Wednesday, 22 May 2024

Simple way to renew NW ABAP SSL certificate with STRUST Replacement Wizard

Overview:


Many a times it is seen that when SSL certificate of a server is expired or when new application servers are introduced in landscape, we need to share Certificate Signing request (CSR) with Certificate Authority (CA).

Method generally used is to create CSR form SSL Server Standard pse of STRUST and share with CA but sometime below error appears at CA side CSR doesn’t conform to policy and new CSR must be generated or pse error while importing.

So, today I’ll discuss how to use STRUST’s replacement wizard to generate, share new CSR with CA and import back the response.


Pre-requisite:


A valid use with access to STRUST tcode with change authorizations.

In order to make use of the Replacement Wizard tool, the system must have the corrections of SAP Note 2414090 - STRUST wizard to replace existing key pairs. This requires a minimum of:

SAP_Basis 740 SAPKB74017
SAP_Basis  750  SAPK-75007INSAPBASIS 
SAP_Basis  751  SAPK-75102INSAPBASIS 

Process:


To fix the above reported error at CA side there are two ways:

◉ Delete existing PSE and recreate SSL standard pse to generate CSR – which is not a recommended approach in productive scenarios
◉ So, the recommended option would be to use STRUST’s replacement wizard. Advantage of this method is that it’ll create a new certificate key pair without disturbing existing one and can be used to add additional Subject Alternative Names (SAN) too when new application servers are added. Until the existing one is replaced with new response, existing pse will remain intact and continue to work if not expired.

STRUST > Go to change mode > Right click SSL Server Standard> Replacement Wizard

This will launch replacement wizard:

Simple way to renew NW ABAP SSL certificate with STRUST Replacement Wizard

Step1: Confirm on DN, change if needed, in this step you also have option to add multiple new SANs or delete the non-required ones as well

Simple way to renew NW ABAP SSL certificate with STRUST Replacement Wizard

Step2: Confirm on Algorithm

Simple way to renew NW ABAP SSL certificate with STRUST Replacement Wizard

Step3: Confirm to create key pair with details shown on screen like CN & SAN

Simple way to renew NW ABAP SSL certificate with STRUST Replacement Wizard

Step4: CSR is generated, this can be copied in a plain text and should be shared with CA

Simple way to renew NW ABAP SSL certificate with STRUST Replacement Wizard

When CA confirms that CSR is signed and ready to import, comeback to SSL Server standard replacement wizard.

Beauty of replacement wizard is that it knows a CSR was generated previously and when you relaunch it will take you directly to next step.

Step5: Import certificate request, it can be either PKCS#7 file or pem file containing all root & intermediate CA certificates

Simple way to renew NW ABAP SSL certificate with STRUST Replacement Wizard

Step6: if certificate is good and no errors reported then it’s ready to use, click activate New Key Pair and Certificate

Simple way to renew NW ABAP SSL certificate with STRUST Replacement Wizard

And in last you will get a wizard completion confirmation.

Simple way to renew NW ABAP SSL certificate with STRUST Replacement Wizard

Once certificate is imported here, go back to SSL server standard pse and verify the details like expiry date and SAN names you added in first step.

No comments:

Post a Comment