Skip to Content
Technical Articles
Author's profile photo Alban Leong

Resolve annoying self-signed SSL certificate issue on ABAP 1909 Developer Edition with your own local CA (Certificate Authority)

TL;DR: Resolve the ERR_CERT_AUTHORITY_INVALID issue on browsers with https using self-signed SSL certificate by generating your own local root CA (Certificate Authority) using OpenSSL on Windows/MacOS for ABAP 1909 Developer Edition for local development.

I’ll share in a few simple steps, how I was able to generate my own local root CA with OpenSSL and use that to sign the SSL certificate that comes delivered in ABAP 1909 Developer Edition (CN=*.dummy.nodomain) to get rid of the annoying browser warning messages when accessing any URLs served through HTTPS on this local ABAP development environment.

Basically, we go from this….Annoying%20browser%20error%20and%20SSL%20status%20that%20says%20Not%20secure

Annoying browser error and SSL status that says Not secure

to this on Safari in MacOS or Chrome in Windows….


Ahhh...%20a%20perfect%2C%20no%20error%20valid%20SSL%20on%20a%20local%20ABAP%20dev%20server

Ahhh…much better! A complete, no error valid SSL on a local ABAP dev server

Introduction

The ABAP 1909 Developer Edition comes with a self-signed certificate that will technically serve “secure” HTTPS traffic for local development but browsers and even some API software/tools today frown upon self-signed certificates so much so that they labelled it as “Not secure” or just wouldn’t work with it – I am really over simplifying the reason here…

While looking around for some ideas, I came across this page on Let’s Encrypt’s website – https://letsencrypt.org/docs/certificates-for-localhost/ where it says and I quote below

The best option: Generate your own certificate, either self-signed or signed by a local root, and trust it in your operating system’s trust store. Then use that certificate in your local web server.

So, first of all, we already have our own certificate that’s self-signed on the local ABAP server – what’s missing is just

  1. Generating the local root CA using OpenSSL
  2. Trust the local root CA it in Windows / MacOS.
  3. Add the local root CA into SAP using transaction STRUST
  4. And then finally, use OpenSSL again to sign the SSL certificate that’s already on the ABAP server and import the certificate response back to the ABAP server.

4 simple steps – Let’s get to it!

Prerequisite – You will need OpenSSL

You can get OpenSSL for Windows here – https://slproweb.com/products/Win32OpenSSL.html and I downloaded the Win64 version for my Windows 10 machine.

For MacOS – you simply need to run the following command in terminal.

brew install openssl
#or#
brew upgrade openssl

Step 1 – Generate Local Certificate Authority with OpenSSL  – 2mins

If you refer to Let’s Encrypt’s page above, it mentioned that you could use minica as a local root CA to sign and issue your certificates and it would be valid for 2 years and 30 days. This feels a little overkill for my use case of just trying to sign a single SSL for the ABAP server so, I opted for a complete manual way with OpenSSL – and it only takes 2 simple command.

The first command is to create a private key that is 2048 bits long and this will prompt you to enter a password to create the key file. I entered something simple like ‘12345’ as the password.

openssl genrsa -des3 -out rootCA.key 2048

And with that private key generated, we will now use it to generate the root certificate using the following command below. You will be prompted to enter the password that you’ve created for the key in the step above and also enter some basic information for the local CA.

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 9999  -out rootCA.pem

That’s it! We now have a local root CA (called ALBAN LOCAL CA – in my example above) certificate  rootCA.pem that we can now use in the next step to trust it in Windows / MacOS and also in Step 3, to save it into our ABAP server as a Root CA.

 

Step 2 – Trust the local root CA in Windows / MacOS – 3 mins

Here are the steps for adding the local root CA to Windows.

