How to renew Wildcard Certificate for SAP System
Ever wondered whether a wildcard (*) certificate can be used across your SAP landscape to keep certificate costs to a minimum? You can, but it is not the recommended approach for any SAP production landscape, and from a security perspective SAP does not support it. If you still want to go down this path, you do so at your own risk. Once the wildcard certificate is in place, the next question is how to renew it, since a renewal touches every system that shares it. In this post, let's check out how to renew a wildcard certificate for an SAP system.
What is a Wildcard Certificate
A certificate (commonly still called an SSL certificate, after the Secure Sockets Layer protocol that TLS replaced) is a small data file in which a Certificate Authority (CA) digitally binds a public key to the details of its owner, the subject. The matching private key is never part of the certificate; it stays in the key store, which on an SAP system is the PSE. Together, the certificate and the private key form the identity a system presents over TLS.
A wildcard certificate extends this by allowing one signed certificate to serve many hosts, or subjects, under the same domain.
Normal certificate
CN=<Host>.<FQDN>
Wildcard Certificate
CN=*.<FQDN>
Note that a wildcard matches exactly one label: *.<FQDN> covers sapprd.<FQDN> but not sapprd.dev.<FQDN>, and not the bare <FQDN> itself. While generating the CSR for a wildcard certificate, take advantage of SAN (Subject Alternative Name) entries to define every additional hostname or alias the different subjects or instances are reached by. Modern TLS clients, browsers included, validate against the SAN list rather than the CN, so the wildcard itself should be listed there as well.
How to get a Signed Certificate
Once the PSE with the wildcard subject has been generated, create the CSR via transaction STRUSTSSO2 or at OS level via SAPGENPSE. Normally it is recommended to generate the PSE at application level via the STRUSTSSO2 T-code. While generating the CSR, add the SAN entries, i.e. the required DNS names or additional hostnames.
Once the CSR is generated, share it with your CA and get back the signed certificate with the full chain, i.e. the CA's root and intermediate certificates. Import the response into the PSE via STRUSTSSO2 and you are done. No restart of the SAP application is required, as the PSE update is an online activity.
How to renew Certificate
Normally, as you are renewing the same certificate with the original DN, you can ask your CA to issue the renewed certificate directly from their side. They will share it as a .pfx (PKCS#12) file, which contains the private key as well as the certificate, so treat it as key material: transfer it over a protected channel, keep the password out of tickets and scripts, and delete the file once it has been imported into the PSE. The import procedure for a .pfx is covered in a separate post.
If the CA insists on a new CSR, generate it as described above and make sure to use the same SAN entries as before. Be aware that a CSR also carries the public key of the PSE that produced it, so the signed response will only import into a PSE holding that same key pair. CSRs from different systems are therefore identical only if the wildcard PSE was created once and then copied to the other systems (or imported everywhere from the same .pfx), which is the usual way a wildcard certificate ends up shared across a landscape. In that case, generate the CSR on one system, and once you receive the signed response from the CA, import that same response into the PSE of every SAP system using the wildcard certificate via STRUSTSSO2. A system whose PSE was generated on its own, with a different key pair, will reject the import and needs either its own CSR or a copy of the renewed PSE. Keep in mind that this shared private key is exactly why the wildcard approach is discouraged: a compromise of any single system exposes the certificate for all of them.
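As an added example (not part of the original post, and not SAP tooling), the checks worth running on a CA response before pushing it into every PSE in the landscape, as a POSIX shell script: it confirms the response carries the same public key as the PSE's current own certificate (a CSR embeds the PSE's public key, so the response fits only PSEs with that key pair), that it verifies against the chain the CA shipped, and that the SAN list, with one-label wildcard matching, covers each hostname the systems are reached by. It assumes the OpenSSL command-line tool is installed. The key pairs, CSR and stand-in CA are constructed inline; in real use the own certificate of each PSE would be exported with sapgenpse (export_own_cert, syntax as I recall it, so check the built-in help on your system).

```shell
#!/bin/sh
# Added example, not from the original post or from SAP: pre-import checks for
# a CA response that is destined for several SAP PSEs.  Assumes the OpenSSL CLI
# is on PATH.  All key pairs, certificates and hostnames below are constructed
# for the demo; the own certificates stand in for what
#   sapgenpse export_own_cert -p SAPSSLS.pse -x <PIN> -o own.crt   (syntax from memory)
# would export from each system's PSE.

WORK="$(mktemp -d)"

# Constructed fixture: key A is the key pair inside the PSE that produced the
# CSR; key B belongs to a PSE that another system generated on its own.  A
# stand-in root CA signs the CSR and copies the SAN extension into the cert.
make_fixture() {
  [ -f "$WORK/signed.crt" ] && return 0
  cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = *.example.com
O = Example Corp
C = DE
[ext]
subjectAltName = DNS:*.example.com, DNS:sapprd.example.com, DNS:fiori.example.com
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
  for k in keyA keyB ca; do openssl genrsa -out "$WORK/$k.pem" 2048 2>/dev/null; done
  openssl req -new -key "$WORK/keyA.pem" -config "$WORK/san.cnf" -out "$WORK/wild.csr" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.pem" -config "$WORK/san.cnf" -extensions ca_ext \
    -subj "/CN=Demo Root CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/wild.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.pem" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -extensions ext \
    -out "$WORK/signed.crt" 2>/dev/null
  # A fresh PSE holds a self-signed certificate for its own key until the CA
  # response is imported; that is what export_own_cert would hand us.
  for k in A B; do
    openssl req -x509 -new -key "$WORK/key$k.pem" -config "$WORK/san.cnf" \
      -subj "/CN=*.example.com" -days 1 -out "$WORK/own$k.crt" 2>/dev/null
  done
}

# key_matches OWN_CERT SIGNED_CERT: succeeds only if both certificates carry the
# same public key, i.e. the response fits the key pair stored in that PSE.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# chain_ok CA_BUNDLE SIGNED_CERT: the response must verify against the root and
# intermediate certificates the CA shipped with it.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_covers SIGNED_CERT HOST: succeeds if HOST is listed in the SAN or matched
# by a wildcard entry.  A wildcard matches exactly one label (RFC 6125), so
# *.example.com covers sapprd.example.com but not sapprd.dev.example.com.
san_covers() {
  cert="$1"; host="$2"
  sans="$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')"
  while read -r san; do
    case "$san" in
      \*.*)
        suffix=${san#\*.}
        label=${host%.$suffix}
        # matched only if the host ends in ".suffix" and the rest is one label
        if [ "$label" != "$host" ] && [ -n "$label" ] && [ "$label" = "${label%%.*}" ]; then
          return 0
        fi ;;
      *)
        [ -n "$san" ] && [ "$san" = "$host" ] && return 0 ;;
    esac
  done <<EOF
$sans
EOF
  return 1
}

# Stand-alone run: report what each check says for both PSEs and a few hosts.
make_fixture
for own in ownA ownB; do
  if key_matches "$WORK/$own.crt" "$WORK/signed.crt"; then
    echo "$own: response matches this PSE's key pair, safe to import"
  else
    echo "$own: key mismatch, this system needs its own CSR or a copy of the renewed PSE"
  fi
done
chain_ok "$WORK/ca.crt" "$WORK/signed.crt" && echo "chain: OK"
for h in sapprd.example.com fiori.example.com sapprd.dev.example.com example.com; do
  san_covers "$WORK/signed.crt" "$h" && echo "$h: covered" || echo "$h: NOT covered"
done
```

Run it once per system with that system's exported own certificate in place of ownA.crt; a key mismatch there is the sign that the PSE was not copied from the system that generated the CSR, and the response must not simply be imported on top of it.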
That's it: your certificate is renewed and its validity is extended. Make sure the renewed certificate is also updated wherever you have an SSL integration with other systems, for example the S/4 and FIORI integration or the FIORI and Web Dispatcher configuration.
It was that simple, right? If you have any other interesting scenarios, do share them via the comments.
Reference SAP Notes: 2148457 & 1473710