Creating the Server's Key Pair to Use for SSL
1. Logon to the Netweaver Administrator :
http://<hostname>:<port>/NWA
2. Navigate to : Configuration Management > System > Certificate and Keys.
3. From the list of Keystore Views, select the ICM_SSL_<instance_ID>.
The contents of the selected keystore view appear.
By default, these keystore views contain a key pair that is created during installation for using
SSL on the AS Java.
This key pair is signed by a testing CA, therefore we recommend that you limit the use of the
default certificate to testing purposes.
4. Choose each entry “ssl-credentials” and “ssl-credentials-cert” and choose <Delete>
Confirm Deletion :
Page 1
5. Choose <Create
The following “Add New Key Storage Entry “wizard that appears :
Entry Name
ssl-credentials
Algorithm
RSA
Key Length
1024
Valid from
Todays date
Valid to
accept default value
Store Certificate
Select
For Example :
Page 2
Choose <Next>
Add the following details :
Country Name
GB
Organisation Name
Company Name
Common Name
Fully Qualified URL
For example :
Page 3
Choose <Next>
Choose <Next>
Page 4
Choose <Finish>
This will take you back to the original Page :
Choose the “ssl-credential” entry and select <Generate CSR Request> :
Select Format “Base64 encoded “ , and Link “Download”
Save the fiole to your desktop as “ssl-credentials.txt”.
Generate CSR Request
1. Open the File with Notepad :
-----BEGIN NEW CERTIFICATE REQUEST----MIIBezCB5QIBADA8MQswCQYDVQQGEwJHQjEOMAwGA1UEChMFR01QVEUxHTAbBgNV
BAMTFGdtcHNzbXFhcy5nbXBzYXAuaW50MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQCqONd8ubwkww+Nb5tAc9bKhXBJ0hJpl0aXoKpyC2Pa/ERLY2Ac+PgnJC1I
JU5UVqEBVhFKVlnQGFQOwVfSVGdx1L39jriX01bGPzeOat6/Rm9YQbHJQ84PDbNO
IMarT/6+LY5iJZ2fF5WGBzAjyAwgltpUnUUT37HjluT+hEcZ9wIDAQABoAAwDQYJ
KoZIhvcNAQEEBQADgYEAcr98D2KHj+jKzVtOdSwO4egtS1wFQ9jbBWBK1Bu5DH+i
4GtWRzliFg6uvcvP2AbfUO30KNoDZ9cn7hfXxIP8jk40WGKZtU0xW3iISItUUfoC
sXftO9u3juSpm8k3c9uvWLFlE+ztcuUAxEXIZ3yNNJPFLFIqyasF6j+WO43lrD8=
-----END NEW CERTIFICATE REQUEST-----
2. The Certificate needs to be signed by a Certified CA .
Signing the Certificate is not documented here as it depends on which CA you use.
Test SAP SSL Certificates can be obtained from http://service.sap.com/tcs
3. The following is a sample of the Signed Test SSL Certificate from SAP :
Page 5
-----BEGIN CERTIFICATE----MIICgjCCAeugAwIBAgIOUJ30jKCoDEgQAwEADNcwDQYJKoZIhvcNAQEFBQAwUDEL
MAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVzdCBDb21tdW5pdHkxDzANBgNV
BAsTBlNlcnZlcjESMBAGA1UEAxMJU2VydmVyIENBMB4XDTEwMTExNjEwMjIwMloX
DTExMDExNTEwMjIwMlowWzELMAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVz
dCBDb21tdW5pdHkxDzANBgNVBAsTBlNlcnZlcjEdMBsGA1UEAxMUZ21wc3NtcWFz
LmdtcHNhcC5pbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKo413y5vCTD
D41vm0Bz1sqFcEnSEmmXRpegqnILY9r8REtjYBz4+CckLUglTlRWoQFWEUpWWdAY
VA7BV9JUZ3HUvf2OuJfTVsY/N45q3r9Gb1hBsclDzg8Ns04gxqtP/r4tjmIlnZ8X
lYYHMCPIDCCW2lSdRRPfseOW5P6ERxn3AgMBAAGjVDBSMAwGA1UdEwEB/wQCMAAw
EwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBQP
Sz6jNosDnAOmYLLIOUzABhrPGTANBgkqhkiG9w0BAQUFAAOBgQA1O0y692nwBvIm
WrZ23D5hRMwMRLONjxs3Fp/fbiPfDult9ZogpkamaOlXdshdXIz9MN8JVg4deKag
uvvk3LyazVNjPjoZSeyd0/ulHb4CFrK/ETPufcn9YfljQw24EURUKlzXBX8GGbfn
qec1Z/mQaG2K7oCdsf90foM/l++7QA==
-----END CERTIFICATE-----
4. Save the signed certificate as “ssl-credentials.crt" i.e. X509 format
Select the “ssl-credentials” entry and choose <Impory CSR Response>
5. Browse to the saved “ssl-credentials.crt” file
Select it and press <Add>
Page 6
6. The entry will be added to the CSR Response List .
Choose <Import>
7. The entry will be added and be displayed :
Note : The above example screen shot uses a “test” certificate, with an expiry of 3 months.
This is why the entry shows with a “yellow” warning triangle.
8. Restart the J2EE Engine.
Page 7