X509 based logon – 3 – Create a user certificate
The user needs a valid X.509 certificate to be able to log on at the SAP system (via the ICM service). This certificate is issued by the intermediate CA: create a CSR for the user and let the intermediate CA sign it. Following my own earlier blog posts, I end up with a certificate named tobias.crt.pem. The following commands assume that you are using my CA setup.
Create request for user certificate (CSR)
# run from the CA root directory: the intermediate CA's csr/, private/ and config live below intermediate/
openssl req -out intermediate/csr/tobias.csr.pem -newkey rsa:4096 -nodes -keyout intermediate/private/tobias.key.pem -config intermediate/openssl_intermediate.cnf
Sign request by intermediate CA
# run from the intermediate CA directory: csr/, certs/ and openssl_intermediate.cnf are relative to it
# usr_cert is the end-user extension profile from the intermediate config; -days 3050 is about 8.3 years of validity
openssl ca -config openssl_intermediate.cnf -extensions usr_cert -days 3050 -notext -md sha512 -in csr/tobias.csr.pem -out certs/tobias.crt.pem
Result
I now have a key, a signing request and a certificate. The key and the certificate are needed to be able to log on. The X.509 user certificate is a PEM-encoded file: a base64 block between BEGIN CERTIFICATE and END CERTIFICATE lines.
This certificate needs to be added to the browser. I am using a Mac and will use Safari for logging in with my X.509 user certificate at NW ABAP. Convert the PEM key and certificate to PFX (PKCS#12) format. The PFX file will contain the user key and the certificate signed by the intermediate CA, together with the CA certificates. Secure the PFX file with a password.
Example
# openssl pkcs12 accepts only one -certfile (a second -certfile replaces the first), so put both CA certificates into one chain file
cat intermediate/certs/int.itsfullofstars.de.crt.pem rootca/certs/ca.itsfullofstars.de.crt.pem > chain.pem
# export key + user certificate + CA chain; openssl prompts for the export password that protects the PFX
openssl pkcs12 -export -out tobias.pfx -inkey tobias.key.pem -in tobias.crt.pem -certfile chain.pem
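Before importing the PFX it is worth checking what you actually produced. The script below is an added example of my own (not from the blog's CA setup or the openssl project): it builds a throwaway root / intermediate / user chain with hypothetical names, signed with "openssl x509 -req" instead of the "openssl ca" database, and then runs the checks I would apply to tobias.crt.pem and tobias.pfx: chain validation, key/certificate match, the clientAuth extended key usage, and the number of certificates inside the PFX. It assumes a POSIX sh and openssl on PATH.

```shell
#!/bin/sh
# Added example, not from the blog: build a throwaway root -> intermediate -> user chain
# (hypothetical names, signed with "openssl x509 -req" instead of the blog's "openssl ca"
# setup) and then run the checks worth doing on tobias.crt.pem / tobias.pfx before import.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
PASS=pass:constructed-demo-password   # constructed export password protecting the PFX

# issue a certificate: $1 = name, $2 = extension file, $3/$4 = issuer cert/key (empty = self-signed)
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.crt" -days 30 -extfile "$2" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial -out "$1.crt" -days 30 -extfile "$2" 2>/dev/null
  fi
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # user profile: what a usr_cert section typically carries for TLS client logon
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > usr.ext
  issue root ca.ext "" ""
  issue int ca.ext root.crt root.key
  issue tobias usr.ext int.crt int.key
  # PFX with the whole chain: one -certfile holding both CA certs (a second -certfile would replace the first)
  cat int.crt root.crt > chain.pem
  openssl pkcs12 -export -out tobias.pfx -inkey tobias.key -in tobias.crt -certfile chain.pem -passout "$PASS"
}

# 1. the user certificate must chain to the root through the intermediate
verify_chain() { openssl verify -CAfile root.crt -untrusted int.crt tobias.crt >/dev/null 2>&1; }
# 2. the private key must belong to the certificate (compare the public keys)
key_matches_cert() { [ "$(openssl pkey -in tobias.key -pubout)" = "$(openssl x509 -in tobias.crt -pubkey -noout)" ]; }
# 3. the certificate must be allowed for TLS client authentication
has_client_auth() { openssl x509 -in tobias.crt -noout -text | grep -q 'TLS Web Client Authentication'; }
# 4. the PFX must carry user + intermediate + root (3 certificates)
pfx_cert_count() { openssl pkcs12 -in tobias.pfx -nokeys -passin "$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

build_chain
printf 'chain: %s  key: %s  clientAuth: %s  certs in pfx: %s\n' \
  "$(verify_chain && echo ok)" "$(key_matches_cert && echo ok)" "$(has_client_auth && echo ok)" "$(pfx_cert_count)"
```

Run the same four checks against the real tobias.key.pem, tobias.crt.pem and tobias.pfx by substituting the file names; a PFX that reports fewer than three certificates was built without the full chain.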
For Safari to be able to use this user certificate, import the PFX file into the macOS Keychain.
After the import, your user certificate is included in the keychain. To see if Safari can read your user certificate, open SAP WebGui for HTML in Safari.
https://vhcalnplci:44300/sap/bc/gui/sap/its/webgui?sap-client=001
Safari should ask you to select a valid user certificate.