/. In ABAP you can import them in transaction STRUST, starting with the root certificate. For HANA the best way is to copy all certificates into one text file that you import in one go.

3 Comments
    • Hi Christian,

      First I’ve checked if it would be possible to implement an ACME client in ABAP. But as the challenges must be placed directly under the server root, that wasn’t an option. I’ve also tried modifying the PSE for the SSL server directly. But that results in an inconsistency with the PSE in STRUST that is stored in the DB. I think the approach by Jakub Filak in his Python script sap_add_trusted_server_cert might be a good start to automate it. Maybe you can give it a try.

      Best regards
      Gregor