Resolve annoying self-signed SSL certificate issue...

albanleong · ‎06-04-2021

TL;DR: Resolve the ERR_CERT_AUTHORITY_INVALID issue on browsers with https using self-signed SSL certificate by generating your own local root CA (Certificate Authority) using OpenSSL on Windows/MacOS for ABAP 1909 Developer Edition for local development.

I'll share in a few simple steps, how I was able to generate my own local root CA with OpenSSL and use that to sign the SSL certificate that comes delivered in ABAP 1909 Developer Edition (CN=*.dummy.nodomain) to get rid of the annoying browser warning messages when accessing any URLs served through HTTPS on this local ABAP development environment.

Basically, we go from this....

Annoying browser error and SSL status that says Not secure

to this on Safari in MacOS or Chrome in Windows....

Ahhh...much better! A complete, no error valid SSL on a local ABAP dev server

Introduction

The ABAP 1909 Developer Edition comes with a self-signed certificate that will technically serve "secure" HTTPS traffic for local development but browsers and even some API software/tools today frown upon self-signed certificates so much so that they labelled it as "Not secure" or just wouldn't work with it - I am really over simplifying the reason here...

While looking around for some ideas, I came across this page on Let's Encrypt's website - https://letsencrypt.org/docs/certificates-for-localhost/ where it says and I quote below...

The best option: Generate your own certificate, either self-signed or signed by a local root, and trust it in your operating system’s trust store. Then use that certificate in your local web server.

So, first of all, we already have our own certificate that's self-signed on the local ABAP server - what's missing is just

Generating the local root CA using OpenSSL

Trust the local root CA it in Windows / MacOS.

Add the local root CA into SAP using transaction STRUST

And then finally, use OpenSSL again to sign the SSL certificate that's already on the ABAP server and import the certificate response back to the ABAP server.

4 simple steps - Let's get to it!

Prerequisite - You will need OpenSSL

You can get OpenSSL for Windows here - https://slproweb.com/products/Win32OpenSSL.html and I downloaded the Win64 version for my Windows 10 machine.

For MacOS - you simply need to run the following command in terminal.

brew install openssl

#or#

brew upgrade openssl

Step 1 - Generate Local Certificate Authority with OpenSSL - 2mins

If you refer to Let's Encrypt's page above, it mentioned that you could use minica as a local root CA to sign and issue your certificates and it would be valid for 2 years and 30 days. This feels a little overkill for my use case of just trying to sign a single SSL for the ABAP server so, I opted for a complete manual way with OpenSSL - and it only takes 2 simple command.

The first command is to create a private key that is 2048 bits long and this will prompt you to enter a password to create the key file. I entered something simple like '12345' as the password.

openssl genrsa -des3 -out rootCA.key 2048

And with that private key generated, we will now use it to generate the root certificate using the following command below. You will be prompted to enter the password that you've created for the key in the step above and also enter some basic information for the local CA.

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 9999  -out rootCA.pem

That's it! We now have a local root CA (called ALBAN LOCAL CA - in my example above) certificate rootCA.pem that we can now use in the next step to trust it in Windows / MacOS and also in Step 3, to save it into our ABAP server as a Root CA.

Step 2 - Trust the local root CA in Windows / MacOS - 3 mins

Here are the steps for adding the local root CA to Windows.

Step 2.1 (Windows)

2.1 (Windows) - Click on Start and Run > mmc

Step 2.2 (Windows)

2.2 (Windows) - Click on "File" > "Add/Remove Snap-in" to add the "Certificates" Snap-in (or Ctrl + M)

Step 2.3 (Windows)

2.3 (Windows) - Select manage certificates for "Computer account" and snap-in will always manage the "Local computer" in the next two prompt windows and click "Finish"

Step 2.4 (Windows)

2.4 (Windows) Double-click on "Trusted Root Certification Authorities" and in the Object Type window - Right-Click on "Certificates" > All Tasks > Import

Step 2.5 (Windows)

2.5 (Windows) - Click "Next" to advance to the next window and select the local root CA certificate "rootCA.pem" file that was generated earlier.

Step 2.6 (Windows)

2.6 (Windows) - Click "Next" again till you get to the end and save the certificate in "Trusted Root Certification Authorities".

2.7 (Windows) - Repeat step 4 - 6 above but this time, import the certificate into "Personal" > "Certificates" folder.

Here are the steps for adding the local root CA to MacOS and trust it.

Step 2.1 (Mac)

2.1 (Mac) - Run Keychain Access in Spotlight (Cmd + Space)

Step 2.2 (Mac)

2.2 (Mac) - Drag and drop the "rootCA.pem" file into the "System" keychain

Step 2.3 (Mac)

2.3 (Mac) - You should now see that the Certificate has been added but by default, it is still not trusted.

