X509 based logon – 3 – Create a user certificate

Published by Tobias Hofmann on


The user needs a valid X.509 certificate to be able to log on at the SAP system (via the ICM service). This certificate is issued by the intermediate CA: create a CSR for the user and let the intermediate CA sign it. Following my own blogs, I get a certificate named tobias.crt.pem. The following commands assume that you are using my CA setup.

Create request for user certificate (CSR)

openssl req -out intermediate/csr/tobias.csr.pem -newkey rsa:4096 -nodes -keyout intermediate/private/tobias.key.pem -config intermediate/openssl_intermediate.cnf

Run this from the CA root directory (the paths start with intermediate/). -newkey generates a fresh 4096-bit RSA key for the user together with the request; -nodes writes that key to disk unencrypted, so treat tobias.key.pem as carefully as the PFX you will build from it.

Sign request by intermediate CA

openssl ca -config openssl_intermediate.cnf -extensions usr_cert -days 3050 -notext -md sha512 -in csr/tobias.csr.pem -out certs/tobias.crt.pem

Note that this command is run from inside the intermediate directory, since its paths are relative to it. usr_cert is the extension section of the intermediate config; check that it sets extendedKeyUsage = clientAuth, because this is a client certificate for TLS logon and not a server certificate. 3050 days is a little over eight years; a shorter validity limits the damage if the key sitting in the browser keychain is ever lost.

Result

I now have a key, a signing request and a certificate. The key and the certificate are needed to log on. The X.509 user certificate looks like this (shortened):

-----BEGIN CERTIFICATE-----
MIIHyjCCA7KgAwIBAgICIAAwDQYJKoZIhvcNAQENBQAwSTELMAkGA1UEBhMCREUx
CzAJBgNVBAgMAkJXMQ0wCwYDVQQKDAREZW1vMR4wHAYDVQQDDBVpbnQuaXRzZnVs
...
wJCKYDK6yxxhrKkgrg+kJ9vYzMpgqNUA1DuXX8+ckVpcMnjXEW5vJivt50/BtJL2
nfI0JuhlyZ6SDnsx5svy1uSAaeezUiWWOXpOasoEnGuhJJhDG2c+LTUsvcFE2MCh
29KtXiI1jPsi2/LE8F3EoK4aR+ex99otrN/yT6V3
-----END CERTIFICATE-----

This certificate needs to be added to the browser. I am using a Mac and will use Safari for logging in with my X.509 user certificate at NW ABAP. Convert the PEM certificate to PFX (PKCS#12) format. The PFX file will contain the user key, the certificate signed by the intermediate CA, and the CA chain. Secure the PFX file with a password; openssl pkcs12 -export prompts for it.

Example

openssl pkcs12 honours only the last -certfile option on the command line, so passing it twice (once for the root, once for the intermediate) silently drops the root certificate from the bundle. Concatenate the two CA certificates into one chain file first (chain.pem is just an arbitrary file name; paths are relative to the CA root, as in the CSR command):

cat rootca/certs/ca.itsfullofstars.de.crt.pem intermediate/certs/int.itsfullofstars.de.crt.pem > chain.pem

openssl pkcs12 -export -out tobias.pfx -inkey intermediate/private/tobias.key.pem -in intermediate/certs/tobias.crt.pem -certfile chain.pem

For Safari to be able to use this user certificate, import the PFX file into the macOS Keychain.

After the import, your user certificate is listed in the keychain. To see whether Safari can read it, open the SAP WebGui for HTML in Safari:

https://vhcalnplci:44300/sap/bc/gui/sap/its/webgui?sap-client=001

Safari should ask you to select a valid user certificate.
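The whole procedure above (user key and CSR, signing by the intermediate, bundling into a PFX, and the checks worth running before anything is imported into a keychain) as an added example that is not from the original post. It builds a throwaway root and intermediate CA with plain openssl req / openssl x509 -req instead of the blog's openssl_intermediate.cnf and CA database, so it runs anywhere OpenSSL is installed; all names, paths, key sizes and the password are assumptions. It also reproduces the -certfile pitfall: a PFX built with the option given twice ends up without the root certificate.

```shell
#!/bin/sh
# Added example, not the blog's own CA setup. Everything below is built in a
# temporary directory; names, subjects and the password "changeit" are assumptions.
set -eu

# Minimal OpenSSL config: the DN section is only a placeholder (subjects come
# from -subj); the other sections are the extensions for each certificate type.
write_cfg() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[usr_cert]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# build_demo_pki DIR: root CA, intermediate CA, user key + CSR + cert, chain, PFX.
build_demo_pki() {
  d="$1"; cfg="$d/openssl.cnf"
  write_cfg "$cfg"
  # Self-signed root (2048-bit keys keep the demo fast; the post uses 4096).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -days 30 -subj "/CN=Demo Root CA" -config "$cfg" -extensions v3_ca 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Demo Intermediate CA" -config "$cfg" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/int.crt" -days 30 -sha256 -extfile "$cfg" -extensions v3_int 2>/dev/null
  # User key + CSR, then the certificate signed by the intermediate (the post's two steps).
  openssl req -newkey rsa:2048 -nodes -keyout "$d/tobias.key.pem" -out "$d/tobias.csr.pem" \
    -subj "/CN=tobias" -config "$cfg" 2>/dev/null
  openssl x509 -req -in "$d/tobias.csr.pem" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/tobias.crt.pem" -days 30 -sha512 -extfile "$cfg" -extensions usr_cert 2>/dev/null
  # One chain file: openssl pkcs12 keeps only the LAST -certfile it is given.
  cat "$d/root.crt" "$d/int.crt" > "$d/chain.pem"
  openssl pkcs12 -export -out "$d/tobias.pfx" -inkey "$d/tobias.key.pem" \
    -in "$d/tobias.crt.pem" -certfile "$d/chain.pem" -passout pass:changeit
  # The pitfall, for comparison: root.crt is overridden by int.crt and never bundled.
  openssl pkcs12 -export -out "$d/tobias-bad.pfx" -inkey "$d/tobias.key.pem" \
    -in "$d/tobias.crt.pem" -certfile "$d/root.crt" -certfile "$d/int.crt" -passout pass:changeit
}

# Checks to run before importing anything into a keychain.
verify_user_chain() {   # exit 0 if the user cert chains to the root via the intermediate
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/tobias.crt.pem" >/dev/null
}
has_client_auth() {     # exit 0 if the cert carries the clientAuth extended key usage
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}
pfx_cert_count() {      # number of certificates bundled in a PFX
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit | grep -c 'BEGIN CERTIFICATE'
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
build_demo_pki "$WORK"
verify_user_chain "$WORK";              echo "chain: OK"
has_client_auth "$WORK/tobias.crt.pem"; echo "clientAuth EKU: present"
echo "certs in tobias.pfx:     $(pfx_cert_count "$WORK/tobias.pfx")"
echo "certs in tobias-bad.pfx: $(pfx_cert_count "$WORK/tobias-bad.pfx")"
```

pfx_cert_count prints 3 for the properly built bundle (user, intermediate, root) and only 2 for the one built with two -certfile options. openssl verify with -untrusted is the offline equivalent of what the ICM does at logon: the user certificate must reach the trusted root through the intermediate, and the intermediate on its own is not a trust anchor.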


Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests are something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.
