Creating the Server's Key Pair to Use for SSL
Use
To use SSL, the SAP J2EE Engine must possess a key pair, which consists of a public
key, which is distributed using an X.509 public-key certificate, and a corresponding
private key. Use the procedure below to create the key pair and public-key certificate on
the server.
For SSL, the server needs a key pair that is associated with the fully-qualified host name
that is used to access the server. If multiple hosts are accessed using the same fully-
qualified host name, then you only have to create one key pair and use it for all hosts.
For example, in a dual-stack system both the ABAP server and the J2EE Engine reside
on the same host and therefore use the same fully-qualified host name for access. In this
case, create the key pair on the ABAP server, export it, and then upload it on the J2EE
Engine.
For more information, see Exporting the SSL Key Pair from the ABAP System.
In addition, when creating a key pair to use for SSL, you must have the public key
certified by a Certificate Authority (CA). For this purpose, you will create a certificate
signing request (CSR), which you then send to the CA of your choice. The CA will send
you the corresponding signed public-key certificate in the form of a certificate request
response, which you then import into the keystore entry for which you created the
request.
Prerequisites
· The Key Storage service is running on the server.
· If you want to import an existing key pair, then this key pair must exist in the file
system as a PKCS#12 (Public-Key Cryptography Standard 12) file with the
extension .p12.
· The certificate request response that you receive from the CA must exist as a DER
(Distinguished Encoding Rules) or as a Base-64 encoded file.
Procedure
For each server process that is to support SSL:
1. Select the Key Storage service.
The available views appear. Entries corresponding to the selected view appear in
the Entries pane. An entry may be either a public-key certificate only or the
complete key pair. The type of entry is shown in the information pane with the
indicator PRIVATE KEY or CERTIFICATE along with the rest of the information
pertaining to the entry.
For more information about using the Key Storage service, see Key Storage
Service.
2. Select the service_ssl view.
Any available entries for the service_ssl view appear in the Entries pane.

By default, the SAP J2EE Engine uses the ssl-credentials entry for SSL, which contains
a public-key certificate that has been signed by a test CA. Although you can use this
certificate for testing purposes, we recommend using a certificate that has been signed
by a well-known, productive CA.
3. If no appropriate entry exists for using SSL, then create a new entry (choose Create)
or load an existing one from the file system (choose Load).
When creating an entry to use for SSL, the Key and Certificate Generation dialog
appears. Note the following:
● Specify the server’s fully-qualified host name as the Common Name part of the
Distinguished Name. Certain Web browsers produce a warning if the host name that
users use to access the server does not match the host name found in the
server’s public-key certificate.
● Select the Store certificate option to save the server’s public-key certificate separately
so that you can export it at a later time.
● Select RSA as the Algorithm to use.
4. If the corresponding certificate has not yet been signed by a CA, then:
a. Generate a certificate signing request. Select your entry, choose Generate CSR
Request and save it to a file.
b. Send the certificate signing request to a CA to be signed.
c. Save the certificate request response to a file in the file system. Use the
extension .crt (DER-encoded or Base-64 encoded) or .cert (Base-64 encoded).
d. Import the corresponding certificate request response. Choose Import CSR
Response and load the response from the file system.
For more information about managing keys and certificates in the Key Storage
service, see Managing Entries.
If you want to load the public-key certificate as a separate entry, then rename the file
before loading. Otherwise, because the SAP J2EE Engine uses the file name as the alias
when loading, it will replace the existing PRIVATE KEY entry with a CERTIFICATE entry
and the private key will be lost.
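The checks below are an added example, not part of the SAP documentation. Run with the openssl command-line tool against the CSR file saved in step 4a and the response file saved in step 4c, they confirm that the CSR carries the fully-qualified host name as Common Name with an RSA key, and that the CA's response belongs to that CSR before it is imported. Using openssl, the 2048-bit minimum, the host names and the file names are all assumptions, and the sample files are constructed locally.

```shell
# Added example, not SAP code. Assumes the openssl CLI; names below are placeholders.
MIN_BITS=2048   # assumed local policy, stricter than the 512/1024 offered in the dialog

csr_cn() {      # Common Name from the CSR subject
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

csr_bits() {    # public key length in bits
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

check_csr() {   # usage: check_csr CSR FQDN; returns 0 only if every check passes
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "$1: self-signature does not verify"; return 1; }
    [ "$(csr_cn "$1")" = "$2" ] || { echo "$1: CN is not $2"; return 1; }
    openssl req -in "$1" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption' ||
        { echo "$1: key is not RSA"; return 1; }
    [ "$(csr_bits "$1")" -ge "$MIN_BITS" ] ||
        { echo "$1: key shorter than $MIN_BITS bits"; return 1; }
}

cert_pubkey() { # the CA response may be Base-64 (PEM) or DER encoded
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -noout -pubkey
}

response_matches_csr() {   # usage: response_matches_csr CSR RESPONSE
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(cert_pubkey "$2")" ]
}

make_samples() { # constructed data in directory $1; self-signed certs stand in for a CA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/good.key" -out "$1/good.csr" \
        -subj "/C=DE/O=Example/CN=sap.example.com" 2>/dev/null
    openssl req -new -newkey rsa:1024 -nodes -keyout "$1/weak.key" -out "$1/weak.csr" \
        -subj "/C=DE/O=Example/CN=sap.example.com" 2>/dev/null
    openssl x509 -req -in "$1/good.csr" -signkey "$1/good.key" -days 1 \
        -outform DER -out "$1/resp.crt" 2>/dev/null
    openssl x509 -req -in "$1/weak.csr" -signkey "$1/weak.key" -days 1 \
        -out "$1/other.crt" 2>/dev/null
}

dir=$(mktemp -d) && make_samples "$dir"
check_csr "$dir/good.csr" sap.example.com && echo "good.csr: ok"
check_csr "$dir/weak.csr" sap.example.com || true
check_csr "$dir/good.csr" other.example.com || true
response_matches_csr "$dir/good.csr" "$dir/resp.crt" && echo "response matches CSR"
response_matches_csr "$dir/good.csr" "$dir/other.crt" || echo "other.crt: wrong key"
```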

Creating a Key Pair and Public-Key Certificate
Procedure
1. Open the Key Storage service Runtime tab.
2. Select the view for which you want to create a key pair and certificate, and choose Create.
The Key and Certificate Generation dialog appears.
3. In Subject Properties, specify the following properties for the certificate:
a. Country Name – specify the country two-letter code.
b. State/Province – specify the full name of your state or province.
c. Locality Name – specify the city, for example.
d. Organization Name – specify the name of the organization.
e. Organization Unit Name – specify the organization unit name.
f. Common Name – specify the common name.
To specify information for additional options such as initials, street address or title, select the
last empty field by double-clicking on it. Modify the property values in accordance with the
subject’s data.
4. In the Entry Name field, specify a name for the certificate.
5. Specify the certificate validity period in the Valid From and Valid To fields.
Enter the values using the format mm/dd/yy hh:mm <AM,PM>.
6. Specify the certificate key length in Key length. You can choose 1024 or 512 bits,
or specify another value as appropriate.
7. Choose the certificate algorithm in Algorithm. You can choose RSA (Rivest, Shamir,
Adleman), DSA (Digital Signature Algorithm) or DH (Diffie-Hellman).
8. If you want to store the generated certificate in the key storage, choose Store Certificate.
9. If you want to specify a Certification Authority key, choose the Select CA Key button and
select it from the list.
10. Choose the Generate button.

Steps for csr generation sap netweaver