Step%202.1%20%28Windows%29

Step 2.1 (Windows)

2.1 (Windows) – Click on Start and Run > mmc

 

Step%202.2%20%28Windows%29

Step 2.2 (Windows)

2.2 (Windows) – Click on “File” > “Add/Remove Snap-in” to add the “Certificates” Snap-in (or Ctrl + M)

 

Step%202.3%20%28Windows%29

Step 2.3 (Windows)

2.3 (Windows) – Select manage certificates for “Computer account” and snap-in will always manage the “Local computer” in the next two prompt windows and click “Finish”

 

Step%202.4%20%28Windows%29

Step 2.4 (Windows)

2.4 (Windows) Double-click on “Trusted Root Certification Authorities” and in the Object Type window – Right-Click on “Certificates” > All Tasks > Import

 

Step%202.5%20%28Windows%29

Step 2.5 (Windows)

2.5 (Windows) – Click “Next” to advance to the next window and select the local root CA certificate “rootCA.pem” file that was generated earlier.

 

Step%202.6%20%28Windows%29

Step 2.6 (Windows)

2.6 (Windows) – Click “Next” again till you get to the end and save the certificate in “Trusted Root Certification Authorities”.

2.7 (Windows) – Repeat step 4 – 6 above but this time, import the certificate into “Personal” > “Certificates” folder.

 

Here are the steps for adding the local root CA to MacOS and trust it.

Step%202.1%20%28Mac%29

Step 2.1 (Mac)

2.1 (Mac) – Run Keychain Access in Spotlight (Cmd + Space)

Step%202.2%20%28Mac%29

Step 2.2 (Mac)

2.2 (Mac) – Drag and drop the “rootCA.pem” file into the “System” keychain

 

Step%202.3%20%28Mac%29

Step 2.3 (Mac)

2.3 (Mac) – You should now see that the Certificate has been added but by default, it is still not trusted.

 

Step%202.4%20%28Mac%29

Step 2.4 (Mac)

2.4 (Mac) – Double-click on the certificate and in the “Trusted” section, change the drop-down to “Always Trust”. This should then change all the other options below down to “Always Trust” as well.

 

Step%202.5%20%28Mac%29

Step 2.5 (Mac)

2.5 (Mac) – Close the window and now, it should show that the local root CA certificate is now trusted!

Step 3 – Add the local root CA to ABAP server (STRUST) – 5 mins

Now, we head into the ABAP server and add the local root CA certificate (rootCA.pem) in transaction STRUST. We have to first import the certificate, add it to the certificate list and then export the certificate as a Trust CA into the database table VSTRUSTCERT.

Step%203.1%20%28STRUST%29

Step 3.1 (STRUST)

3.1 – Double click on “SSL client SSL Client (Standard)” folder and click on “Change”.

 

Step%203.2%20%28STRUST%29

Step 3.2 (STRUST)

3.2 – Import the certificate by selecting “Certificate” > “Import”.

 

Step%203.3%20%28STRUST%29

Step 3.3 (STRUST)

3.3 – Browse or enter the path to the “rootCA.pem” certificate file and click on the green tick.

 

Step%203.4%20%28STRUST%29

Step 3.4 (STRUST)

3.4 – You should see the certificate details in the lower screen and click on the button “Add to Certificate List” (VERY IMPORTANT STEP). If the “Add to Certificate List” button is not active, means you’re still not in Change mode.

Step%203.5%20%28STRUST%29

Step 3.5 (STRUST)

3.5 – With the newly added local root CA certificate still selected, we now export this to the database as a Root CA by selecting “Certificate” > “Export”.

 

Step%203.6%20%28STRUST%29

Step 3.6 (STRUST)

3.6 – Click over to the “Database” tab and fill in the Trust Center, select Root CA as the Category and enter a Description. Make sure to prefix the Trust Center naming with a “Z”. Click the green tick and you should get a success message that says “Certificate saved in database”. This would then automatically create a new entry in the table VSTRUSTCERT. You can validate this by selecting “Certificate” > “Database” and you should see the newly created Root CA in the table.

 

Step 4 – Create a Certificate Signing Request, sign existing SSL cert in ABAP server with the local root CA and import the certificate response back into ABAP server – 5 mins

This are the last few remaining steps in transaction STRUST and also one more OpenSSL command. We’re almost there… I promise.

Step%204.1%20%28STRUST%29

Step 4.1 (STRUST)

4.1 – In STRUST – Double-click on “SSL server Standard” folder and click on the button “Create certificate request”. Here, select SHA256 as the algorithm and also enter “*.dummy.nodomain” in the Alternative Owner Name (SAN) table.

