Certificate Error Popups in the Browser

Use

Certificates work only if both the server and client have certificates that have a common root signing. The server and the browser often have certificates that are not mutually accepted or have an expired certificate.

For an example of how a certificate error behaves in a browser, log on to a test system with a browser, assuming this system has an erroneous certificate. If certificates are configured incorrectly, the error message Certificate Error: Navigation Blocked appears.

The following figure shows an example of this error message:

Example of certificate error message in the browser

Choose Continue to this website (not recommended) to see a security report of the certificate error.

Choose Certificate Error (Security Report) and then View certificates for more information.

The following figure shows an example of the certificate information in the browser:

Certificate information in the browser

Similarly, when you call the same URL in SAP Business Client, a corresponding error message is displayed. For example, log on to a test system with SAP Business Client. If certificates are incorrect, a security message appears. To display more information about the certificates, choose the View Certificates pushbutton.

The following figure shows an example of the certificate information in SAP Business Client:

Certificate Information in SAP Business Client

There are a number of possible reasons for a certificate failure. The following table summarizes common causes:

Problem	Description	Possible Solution
The certificate has not been trusted.	The browser did not trust the certificate issued by the server and required the user to intervene and determine if trust should be established or not. When users connect to your SAP system with their browser, a security alert appears indicating that the user does not trust the certificate issued by the server.	Install the server certificate. Refer to your browser documentation for details. Alternatively, if you are using self-signed certificates, consider using a certification authority (CA) signed certificate. This prevents the situation where all users must face this alert. More information: Protecting the Application Server's Keys
The certificate has expired.	The server certificate has expired. The browser did not trust the certificate issued by the server and required the user to intervene and determine if trust should be established or not.	We recommend to obtain a new valid certificate. The exact procedure for obtaining the certificate depends on the CA. For the SAP CA, follow the instructions provided by the SAP Trust Center Service at http://service.sap.com/tcs.
The name on the certificate does not match the name in the URL.	The browser has determined that the subject of the certificate issued by the server does not match the name used in the URL. This requires the user to intervene and determine if the user still wants to connect to the target system.	Make sure the name in the certificate subject and the name in the URL match. Change the URL that took the user to your server. Use the correct domain name that appears in the subject of the certificate. If this is not possible, install a new certificate with the correct domain name in the subject.

Problem

Description

Possible Solution

The certificate has not been trusted.

The browser did not trust the certificate issued by the server and required the user to intervene and determine if trust should be established or not. When users connect to your SAP system with their browser, a security alert appears indicating that the user does not trust the certificate issued by the server.

Install the server certificate. Refer to your browser documentation for details. Alternatively, if you are using self-signed certificates, consider using a certification authority (CA) signed certificate. This prevents the situation where all users must face this alert.

More information: Protecting the Application Server's Keys

The certificate has expired.

The server certificate has expired. The browser did not trust the certificate issued by the server and required the user to intervene and determine if trust should be established or not.

We recommend to obtain a new valid certificate. The exact procedure for obtaining the certificate depends on the CA. For the SAP CA, follow the instructions provided by the SAP Trust Center Service at http://service.sap.com/tcs Information published on SAP site .

The name on the certificate does not match the name in the URL.

The browser has determined that the subject of the certificate issued by the server does not match the name used in the URL. This requires the user to intervene and determine if the user still wants to connect to the target system.

Make sure the name in the certificate subject and the name in the URL match.

Change the URL that took the user to your server. Use the correct domain name that appears in the subject of the certificate.
If this is not possible, install a new certificate with the correct domain name in the subject.

In summary, certificate errors in SAP Business Client are observed similarly when a browser is started for the same URL. Such errors are not related to NWBC, but they represent problems in the configuration of the underlying digital certificate infrastructure (either server-side or client-side).