Step 2.4 (Mac)

2.4 (Mac) - Double-click on the certificate and in the "Trusted" section, change the drop-down to "Always Trust". This should then change all the other options below down to "Always Trust" as well.

Step 2.5 (Mac)

2.5 (Mac) - Close the window and now, it should show that the local root CA certificate is now trusted!

Step 3 - Add the local root CA to ABAP server (STRUST) - 5 mins

Now, we head into the ABAP server and add the local root CA certificate (rootCA.pem) in transaction STRUST. We have to first import the certificate, add it to the certificate list and then export the certificate as a Trust CA into the database table VSTRUSTCERT.

Step 3.1 (STRUST)

3.1 - Double click on "SSL client SSL Client (Standard)" folder and click on "Change".

Step 3.2 (STRUST)

3.2 - Import the certificate by selecting "Certificate" > "Import".

Step 3.3 (STRUST)

3.3 - Browse or enter the path to the "rootCA.pem" certificate file and click on the green tick.

Step 3.4 (STRUST)

3.4 - You should see the certificate details in the lower screen and click on the button "Add to Certificate List" (VERY IMPORTANT STEP). If the "Add to Certificate List" button is not active, means you're still not in Change mode.

Step 3.5 (STRUST)

3.5 - With the newly added local root CA certificate still selected, we now export this to the database as a Root CA by selecting "Certificate" > "Export".

Step 3.6 (STRUST)

3.6 - Click over to the "Database" tab and fill in the Trust Center, select Root CA as the Category and enter a Description. Make sure to prefix the Trust Center naming with a "Z". Click the green tick and you should get a success message that says "Certificate saved in database". This would then automatically create a new entry in the table VSTRUSTCERT. You can validate this by selecting "Certificate" > "Database" and you should see the newly created Root CA in the table.

Step 4 - Create a Certificate Signing Request, sign existing SSL cert in ABAP server with the local root CA and import the certificate response back into ABAP server - 5 mins

This are the last few remaining steps in transaction STRUST and also one more OpenSSL command. We're almost there... I promise.

Step 4.1 (STRUST)

4.1 - In STRUST - Double-click on "SSL server Standard" folder and click on the button "Create certificate request". Here, select SHA256 as the algorithm and also enter "*.dummy.nodomain" in the Alternative Owner Name (SAN) table.

Step 4.2 (STRUST)

4.2 - Save the certificate request as a local file and name it "server.csr" and save it in the same folder as the local root CA key and certificate.

Step 4.3 (EXT file)

4.3 - Now, in order to have a certificate that meets today's SSL standard, we will need to include in the certificate the Subject Alternative Names (SAN). To do this, using Notepad, create a file called “v3.ext” and enter the following into the file and SAVE it.

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

subjectAltName = @alt_names



[alt_names]

DNS.1 = *.dummy.nodomain

DNS.2 = vhcala4hci

Step 4.4 (OpenSSL)

4.4 - Using OpenSSL again, we run the following command to finally sign and issue a new SSL certificate (server.crt) using all the other files that we've generated so far. You will be prompted again for the password for the local root CA key.

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 999 -sha256 -extfile v3.ext

Step 4.5 (STRUST)

4.5 - Last and final step - in STRUST transaction, we import the signed certificate response (server.crt) file back into the ABAP server and remember to hit that "SAVE" button. You should see a success message that says "SSL PSE was saved!".

And we're DONE!

Our ABAP 1909 Developer Edition server is now capable of serving valid HTTPS urls and OData services that browsers and other software/tools will love (limited to your local computer :)). Oh and you don't even need to restart ICM because that's already being taken care of automatically...

ICM has been notified automatically.. w00t!

Hope you've liked this blog post and found it useful!

Note: Although I’m using the ABAP 1909 Developer Edition in this blog post, the steps above should also work for the previous ABAP Developer Editions.

Suggestion, maybe next time in the future, SAP can perhaps deliver the ABAP Dev Edition server along with a local root CA certificate (rootCA.PEM) and the SSL that’s signed with it. That way, we only need to do Step 2 of trusting the local root CA in the process above. Wishful/Hopeful thinking!

gregorw · ‎06-04-2021

Do you know https://github.com/FiloSottile/mkcert? This makes self signed certificates straight forward.

albanleong · ‎06-04-2021

Nice... thanks for the tip and nope, wasn't aware of this!

And looking at this neat utility, it will simplify my steps above especially step 1 (gen local CA) and 2 (trust local CA in OS) but we'll still need to manually perform step 3 (add local CA to SAP) and step 4 (sign cert from a CSR and then import the cert response back into SAP). Also - I think that the sequence would somewhat be different since we need the CSR from the ABAP server to execute mkcert. But, it is really cool as I can see that it works for so many different OS as well as taking SAN and Apple's requirement of the SSL into consideration. Very neat Go code!