 

Step%204.2%20%28STRUST%29

Step 4.2 (STRUST)

4.2 – Save the certificate request as a local file and name it “server.csr” and save it in the same folder as the local root CA key and certificate.

 

Step 4.3 (EXT file)

4.3 – Now, in order to have a certificate that meets today’s SSL standard, we will need to include in the certificate the Subject Alternative Names (SAN). To do this, using Notepad, create a file called “v3.ext” and enter the following into the file and SAVE it.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.dummy.nodomain​
DNS.2 = vhcala4hci

 

Step%204.4%20%28OpenSSL%29

Step 4.4 (OpenSSL)

4.4 – Using OpenSSL again, we run the following command to finally sign and issue a new SSL certificate (server.crt) using all the other files that we’ve generated so far. You will be prompted again for the password for the local root CA key.

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 999 -sha256 -extfile v3.ext​

 

Step 4.5 (STRUST)

4.5 – Last and final step – in STRUST transaction, we import the signed certificate response (server.crt) file back into the ABAP server and remember to hit that “SAVE” button. You should see a success message that says “SSL PSE was saved!”.

And we’re DONE!

Our ABAP 1909 Developer Edition server is now capable of serving valid HTTPS urls and OData services that browsers and other software/tools will love (limited to your local computer :)). Oh and you don’t even need to restart ICM because that’s already being taken care of automatically…

ICM%20is%20notified..%20w00t%21

ICM has been notified automatically.. w00t!

Hope you’ve liked this blog post and found it useful!

Note: Although I’m using the ABAP 1909 Developer Edition in this blog post, the steps above should also work for the previous ABAP Developer Editions.

Suggestion, maybe next time in the future, SAP can perhaps deliver the ABAP Dev Edition server along with a local root CA certificate (rootCA.PEM) and the SSL that’s signed with it. That way, we only need to do Step 2 of trusting the local root CA in the process above. Wishful/Hopeful thinking!

 

Assigned tags

      7 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Gregor Wolf
      Gregor Wolf

      Do you know https://github.com/FiloSottile/mkcert? This makes self signed certificates straight forward.

      Author's profile photo Alban Leong Bang
      Alban Leong Bang
      Blog Post Author

      Nice... thanks for the tip and nope, wasn't aware of this!

      And looking at this neat utility, it will simplify my steps above especially step 1 (gen local CA) and 2 (trust local CA in OS) but we'll still need to manually perform step 3 (add local CA to SAP) and step 4 (sign cert from a CSR and then import the cert response back into SAP). Also - I think that the sequence would somewhat be different since we need the CSR from the ABAP server to execute mkcert. But, it is really cool as I can see that it works for so many different OS as well as taking SAN and Apple's requirement of the SSL into consideration. Very neat Go code!

      What I was really trying to show above is that the process is really rather simple with OpenSSL and document the understanding of the relationship between the local root CA and the self-signed cert throughout the process. 🙂

      Author's profile photo Gregory Misiorek
      Gregory Misiorek

      +1 until 'Like' link is back on again

      Author's profile photo Onuorah Nwani
      Onuorah Nwani

      Good work, thanks

      Author's profile photo Jakob Marius Kjær
      Jakob Marius Kjær

      You could also consider the steps provided here https://youtu.be/k9ET6clRjG8

      This will give you an ssl certificate valid for 6 months available on all devices.

      Author's profile photo Alban Leong Bang
      Alban Leong Bang
      Blog Post Author

      Nice video Jakob.

      Yes, if you own a valid public domain name, then it’d be certainly possible/beneficial to use that for the ABAP server and you can also sign it for free using services like Let’s Encrypt.

      Steps I shared above simply signs the existing SSL that’s delivered on the ABAP server solely for the purpose of local development on your PC or even mobile devices as well. To get it to work on mobile, you just need to import the rootCA.pem to your iOS/Android device and then, it’ll work as long as it’s on the same local network.

