SumB

Overview:

When a server's SSL certificate has expired, or when new application servers are introduced into the landscape, we need to share a Certificate Signing Request (CSR) with the Certificate Authority (CA).

The usual method is to create the CSR from the SSL Server Standard PSE in STRUST and share it with the CA. Sometimes, however, an error appears on the CA side saying that the CSR doesn't conform to policy and a new CSR must be generated, or a PSE error appears while importing.

So today I'll discuss how to use STRUST's replacement wizard to generate a new CSR, share it with the CA, and import the response back.


Pre-requisite:

A valid user with access to the STRUST tcode with change authorizations.

In order to make use of the Replacement Wizard tool, the system must have the corrections of SAP Note 2414090 - STRUST wizard to replace existing key pairs. This requires a minimum of:

SAP_Basis 740: SAPKB74017
SAP_Basis 750: SAPK-75007INSAPBASIS
SAP_Basis 751: SAPK-75102INSAPBASIS

 

Process:

There are two ways to fix the error reported above on the CA side:

  • Delete the existing PSE and recreate the SSL Server Standard PSE to generate the CSR. This is not a recommended approach in productive scenarios.
  • Use STRUST's replacement wizard, which is the recommended option. Its advantage is that it creates a new certificate key pair without disturbing the existing one, and it can also be used to add additional Subject Alternative Names (SANs) when new application servers are added. Until the existing key pair is replaced with the new response, the existing PSE remains intact and continues to work, provided it has not expired.

STRUST > Go to change mode > Right-click SSL Server Standard > Replacement Wizard

This launches the replacement wizard:


Step 1: Confirm the DN and change it if needed. In this step you can also add multiple new SANs or delete the ones that are no longer required.

Step 2: Confirm the algorithm.

Step 3: Confirm creation of the key pair with the details shown on screen, such as CN and SAN.

Step 4: The CSR is generated. Copy it as plain text and share it with the CA.

When the CA confirms that the CSR is signed and ready to import, come back to the SSL Server Standard replacement wizard.

The beauty of the replacement wizard is that it knows a CSR was generated previously, so when you relaunch it, it takes you directly to the next step.

Step 5: Import certificate request. It can be either a PKCS#7 file or a PEM file containing all root and intermediate CA certificates.

Step 6: If the certificate is good and no errors are reported, it is ready to use. Click Activate New Key Pair and Certificate.

Finally, you will get a wizard completion confirmation.

Once the certificate is imported here, go back to the SSL Server Standard PSE and verify details such as the expiry date and the SAN names you added in the first step.

Don't forget to share the new SSL certificate with the systems that interact with your system over HTTPS.
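
An added example, not part of the original post or of SAP's tooling: a shell pre-check for the CSR text copied in Step 4, run on a workstation with OpenSSL 1.1.1 or later, confirming before it goes to the CA that the self-signature verifies, the RSA key size meets a minimum, and every SAN entered in Step 1 is present. The host names, the 2048-bit minimum, the function names and the sample CSR are assumptions constructed for illustration.

```shell
# check_csr <csr.pem> <min_rsa_bits> <required SAN DNS name>...
# Returns 0 when every check passes, 1 otherwise; prints one line per finding.
check_csr() {
    local csr="$1" min_bits="$2" text bits sans san rc=0
    shift 2

    # 1. A valid self-signature shows the CSR was not truncated or altered when pasted.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: self-signature does not verify (copy/paste damage?)"
        return 1
    fi
    text=$(openssl req -in "$csr" -noout -text)

    # 2. Key size from the algorithm step (an RSA key is assumed here).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key size ${bits:-unknown} is below the required $min_bits bits"
        rc=1
    fi

    # 3. Every expected host name must appear as a DNS entry in the SAN extension.
    sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
           | tail -n1 | tr -d ' ' | tr ',' '\n')
    for san in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "DNS:$san"; then
            echo "FAIL: missing SAN DNS:$san"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: CSR passes all checks"
    return "$rc"
}

# Constructed stand-in for the wizard's CSR, so the check can be tried offline
# (hypothetical host names; a real CSR comes from the wizard's Step 4).
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=sapapp1.example.com" \
        -addext "subjectAltName=DNS:sapapp1.example.com,DNS:sapapp2.example.com" \
        2>/dev/null
}

# Demo: one passing check, then one that flags a host name missing from the SANs.
tmp=$(mktemp -d)
make_sample_csr "$tmp/new.csr"
check_csr "$tmp/new.csr" 2048 sapapp1.example.com sapapp2.example.com
check_csr "$tmp/new.csr" 2048 sapapp3.example.com || true
```
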

 

Check the notes below for more information on STRUST and SSL:

2414090 - STRUST wizard to replace existing key pairs - SAP for Me

2985997 - Explanation of components below BC-SEC - SAP for Me 

 

Thanks!!

Sumit