What I was really trying to show above is that the process is really rather simple with OpenSSL and document the understanding of the relationship between the local root CA and the self-signed cert throughout the process.

Former Member · ‎06-05-2021

+1 until 'Like' link is back on again

onuorahani49 · ‎06-06-2021

Good work, thanks

UxKjaer · ‎06-06-2021

You could also consider the steps provided here https://youtu.be/k9ET6clRjG8

This will give you an ssl certificate valid for 6 months available on all devices.

albanleong · ‎06-06-2021

Nice video Jakob.

Yes, if you own a valid public domain name, then it’d be certainly possible/beneficial to use that for the ABAP server and you can also sign it for free using services like Let’s Encrypt.

Steps I shared above simply signs the existing SSL that’s delivered on the ABAP server solely for the purpose of local development on your PC or even mobile devices as well. To get it to work on mobile, you just need to import the rootCA.pem to your iOS/Android device and then, it’ll work as long as it’s on the same local network.

yilkba2s · ‎07-11-2021

Hi Jakob,

thanks for the nice video. Tried to do the same but getting an issue during the certificate request: "Validation of the required challenges did not complete successfully. Errors during validation :: : Response received didn't match the challenge's requirements" (see below the detailed log)

I set up a dns-hosting address, retrieving this address also in certify in the dns zone id. Any idea what the cause of this issue is?

2021-07-11 22:30:51.293 +02:00 [INF] ---- Beginning Request [swdd] ----

2021-07-11 22:30:51.293 +02:00 [INF] Certify/5.4.3.0 (Windows; Microsoft Windows NT 10.0.19042.0)

2021-07-11 22:30:51.332 +02:00 [INF] Beginning Certificate Request Process: swdd using ACME Provider:Certes

2021-07-11 22:30:51.332 +02:00 [INF] Requested identifiers to include on certificate: ***.*****.***

2021-07-11 22:30:51.333 +02:00 [INF] Beginning certificate order for requested domains

2021-07-11 22:30:52.875 +02:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2

2021-07-11 22:30:55.852 +02:00 [INF] Created ACME Order: https://api.buypass.com/acme/order/*****MyXeC3FvSimQJXT7YtFLhysU

2021-07-11 22:30:56.137 +02:00 [INF] Fetching Authorizations.

2021-07-11 22:30:57.366 +02:00 [INF] Got http-01 challenge https://api.buypass.com/acme-v02/authz/*****uf3kxTxLi3UjRKxhIOahqgMY/1

2021-07-11 22:30:58.001 +02:00 [INF] Got dns-01 challenge https://api.buypass.com/acme-v02/authz/****uf3kxTxLi3UjRKxhIOahqgMY/2

2021-07-11 22:30:58.001 +02:00 [INF] Attempting Domain Validation: ***.***.***

2021-07-11 22:30:58.001 +02:00 [INF] Registering and Validating ***.***.***

2021-07-11 22:30:58.001 +02:00 [INF] Performing automated challenge responses (****.****.***)

2021-07-11 22:30:58.005 +02:00 [INF] DNS: Creating TXT Record '_acme-challenge.****.***.***' with value '****7o4UwvqKMQS6hc9lfoOW42-dzIFH2E', in Zone Id '****.***' using API provider 'GoDaddy DNS API'

2021-07-11 22:30:59.250 +02:00 [INF] DNS: GoDaddy DNS API :: DNS record added.

2021-07-11 22:30:59.251 +02:00 [INF] Requesting Validation: ***.***.***

2021-07-11 22:33:00.700 +02:00 [INF] Attempting Challenge Response Validation for Domain: ****.***.***

2021-07-11 22:33:00.700 +02:00 [INF] Registering and Validating ****.***.***

2021-07-11 22:33:00.700 +02:00 [INF] Checking automated challenge response for Domain: ****.***.***

2021-07-11 22:33:08.504 +02:00 [INF] Errors during validation ::  : Response received didn't match the challenge's requirements

2021-07-11 22:33:10.516 +02:00 [INF] DNS: Deleting TXT Record '_acme-challenge.****.*****.***', in Zone Id '*****.***' using API provider 'GoDaddy DNS API'

2021-07-11 22:33:11.123 +02:00 [INF] Validation of the required challenges did not complete successfully. Errors during validation ::  : Response received didn't match the challenge's requirements

2021-07-11 22:33:11.124 +02:00 [INF] Validation of the required challenges did not complete successfully. Errors during validation ::  : Response received didn't match the challenge's requirements

2021-07-11 22:33:11.124 +02:00 [INF] Performing Post-Request (Deployment) Tasks..

2021-07-11 22:33:11.124 +02:00 [INF] Task [Export Certificate] :: Task is enabled but will not run because primary request unsuccessful.