      Author's profile photo Yasin Ilkbahar
      Yasin Ilkbahar

      Hi Jakob,

      thanks for the nice video. Tried to do the same but getting an issue during the certificate request: "Validation of the required challenges did not complete successfully. Errors during validation ::  : Response received didn't match the challenge's requirements"  (see below the detailed log)

      I set up a dns-hosting address, retrieving this address also in certify in the dns zone id. Any idea what the cause of this issue is?

       

      2021-07-11 22:30:51.293 +02:00 [INF] ---- Beginning Request [swdd] ----
      2021-07-11 22:30:51.293 +02:00 [INF] Certify/5.4.3.0 (Windows; Microsoft Windows NT 10.0.19042.0)
      2021-07-11 22:30:51.332 +02:00 [INF] Beginning Certificate Request Process: swdd using ACME Provider:Certes
      2021-07-11 22:30:51.332 +02:00 [INF] Requested identifiers to include on certificate: ***.*****.***
      2021-07-11 22:30:51.333 +02:00 [INF] Beginning certificate order for requested domains
      2021-07-11 22:30:52.875 +02:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
      2021-07-11 22:30:55.852 +02:00 [INF] Created ACME Order: https://api.buypass.com/acme/order/*****MyXeC3FvSimQJXT7YtFLhysU
      2021-07-11 22:30:56.137 +02:00 [INF] Fetching Authorizations.
      2021-07-11 22:30:57.366 +02:00 [INF] Got http-01 challenge https://api.buypass.com/acme-v02/authz/*****uf3kxTxLi3UjRKxhIOahqgMY/1
      2021-07-11 22:30:58.001 +02:00 [INF] Got dns-01 challenge https://api.buypass.com/acme-v02/authz/****uf3kxTxLi3UjRKxhIOahqgMY/2
      2021-07-11 22:30:58.001 +02:00 [INF] Attempting Domain Validation: ***.***.***
      2021-07-11 22:30:58.001 +02:00 [INF] Registering and Validating ***.***.***
      2021-07-11 22:30:58.001 +02:00 [INF] Performing automated challenge responses (****.****.***)
      2021-07-11 22:30:58.005 +02:00 [INF] DNS: Creating TXT Record '_acme-challenge.****.***.***' with value '****7o4UwvqKMQS6hc9lfoOW42-dzIFH2E', in Zone Id '****.***' using API provider 'GoDaddy DNS API'
      2021-07-11 22:30:59.250 +02:00 [INF] DNS: GoDaddy DNS API :: DNS record added.
      2021-07-11 22:30:59.251 +02:00 [INF] Requesting Validation: ***.***.***
      2021-07-11 22:33:00.700 +02:00 [INF] Attempting Challenge Response Validation for Domain: ****.***.***
      2021-07-11 22:33:00.700 +02:00 [INF] Registering and Validating ****.***.***
      2021-07-11 22:33:00.700 +02:00 [INF] Checking automated challenge response for Domain: ****.***.***
      2021-07-11 22:33:08.504 +02:00 [INF] Errors during validation ::  : Response received didn't match the challenge's requirements
      2021-07-11 22:33:10.516 +02:00 [INF] DNS: Deleting TXT Record '_acme-challenge.****.*****.***', in Zone Id '*****.***' using API provider 'GoDaddy DNS API'
      2021-07-11 22:33:11.123 +02:00 [INF] Validation of the required challenges did not complete successfully. Errors during validation ::  : Response received didn't match the challenge's requirements
      2021-07-11 22:33:11.124 +02:00 [INF] Validation of the required challenges did not complete successfully. Errors during validation ::  : Response received didn't match the challenge's requirements
      2021-07-11 22:33:11.124 +02:00 [INF] Performing Post-Request (Deployment) Tasks..
      2021-07-11 22:33:11.124 +02:00 [INF] Task [Export Certificate] :: Task is enabled but will not run because primary request unsuccessful.
      2021-07-11 22:33:11.124 +02:00 [INF] Export Certificate :: Task is enabled but will not run because primary request unsuccessful.
      2021-07-11 22:33:11.124 +02:00 [INF] Validation of the required challenges did not complete successfully. Errors during validation ::  : Response received didn't match the challenge's requirements