Our blogs always aim to keep tech stuff simple and your systems safe. A few years ago, Cristiano Hansen, an expert at SAP, shared tips about public certificates. However, with hackers getting smarter, SAP had to up its game. Hence, as businesses want better security and smart automation (RPA), a trusted certificate becomes crucial.

Purpose. 

This blog explains how to set up a trusted certificate in newer SAP versions. We break it down step by step, including fine-tuning details such as the right algorithms and the Subject Alternative Name (SAN). For clarity, the sequential steps to set up a trusted SSL certificate in an SAP ABAP system are illustrated below.

Step 1. 

Open the STRUST tool and look at “SSL Server Standard”.

[Figure: STRUST Manager]

Notice that the name here does not match your server’s name. To resolve this, right-click on “SSL Server Standard”, choose “Replace”, and click “Yes” if asked. In our example below, we have two application servers with SID and Common Name both as KQ3.

[Figure: Prompt]

Step 2. 

Check that the setting is RSA/2048/SHA256.

[Figure: SAN (Subject Alternative Name)]

Adjust names to match their public addresses. Sometimes, another team might give you this name, especially in large corporations.

[Figure: External Names]

Step 3. 

Save your work, close STRUST, and then open it again.

Step 4. 

Click on the new PSE and pick “Create Certificate Request”.

[Figure: Create Certificate Request]

Make sure to choose SHA256 here based on current recommendations:

[Figure: SHA256]

Step 5. 

Add more names for both internal and external web addresses. Due to new rules, both can’t be verified by external groups like Verisign.

After doing this, you’ll get a Certificate Request. Keep it safe and send it to your CA for approval.

Step 6. 

Now, send your data to the team that issues certificates and ask for an external one. If you are looking for free external certificates, check out “Let’s Encrypt”. For a deeper dive, Zoltan Sekeres’s informative blog is worth perusing.

You’ll get some important files in return. Open them in an editor, like Notepad++, and join the contents.

[Figure: Server Certificate; Chain of Root/intermediate Certificates]
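A pre-import sanity check for the joined file from Step 6, added here as an example (it is not part of the original article or an SAP tool). It catches join mistakes an editor can introduce, such as a lost newline between two certificate blocks or a byte-order mark, and prints nothing itself but returns a SHA-256 fingerprint per block for comparison with what the CA sent. The function names are hypothetical and the sample blocks are constructed filler, not real certificates.

```python
import base64
import hashlib

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def der_length_ok(der):
    """True if the bytes are one DER SEQUENCE whose declared length fits exactly."""
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:
        return False
    n = der[1] & 0x7F if der[1] > 0x80 else 0      # long form: n length bytes follow
    size = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return n <= 4 and len(der) == 2 + n + size

def check_bundle(text):
    """Return (sha256_fingerprints, problems) for the joined PEM text."""
    problems, prints, body, inside = [], [], [], False
    if text.startswith("\ufeff"):
        problems.append("file starts with a byte-order mark")
        text = text.lstrip("\ufeff")
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN and not inside:
            inside, body = True, []
        elif line == END and inside:
            inside = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError:
                problems.append(f"line {n}: block is not valid base64")
                continue
            if not der_length_ok(der):
                problems.append(f"line {n}: block is not a complete DER structure")
            prints.append(hashlib.sha256(der).hexdigest())
        elif BEGIN in line or END in line:
            problems.append(f"line {n}: marker fused with other text or out of order")
        elif inside:
            body.append(line)
    if inside:
        problems.append("last block has no END line")
    if len(prints) < 2:
        problems.append("expected server certificate plus at least one chain certificate")
    return prints, problems

def fake_cert(fill):
    """Constructed stand-in (DER header plus filler bytes), not a real certificate."""
    der = b"\x30\x82" + (300).to_bytes(2, "big") + bytes([fill]) * 300
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"

GOOD = fake_cert(1) + fake_cert(2)                     # server certificate, then chain
FUSED = GOOD.replace(END + "\n" + BEGIN, END + BEGIN)  # newline lost while pasting
```

To check a real file, read it as text and pass the contents to `check_bundle`; an empty problem list and one fingerprint per expected certificate means the join is structurally sound.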

Step 7. 

It’s time to add this joined file in STRUST.

[Figure: Change STRUST Manager]

Step 8. 

Import your file, like “SignedCertificateResponse—KQ3.crt”. Be careful to pick the right option for SSL Server.

Click on Server PSE and Save As:

[Figure: Server PSE]

Be sure to select the right option below for SSL Server! Easy to Miss!

[Figure: SSL Server]

Step 9. 

Now, test it in your browser. If done right, everything should work smoothly.

Troubleshooting issues with a trusted SSL certificate:

Trouble loading the PSE? Delete instead of Replace:

[Figure: Delete instead of Replace]

Remove Temporary Files:

[Figure: Delete Temporary Files]

Ensure that the service defined in SMICM is for the right port. In our case, it is the default 443:

[Figure: SMICM]

Ensure that the ICM is restarted implicitly by STRUST. (You will get a message PSE Saved/ICM was Notified):

[Figure: ICM Notified]

Conclusion.  

You have now successfully imported your externally signed trusted SSL certificate! If you have problems, please review the steps above, check the troubleshooting steps, or contact the author.

A modified version of this article was first published by the author on SAP Blogs. #SAPCommunity