To import an existing key pair or a trusted X.509 client certificate, the key pair must exist in the file system in a specific format. For more information about the supported formats, see How to Use Key Storage.
The certificate request response that you receive from the CA must exist as a DER (Distinguished Encoding Rules)-encoded file or as a Base64-encoded file.
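A pre-import check for the encoding requirement above, as an added example that is not part of the SAP documentation: it classifies a CA response file as DER or Base64 before you upload it. It assumes the response is an ASN.1 SEQUENCE at the outer level; the function names and the sample bytes are constructed for illustration, and the check is structural only (it does not validate signatures or certificate contents).

```python
import base64
import binascii
import re

# PEM-style armor around a Base64 body, e.g. BEGIN/END CERTIFICATE.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose length field matches."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                              # short form: one length byte
        header, length = 2, first
    else:
        n = first & 0x7F                          # long form: n length bytes
        if n == 0 or n > 4 or len(data) < 2 + n:  # n == 0 is indefinite (BER only)
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    # Truncated downloads and trailing garbage both fail this equality.
    return header + length == len(data)


def classify_response(data: bytes) -> str:
    """Return 'DER', 'Base64' or 'unknown' for the content of a response file."""
    if der_sequence_ok(data):
        return "DER"
    match = PEM_RE.search(data)
    body = match.group(2) if match else data      # accept bare Base64 too
    try:
        decoded = base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "Base64" if der_sequence_ok(decoded) else "unknown"


# Constructed sample: a 300-byte SEQUENCE of zeros, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("pem", SAMPLE_PEM),
                       ("truncated", SAMPLE_DER[:-10])]:
        print(name, classify_response(blob))
```

A result of `unknown` usually means a truncated transfer or a file altered by a text-mode copy; request the response again rather than editing it by hand.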
You can use the procedure below to configure the key pair and trusted client certificates to use for establishing SSL connections on the AS Java. You create a new key pair or upload an existing key pair or a trusted X.509 client certificate from the file system.
For SSL, the server needs a key pair that is associated with its fully-qualified host name that is used to access the server. If multiple hosts are accessed using the same fully-qualified host name, then you only have to create one key pair and use it for all hosts.
Using the Key Storage management functions of the SAP NetWeaver Administrator, open the Content tab. For more information about managing keys and certificates in the Key Storage, see Managing Entries.
From the list of Keystore Views, select the ICM_SSL_<instance_ID> or one of the ICM_SSL_<instance_ID>_<port> keystore views. The contents of the selected keystore view appear.
By default, these keystore views contain a key pair that is created during installation for using SSL on the AS Java. This key pair is signed by a testing CA; therefore, we recommend that you limit the use of the default certificate to testing purposes.
By default, the AS Java uses the ICM_SSL_<instance_ID> view for setting up an SSL connection. The ICM_SSL_<instance_ID>_<port> views are used for setting up additional ports for SSL connections. For more information about these views, see Additional SSL Ports.
Proceed as shown in the table below to configure the key pair and trusted client certificates to use for SSL connections:
| Task | Procedure |
|---|---|
| Import a saved key pair entry | |
| Import trusted X.509 client certificates for SSL | Note: To use SSL with client certificates, you also have to configure the VCLIENT parameter for the instance profile of the AS Java ICM. For more information, see Maintaining ICM Parameters for SSL. |
| Create new key pair entry to use for SSL | |
| Generate a certificate signing request: | Note: You need to perform this configuration step if the corresponding certificate has not yet been signed by a CA. We recommend that you use a well-known CA that your client systems trust for signing the SSL keys. |
Restart the SSL service of the AS Java to make the SSL key pair change effective.
The server possesses a public and private key pair to use for SSL. To verify that the import was successful, select the private key entry. The certificate should contain the name of the CA as the issuer.
Continue with Testing the SSL Connection.