Show TOC

Sending the Certificate Requests to a CALocate this document in the navigation structure

Use

After you have generated a key pair and certificate request, you must send the certificate request to a CA to be signed. The response from the CA is a signed public-key certificate for the server.

Prerequisites

You can send the certificate request to the SAP CA or another CA of your choice. Note however, the trust manager requires that the certificate request response adheres to the PKCS#7 certificate chain format. This means that the response contains both the requester's signed public-key certificate as well as the CA's root certificate. As an alternative, the CA may issue a standalone certificate in PEM format. Note the following:

  • PKCS#7 certificate chain format

    In this case, the issuing CA provides the certificate request response in the necessary format. For example, the SAP CA provides the response in this format, or you can request this format from your CA.

  • PEM format

    As an alternative, you may receive a certificate request response from your CA in PEM format, which contains only the signed public-key certificate.

    In this case, the CA's root certificate must also exist in the database. The trust manager then automatically modifies the certificate request response so that it exists in the necessary format before importing it into the server's PSE.

Procedure

For each certificate request that you generated:

  1. If you saved the contents of the request to a file, then make sure the contents have not been corrupted during download. For example, if you generate the certificate request on a UNIX system and save it to a Windows front-end client, the line feeds and carriage returns may be replaced with special characters.

    To check the contents, open the certificate request with a text editor and repair any corrupt line feeds or carriage returns. Because many editors use hidden characters for formatting, use a text editor that does not support formatting features, for example, Notepad.

    The example below shows a correct certificate request.

    Example

    -----BEGIN CERTIFICATE REQUEST-----

    MIIBkzCCAVICAQAwWjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0FQLmNvbS

    BXb3JrcGxhY2UxDzANBgNVBAsTBlNBUCBBRzEOMAwGA1UECxMFQmFzaXMxDDAK

    BgNVBAMTA0JJTzCB7jCBpgYFKw4DAhswgZwCQQCSnauC/cAfQVrmOtWznQ9I+i

    4twoPq8wCE0Fk5EAVjQnX2oMqBnyoi+ee/ZH2cLwyhp5mOOw70+exS7PHEWKiF

    AhUAw9FSY1AsFV4U9fC9w+Bg5H4ISYcCQARcC+7q3UkM0TF0A5zRaq7viO3Wj2

    MwYUNwFkc0hxzhloUQd21megZADoFiisdzkn/nF4eIxV9vq9XxcV63xTsDQwAC

    QFher18UA8YkY4/zHe4mbupBXvDSucm2nbJuQ5PgDBvVaMmtpXIisyzuAFL+qC

    zQ92mkNqUR9JLWpz09ghQdISCgADAJBgcqhkjOOAQDAzAAMC0CFA7qEluP/Kfi

    +6HF/8I7j4NfF44xAhUAqkDgAeR3tzmNegKUTQ+JzeCXawE=

    -----END CERTIFICATE REQUEST-----

  2. Send the contents of the certificate request to the CA of your choice.

    The exact procedure to use depends on the CA that you use. For the SAP CA, follow the instructions provided by the SAP Trust Center Service at http://service.sap.com/tcsInformation published on SAP site.

Result

The CA will validate the information contained in the certificate request (according to its own policy) and return a response that contains the signed public-key certificate.