SAP JAVA HTTPS Cert update with SAN entry
Steps
- Log in as sidadm
- Set the environment variable SECUDIR to /usr/sap/<SID>/<Instance>/sec
- Take a backup of all files under /usr/sap/<SID>/<Instance>/sec
- Generate a new PSE with a SAN entry
  - sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p <SID>J2eeSystemSAN.pse -k GN-dNSName:<hostname with fqdn>
  - Provide Password : *********
  - Provide Distinguished name of PSE owner : CN=<hostname with fqdn>
  - <SID>J2eeSystemSAN.pse is created and the CSR is printed to the screen. Copy it and submit it to the issuing Certificate Authority (such as Entrust) to get the response.
- Once you get the response from the CA (Certificate Authority), you may need to add the root and/or intermediate certificates as well.
- Once the response is available, copy it to the server as <SID>JavaSSL.csr
- Import the CA response (<SID>JavaSSL.csr) into the PSE
  - sapgenpse import_own_cert -c <SID>JavaSSL.csr -p <SID>J2eeSystemSAN.pse
- To upload the certificate in NWA/Visual Admin, convert the PSE to a p12 file
  - sapgenpse export_p12 -p <SID>J2eeSystemSAN.pse -x <PSE Password> -z <PSE Password> <SID>_SSL_<Hostname>
- For 7.0X or lower systems (Visual Admin)
  - Load this p12 file in KeyStorage -> service_ssl; it will ask for the PSE password.
  - Add the name of the new entry created in the step above in the Server Identity tab under Dispatcher -> Services -> SSL Provider via Visual Admin
- For systems > 7.0X (NWA)
  - Check the keystore used for SSL in NWA -> Configuration -> SSL
  - Import the p12 file in NWA -> Configuration -> Certificate & Keys -> <keystore found in above step> (normally ICM_SSL_<Instance ID>); it will ask for the password
  - Take a backup of the existing SSL private key, if any, by exporting it
  - Delete the old private SSL key if there are now two keys after the import of the newly generated p12 file
- Restart ICM
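
A check to run on the CA response before the import_own_cert step, as an added example that is not part of the original procedure: it confirms the certificate really carries the dNSName requested with -k GN-dNSName. It assumes openssl is available and the response is a PEM X.509 certificate; the host name sapj01.example.com and the sample certificate text are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Real use, assuming openssl and a
# PEM-encoded response:
#   openssl x509 -in <SID>JavaSSL.csr -noout -text | san_has_dns <hostname with fqdn>

# Print every dNSName in the SAN extension, one per line, lowercased.
list_san_dns() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }  # values follow on the next line
        grab {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", entry)            # trim surrounding blanks
                if (entry ~ /^DNS:/) print tolower(substr(entry, 5))
            }
            grab = 0
        }'
}

# Succeed only when the FQDN is an exact SAN entry. A plain substring grep
# would also accept "xsapj01.example.com" or "sapj01.example.com.evil.test".
san_has_dns() {
    [ -n "$1" ] || return 2
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    list_san_dns | grep -Fx -- "$want" >/dev/null
}

# Constructed sample: the extension part of "openssl x509 -text" output.
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:sapj01.example.com, DNS:sapj01
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

if printf '%s\n' "$SAMPLE_TEXT" | san_has_dns "sapj01.example.com"; then
    echo "SAN present: safe to run import_own_cert"
else
    echo "SAN missing: do not import, re-issue the request"
fi
```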