3.3 Server Configuration
3.3.3 Certificate Management
This section describes the Certificate Management page of the administration console.
The Certificate Management page allows you to do the following:
Create certificates
View certificates
Export certificates
Import certificates
The first decision to make is whether the Secure Login Server should create and manage one or more public key infrastructures itself, or whether an existing company PKI is to be used on top.
Both are possible, and even a mixture of the two: you may, for example, have one Secure Login Server PKI below your enterprise PKI and two others created independently by the Secure Login Server.
Because the Secure Login Server is highly flexible, PKIs can be added, replaced, or deleted at any time.
Choose the Certificate Management node from the tree in the left-hand pane.
The following page appears:
Figure: Administration Console – Certificate Management
Option Details
PKI Tree
One or more tree views of independent PKIs.
One DefaultPKITree named Root CA SAP Security is available here.
Create New Root CA
Define a display name for the new PKI and create a top-level Certification Authority (Root CA).
3 Administration
Certificate Information
Common Name
Common name of the selected certificate.
Path
File path of the selected certificate file.
Save Password
Password protection status of the selected certificate file.
Mapping to Instance
List of all instances and selections that are supposed to use this user CA. This option is available for user CAs only.
More Details
Further details of the X.509 certificate.
[PKI Information]
Displays the name of the PKI structure.
[CA Operations]
Selects the Certification Authority of a PKI for further management operations.
Issue
Creates a new Certification Authority of this type (USER_CA, SAP_CA or SSL_CA).
Change Password
Changes the password of the selected CA.
Remove Password
Removes the password of the selected CA. A password must be given for each following management operation of this CA.
[Export Certificate] Exports the selected certificate.
Export Type
Chooses the export type for the certificate.
Possible export types: .crt, .p12, .pse, or .jks.
New Password
Defines the password of the exported certificate file. This option is not available if you choose the export type .crt.
[Import New PKI] Imports the key store into the certificate list.
Note: Only PSE files can be imported.
PKI Name
Displays the name of the new PKI the certificate belongs to.
The following special characters are not supported:
~`!@#$%^&*()_-+= }{:"?><,./;'[]\|
[Selection List]
The selection list allows you to associate the type of CA of the certificate. Each type can be associated only once.
Browse
Opens a file browser to select the certificate file.
Open Password
Password that protects the certificate file.
Save Password
Allows you to save the password in the configuration file.
Create New PKI
Use this function to create a new internal PKI that has its own root CA certificate.
Enter a display name for the new PKI, for example, NEW PKI, and choose Create New Root CA.
Define the certificate parameters for the new root CA certificate and choose Create.
Entries marked with an asterisk (*) are mandatory.
The new PKI should now be available in the PKI tree.
Import New PKI
Use this function to create a new PKI that uses external CA certificates. This way it is also possible to create a PKI without having the issuing root CA stored inside the Secure Login Server.
1. Enter a display name for the new PKI, for example, ImportPKI.
2. Select the type of CA to be imported, for example, ROOT_CA.
3. Choose Browse… to open a file browser. Locate and open the PSE file.
4. Enter the password for the PSE file in the field Open Password.
5. As an option, you can choose to save the password.
6. Choose the Import pushbutton to complete.
The imported PKI should be available in the PKI tree.
Create SAP CA Certificate
Use this function to create an SAP CA certificate.
1. Choose the Root CA certificate in the PKI tree list.
2. Select the certificate type SAP_CA in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.
Figure: Administration Console – Create SAP CA Certificate
Entries marked with an asterisk (*) are mandatory.
Option Details
Create SAP_CA – Subject Information
Common Name*
Enter the common name of the certificate (CN).
Example: SAP CA SAP Security
Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of the certificate starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of the certificate ends (format: YYYY-MM-DD).
Password*
Enter the password for this certificate in this field.
The password length is limited to 20 characters.
Save Password
If this checkbox is activated, this password is stored.
This means that you do not need to remember the password when editing this certificate at a later date.
Confirm Password*
Confirm the encryption password entered in the field above.
Create SAP Server Certificate
Use this function to create a certificate for the SAP NetWeaver Application Server (AS).
1. Choose the SAP_CA certificate in the PKI tree list.
2. Select the certificate type SAP_Server in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.
Figure: Administration Console – Create SAP Server Certificate
Entries marked with an asterisk (*) are mandatory.
Option Details
Specify the parameters of the SAP Server Certificate
Common Name*
Enter the common name of the certificate (CN).
Example: SAP SID
Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of this certificate starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).
Password*
Enter the password for this certificate in this field. The password length is limited to 20 characters.
Confirm Password*
Confirm the encryption password entered in the field above.
Save password to file
If this checkbox is activated, this password is stored.
This means that you do not need to remember the password when editing this certificate at a later date.
Create SNC Certificate
Use this function to create a certificate for the SNC connection to SAP NetWeaver Application Server (AS).
Using this certificate the Secure Login Server establishes a secure communication with the SAP NetWeaver AS to verify SAP user credentials.
1. Choose the SAP_CA certificate in the PKI tree list.
2. Select the certificate type SNC_CERT in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.
Figure: Administration Console – Create SNC Certificate
Entries marked with an asterisk (*) are mandatory.
Option Details
Create SNC_CERT – Subject Information
Common Name*
Enter the common name of the certificate (CN).
Example: SLSSNC
Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE
Encryption Key Length
Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of this certificate starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).
Password*
Enter the password for this certificate in this field.
The password length is limited to 20 characters.
Confirm Password*
Confirm the encryption password entered in the field above.
Save password to file
If this checkbox is activated, this password is stored.
This means that you do not need to remember the password when editing this certificate at a later date.
Create Login Certificate
Use this function to create a login certificate for the Secure Login administration console. With this certificate, the Secure Login administrator establishes a certificate-based logon to the Administration Console.
1. Choose the SAP_CA certificate in the PKI tree list.
2. Select the certificate type LOGIN_CERT in [CA Operations].
3. Choose the Issue pushbutton and define the certificate parameters.
Figure: Administration Console – Create Login Certificate
Entries marked with an asterisk (*) are mandatory.
Option Details
Create LOGIN_CERT – Subject Information
Common Name*
Enter the common name of the certificate (CN).
Example: Username
Organizational Unit
Enter the division of the company in this field (OU).
Example: SAP Security Department
Organization
Enter the company name in this field (O).
Example: Company xyz
Locality
Enter the regional information in this field (L).
Example: Walldorf
Country
Enter the country abbreviation in this field (C).
Example: DE (for Germany)
Encryption Key Length
Select the encryption key length for the server (512, 1024, 1536, 2048, 3072, or 4096 bits).
Valid From*
Enter the date when the validity of this certificate starts (format: YYYY-MM-DD).
Valid To*
Enter the date when the validity of this certificate ends (format: YYYY-MM-DD).
Password*
Enter the password for this certificate in this field.
The password length is limited to 20 characters.
Confirm Password*
Confirm the encryption password entered in the field above.
Save password to file
If this checkbox is activated, this password is stored.
This means that you do not need to remember the password when editing this certificate at a later date.
Subject Alternative Names (E-mail)*
This field is used to map the certificate to a user. For more information, see section 4.6 Configure SSL Certificate Logon.
Example: LoginCert_Admin
This login certificate needs to be imported into a browser application. Therefore, export this certificate in .p12 format and import it into your browser application.
In addition, it is required to assign this login certificate to a user (user mapping). For more information, see section 4.6 Configure SSL Certificate Logon.
Export Certificate
Use this function to export any kind of certificate in the PKI list.
1. Choose the desired certificate in the PKI tree list, for example, Root CA SAP Security.
2. Select the Export Type, for example, .pse.
3. Define the password of the exported certificate file.
4. Choose the Export pushbutton to save the file to the desired location.
Option Details
Export Type
.pse
Exports the certificate in PSE format.
This file includes all keys and all certificates of the complete certificate chain.
.crt
Exports the public certificate information only.
.p12
Exports the certificate in P12 format.
This file includes all keys and all certificates of the complete certificate chain used.
.jks
Exports the certificate in Java Key Store format.
Import Certificate
If a certificate entry in the list is grayed out, it means this certificate is not present. Use the import function to load a new certificate.
1. Choose the desired certificate in the PKI tree list, for example, SAP_CA.
2. Choose Browse… to open a file browser. Locate and open the PSE file.
3. Enter the password for the PSE file in the field Open Password.
4. As an option, you can choose to save the password.
5. Choose the Import pushbutton to complete your import.
Imported certificates need to be part of the PKI structure. A trust relation to an existing root CA certificate, when available, is required.
If the desired certificate has no trust relation to the root CA certificate, the error message Trust connection cannot be established with ROOT CA appears.
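As an added illustration that is not part of this guide or of the Secure Login Server product, the following Go program models the trust relation the import function checks: it builds a PKI tree Root CA -> SAP_CA -> SAP server certificate with Go's standard crypto/x509 package and shows that chain verification succeeds only when every issuing CA up to the root is present. The subject names, the Ed25519 key type, and the one-year validity are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn: self-signed when parent is nil, otherwise signed by parent with parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // assumption: Ed25519 instead of the RSA sizes the console offers
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; a real CA uses random serials
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Company xyz"}, Country: []string{"DE"}},
		NotBefore:             time.Now().Add(-time.Hour),            // Valid From
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // Valid To
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil { // nothing above it in the tree: a self-signed Root CA
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert, key
}

// trustConnection reports whether cert chains to root via inters, the trust relation the import function requires.
func trustConnection(root, cert *x509.Certificate, inters ...*x509.Certificate) bool {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
// demo builds Root CA -> SAP_CA -> SAP server certificate and checks the server certificate with and without its issuing SAP_CA.
func demo() (withCA, withoutCA bool) {
	root, rootKey := issue("Root CA SAP Security", true, nil, nil)
	sapCA, sapKey := issue("SAP CA SAP Security", true, root, rootKey)
	server, _ := issue("SAP SID", false, sapCA, sapKey)
	return trustConnection(root, server, sapCA), trustConnection(root, server)
}
```

demo returns (true, false): the server certificate is accepted when SAP_CA is in the tree and rejected when the intermediate is missing, which is the situation behind the trust-connection error message above.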