2021-07-11 22:33:11.124 +02:00 [INF] Export Certificate :: Task is enabled but will not run because primary request unsuccessful.

2021-07-11 22:33:11.124 +02:00 [INF] Validation of the required challenges did not complete successfully. Errors during validation ::  : Response received didn't match the challenge's requirements

daniel_kosfeld2 · ‎11-30-2021

Very helpful and detailed blog. Thanks, Alban!

albanleong · ‎11-30-2021

Thanks daniel_kosfeld for leaving a comment! Glad you found it helpful!

avaronos · ‎01-12-2022

Thank you very much Alban, for the detailed explanation!

We followed all steps successfully and we also restarted the system. However Safari (we just tested) doesn't accept the certificate. Do you think we did something wrong, or maybe the SAN standard has changed in between?

albanleong · ‎01-12-2022

That is odd indeed - Is it just Safari that's not working? I've not tried it recently but I'd highly doubt a change in the SAN standard to be the cause.

Anyway, a couple of things comes to mind that's worth checking out...
1. Is Safari configured to use a proxy for Internet? If yes, try it without the proxy.
2. If all browsers are affected (not just Safari), check the host file of the system and perhaps it's configured to go to a different address/domain prefix.

Hope that helps!

former_member114082 · ‎06-16-2022

Alban , does it work on SAP ERP 6.0 EHP4?

sergiorecasens · ‎07-24-2023

Thank you for the blog, it worked successfully!

allen_wang · ‎08-01-2023

The system cannot be accessed after following the steps.What causes it?

axel_moschuering · ‎09-12-2023

Hi Alban, hi all,

thank you for the excellent blog. I followed your instructions and now there is no longer the Certificate error, when calling "Sap FIORI Launchpad" from the SAP GUI for example...

so far, so good

BUT: If I try to call a preview of a SAP FIORI Service Binding in Eclipse, I get an "NET::ERR_CERT_INVALID" Certificate error stating the certificate is invalid. I can not even "force" the browser to proceed.

Strangely, if I copy the complete URL into the browser-window, which was opened when calling SAP FIORI Lauchpad from the SAP GUI everything works ok.

I noticed that my generated URL does not contain the FQDN (i.e. only "vhcala4hci" not "vhcala4hci.dummy.nodomain") if that might be the issue. If it ist, how can I fix this ?

Any ideas ?

What am I doig wrong ?

Thank you in advance,

Axel

"

albanleong · ‎09-12-2023

Hey Axel, can you check to see if you have added "vhcala4hci" into the SAN entry as DNS.2? Also, make sure that your own OS host file is also set up correctly to have that same "vhcalc4hci" entry.

If you look at my screenshot #4 above (Ahhh…much better! A complete, no error valid SSL on a local ABAP dev server) you'll notice that it does not have the FQDN as well and it is just pointing to https://vhcala4hci:50001 and it does work the same.

axel_moschuering · ‎09-13-2023

Hi Alban,

thank you for your quick response.

As far as I can see SAN-entries are present.

I entered it into the V3.ext file as described and if I view the certificate in STRUST the entries seem to be there.

STRUST

At least the "mystery" why certificate check works, if I call it from the SAP GUI could be solved: in SAP GUI configuration HTML control was set to "Internet Explorer" - if I change this to "Chromium", I get the same certificate error. Certificate-Viewer states, that the certificate could not be decrypted.

What exactly do you mean with setup in host file ?

I am using windows and "vhcala4hci" is set to localhost IP (127.0.0.0) - is this correct ?

Best wishes,

Axel

axel_moschuering · ‎09-13-2023

Hi,

it's me again.

I think, I solved it:

In the V3.ext file there were spaces between the DNS-entries and the hostnames.

After removing them:

from DNS.1 = *.dummy.nodomain to DNS.1=*.dummy.nodomain
and DNS.2 = vhcala4hci to DNS.1=*.dummy.nodomain

it works now.

Thank you and best wishes,

Axel

albanleong · ‎09-13-2023

Glad it works for you but sort of weird that spaces caused it because I shared the exact file that worked for me. But it's good to know and thanks for providing the updates so it may help others if they also run into similar issue.

somyali_gupta1 · ‎09-14-2023

Hello Alban,

Thanks for the nice blog.

I followed your steps and everything seems fine as per your screenshot, still I am getting same error "Your connection is not secure". I am clueless, any suggestion from your end to cross verify.

albanleong · ‎09-15-2023

Hey Somyali - thanks for trying out the steps in the blog. However, I have shared in detail on what I believe needs to be done in order to get it to work.

Without more details from you on what you've tried and details around your setup - might be hard to suggest things to verify. Perhaps share some screenshots of all the steps that you've taken (eg: show that the certificate is generated and trusted in Keychain/Certificate root, screenshots of STRUST in SAP?) and I can then maybe help spot if anything is missing?