Use Let’s Encrypt certificate in STRUST
I work only occasionally with transaction STRUST. And I always have to bend my mind around this poor UI: After a few minutes of frantic clicking and typing I usually reach my goal – and immediately forget how I did it…
Today a colleague asked how to import SSL certificates into an SAP system. As I have an IDES system around on a host with a valid LE certificate, I seized the opportunity to document the steps properly.
Package the Let’s Encrypt certificate
As the root user, change to the directory holding the active LE certificate and the corresponding key (the steps below were tested on a Red Hat system):
# cd /etc/letsencrypt/live/mydomain.com
There you will find four symlinked PEM files:
# ls -1 *.pem
From these create a PKCS#12 file secured by a password you specify:
# openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile fullchain.pem -out mydomain.pfx
Enter Export Password:
Verifying - Enter Export Password:
“mydomain.pfx” is the resulting PKCS#12 file. It contains the LE certificate and the private key, protected by the export password. This way we can move the certificate data in a moderately safe way.
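The packaging step above, together with the checks I would run on the host before carrying the file to STRUST (key belongs to the certificate, chain is complete, bundle holds leaf plus intermediates); this is an added example, not code from the original post. It assumes the Let’s Encrypt live layout (privkey.pem, cert.pem, chain.pem, fullchain.pem), passes chain.pem instead of fullchain.pem to -certfile so the leaf is not packed a second time, and the test chain it generates is constructed data, not real Let’s Encrypt material.

```shell
#!/bin/sh
# Added example, not from the original post: build the PKCS#12 for STRUST from a
# Let's Encrypt live dir and check key, certificate and chain first on the host.
set -e
# Package the key, the leaf and the intermediates. chain.pem (not fullchain.pem as
# in the post) goes to -certfile so the leaf is not packed twice.
# $1 = live dir, $2 = output .pfx, $3 = export password
build_pfx() {
  openssl pkcs12 -export -inkey "$1/privkey.pem" -in "$1/cert.pem" \
    -certfile "$1/chain.pem" -out "$2" -passout "pass:$3"
}

# Succeeds only if privkey.pem belongs to cert.pem (identical public key).
key_matches_cert() {
  [ "$(openssl x509 -in "$1/cert.pem" -pubkey -noout)" = \
    "$(openssl pkey -in "$1/privkey.pem" -pubout)" ]
}

# Succeeds if cert.pem chains via chain.pem to a trusted root. $2 = root cert
# file; omit it to use the system store, which holds the Let's Encrypt root.
chain_is_complete() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null
  else
    openssl verify -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null
  fi
}

# Number of certificates in the PKCS#12 file (leaf plus intermediates).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}

# Constructed test data (not real Let's Encrypt files): a throw-away
# root -> intermediate -> leaf chain laid out like /etc/letsencrypt/live/<domain>.
make_test_live_dir() {
  mkdir -p "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test Root' \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -extfile "$1/ca.ext" -out "$1/chain.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=mydomain.com' \
    -keyout "$1/privkey.pem" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$1/leaf.csr" -CA "$1/chain.pem" -CAkey "$1/int.key" \
    -CAcreateserial -out "$1/cert.pem" 2>/dev/null
  cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
}
```

On a real host, call `key_matches_cert /etc/letsencrypt/live/mydomain.com` and `chain_is_complete /etc/letsencrypt/live/mydomain.com` (no root argument) before `build_pfx`; a failing chain check here is the same problem STRUST later reports as a missing certificate in the chain.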
Import into SAP system
Now let us import the PFX file via STRUST:
- Make the PFX file available to SAP GUI: access it from a common share or download the PFX file to your workstation.
- Enter transaction STRUST and switch from display to change mode.
- Then click on the “File” entry in the tree on the left-hand side.
- A file selection dialog pops up where you can select the file “mydomain.pfx” created above.
- When asked, enter the password you specified above.
In my case there was a red error sign noting that a certificate was missing from the chain:
Searching for the CN of the missing certificate leads to the Let’s Encrypt site, where it can be downloaded:
Store the certificate in the same directory as the PFX file and import it from within the dialog box with the marked button on the right-hand side. After that you should be back in STRUST.
As a result you will see the imported LE certificate of your domain on the right-hand side:
Now the thing I always fail to recall… From the STRUST menu select: PSE -> Save As
In the dialog select SSL Server. Now the LE certificate shows up as the system-wide SSL certificate.
Please note: As I did not create a certificate request but imported the certificate and key in one go, there is no need to create a temporary PSE to bridge the time until the request is signed.
Instance specific certificates
There might still be instance-specific certificates that are not signed. These take precedence over the server-side certificate just installed. Unless you really need them for a specific reason, just delete them:
- Right-click on “SSL Server Standard” and select “Change”
- Mark all instance-specific entries in the table and hit the delete button on the lower right.
To verify that SSL works I usually use the browser on my workstation or notebook. If name resolution is missing, firewalls are restrictive or other nuisances get in the way, I check the SSL connection with curl on the host running the application server. If the certificate is not correct, curl will issue something like this:
# curl https://mydomain.com:9020
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
If curl returns HTML starting with a DOCTYPE tag, we are fine:
# curl https://mydomain.com:9020
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Logon Error Message</title><META http-equiv="Content-Type" content="text/html;charset=UTF-8">...
The above should show you an easy way to get acquainted with the handling of SSL server certificates in STRUST. In earlier times this was difficult: SAP systems where you could get hold of a valid certificate just to train yourself were hard to come by. Either you had to spend some serious cash to buy a certificate, or internal guidelines did not allow getting one for mere training purposes. Or both.
But these days LE certificates are free! An IDES system or some other training system is often available. So finally it is feasible to set up an environment where you can practice without fear of causing major breakage.