How to renew Wildcard Certificate for SAP System
Ever wondered whether a wildcard (*) certificate can be used for your SAP landscape to keep certificate costs to a minimum? Yes, you can do it, but this is not the recommended way for any SAP production landscape, and from a security perspective SAP does not support it. If you still want to go down this path, you do so at your own risk. After implementing a wildcard certificate, the question arises of how to renew it, since the renewal affects your whole SAP landscape. In this post, let's check out how to renew a wildcard certificate for an SAP system.
What is Wildcard Certificate
Certificates, or SSL (Secure Sockets Layer) certificates, are small data files that digitally bind a cryptographic key to an organization's details. Each certificate identifies its subject in a secure way through the combination of a public and a private key. For more details, please read here.
A wildcard certificate extends this by allowing you to use a single signed certificate for multiple instances or subjects.
Normal certificate
CN=<Host>.<FQDN>
Wildcard Certificate
CN=*.<FQDN>
While generating the CSR for a wildcard certificate, you can take advantage of SAN (Subject Alternative Name) entries to define multiple hostnames or aliases that can be used for different subjects or instances.
How to get Signed Certificate
Once you have generated a PSE with the wildcard entries, create the CSR via transaction STRUSTSSO2 or at OS level via SAPGENPSE. It is normally recommended to generate the PSE at application level via the STRUSTSSO2 transaction. While generating the CSR, add the SAN entries, i.e. the required DNS names or additional hostnames.
Once the CSR is generated, share it with your CA and get the signed certificate with the full chain, i.e. including the CA's root and intermediate certificates. Import the response back into the PSE via STRUSTSSO2 and you are done. No SAP application restart is required, as it is all an online activity.
How to renew Certificate
Normally, as you will be renewing the same certificate with the original DN, you can ask your CA to issue the renewed certificate directly from their side. They will share it in .pfx format and you can import it into your system. For details, please refer here.
If your CA requires a new CSR, follow the method described above to generate it. Make sure to use the same SAN entries as before. As all contents, including the SAN entries, are the same, the CSR generated from any one system will be identical to the rest. Once you receive the signed response from the CA, you can use the same response to update the certificate in all your SAP systems that use the same wildcard certificate. You just need to import the response back into the PSE via STRUSTSSO2.
That's it: your certificate is renewed and its validity is extended. Make sure to update this renewed certificate wherever you have SSL integration with other systems, for example the S/4 and Fiori system integration or the Fiori and Web Dispatcher configuration.
It was that simple, right? If you have any other interesting scenario, do share it via the comments.
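As an added check after renewal (example script written for this post, not part of the original post and not an SAP tool): a standard-library Python script that reports which landscape hostnames a wildcard certificate actually covers, applying the one-label wildcard rule that TLS clients use and preferring SAN entries over the CN, and how many days of validity remain, so that systems still carrying the old certificate are not missed. The certificate dictionary and hostnames are constructed sample values; fetch_cert() returns the same dictionary shape from a live endpoint.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443):
    """Peer certificate of a live TLS endpoint (e.g. a Web Dispatcher), same dict shape as SAMPLE_CERT."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, hostname):
    """RFC 6125 matching: '*' replaces only the leftmost label, so *.example.com
    covers s4.example.com but not a.b.example.com or example.com itself."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_names(cert):
    """Names a client will accept: SAN dNSName entries; the CN only counts when no SAN is present."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def check_coverage(cert, hosts, now=None):
    """Hosts not covered by the certificate, and days until its notAfter date."""
    names = cert_names(cert)
    uncovered = [h for h in hosts if not any(name_matches(n, h) for n in names)]
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    now = now or datetime.now(timezone.utc)
    return {"uncovered": uncovered, "days_left": (not_after - now).days}

# Constructed sample: wildcard CN plus SAN entries, as described for the PSE above.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "fiori-alias.example.com")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
# Constructed hostnames; the last one has an extra label and is therefore not covered.
SAP_HOSTS = ["s4hana.example.com", "fiori.example.com", "webdisp.example.com", "app.sub.example.com"]

if __name__ == "__main__":
    print(check_coverage(SAMPLE_CERT, SAP_HOSTS))
```

Run it against each Web Dispatcher or ICM endpoint with fetch_cert() once the new response has been imported everywhere; any host listed as uncovered or showing the old expiry still needs attention.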
Reference SAP Notes: 2148457 & 1473710