How to create SAP server pse with Let’s Encrypt cert inside
There are already several articles on how you can create Let’s encrypt cert for your SAP system. What I was able to find are either very long and complex or with CSR sign approach. Below we will create server wildcard cert in pse with short simple steps with help of the official ACME client – Lego and DNS-01 challenge.
Step 1 – Get your Let’s Encrypt cert chain.
I assume that Lego client is already downloaded according to the official instructions. We will use DNS-01 challenge to confirm our DNS record (Lego Client also supports other types if you wish). More details can be found here
Execute lego command (example below):
./lego --email="firstname.lastname@example.org" --domains="*.dev.wooo.dem.rap" -dns="manual" run
this will generate for you DNS-01 ACME challenge and execution will pause until you update your DNS record with TEXT field. Once it is done you can hit next and after challenge is verified you will receive your cert chain, that will consists of the following objects:
- _.dev.wooo.dem.rap.crt is the server certificate (including the CA certificate)
- _.dev.wooo.dem.rap.key is the private key needed for the server certificate
- _.dev.wooo.dem.rap.issuer.crt is the CA certificate
- _.dev.wooo.dem.rap.json contains some JSON encoded meta information.
Step 2 – Generate pfx archive with openssl client
A .pfx file is a PKCS#12 archive: a bag which can contain a lot of objects with optional password protection; but, usually, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.
Execute the following command line:
openssl pkcs12 -export -out certificate_wide.pfx -inkey _.dev.wooo.dem.rap.key -in _.dev.wooo.dem.rap.crt -certfile _.dev.wooo.dem.rap.crt
This will create for you certificate_wide.pfx file
Step 3 – Get Let’s encrypt root certificate
Before you can create your pse storage, you need also to download let’s encrypt root certificate either from browser or with openssl:
openssl s_client -showcerts -verify 5 -connect letsencrypt.org:443 < /dev/null
Step 4 – Generate SAP PSE file
Now you can create your server PSE pout of this pfx archive:
sapgenpse import_p12 -r _.dev.wooo.dem.rap.crt -r letsEncryptRoot.crt -p SAPSSLS.pse certificate_wide.pfx
This will create for you SAPSSLS.pse that can be used with SAP Web Dispatcher or SAP ABAP\JAVA instances, or any other place where pse format is used 🙂
Step 5 – Apply pse for the system
As an example we will use this PSE for the ABAP system.
The only thing that is required (steps):
P.S. For the Web Dispatcher it even easier. We just need to copy this pse with correct permissions to the /usr/sap/<SID>/W<InstNumber>/sec folder and restart the Web Dispatcher.
This is one of the most simple and straight forward way to request an Let’s encrypt certificate. This one will live for 90 days. So you need to renew you certs later on.
P.P.S. Lego tool available in container, and it can be integrated with quite a lot of DNS service providers, so the whole process can be automated via CI server for example.