Creating the Server's Key Pair to Use for SSL

1. Logon to the Netweaver Administrator :

http://<hostname>:<port>/NWA

2. Navigate to :Configuration Management > System > Certificate and Keys.

3. From the list of Keystore Views, select the ICM_SSL_<instance_ID>.
The contents of the selected keystore view appear.

By default, these keystore views contain a key pair that is created during installation for using
SSL on the AS Java.
This key pair is signed by a testing CA, therefore we recommend that you limit the use of the
default certificate to testing purposes.

4. Choose each entry “ssl-credentials” and “ssl-credentials-cert” and choose <Delete>

Confirm Deletion :

Page 1
5. Choose <Create

The following “Add New Key Storage Entry “wizard that appears :

Entry Name ssl-credentials

Algorithm RSA
Key Length 1024
Valid from Todays date
Valid to accept default value
Store Certificate Select
For Example :

Page 2
Choose <Next>
Add the following details :
Country Name GB
Organisation Name Company Name
Common Name Fully Qualified URL

For example :

Page 3
Choose <Next>

Choose <Next>

Page 4
 Choose <Finish>
This will take you back to the original Page :

Choose the “ssl-credential” entry and select <Generate CSR

Request> :
Select Format “Base64 encoded “ , and Link “Download”

Save the fiole to your desktop as “ssl-credentials.txt”.

Generate CSR Request

1. Open the File with Notepad :

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIBezCB5QIBADA8MQswCQYDVQQGEwJHQjEOMAwGA1UEChMFR01QVEUxHTAbBgNV
BAMTFGdtcHNzbXFhcy5nbXBzYXAuaW50MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQCqONd8ubwkww+Nb5tAc9bKhXBJ0hJpl0aXoKpyC2Pa/ERLY2Ac+PgnJC1I
JU5UVqEBVhFKVlnQGFQOwVfSVGdx1L39jriX01bGPzeOat6/Rm9YQbHJQ84PDbNO
IMarT/6+LY5iJZ2fF5WGBzAjyAwgltpUnUUT37HjluT+hEcZ9wIDAQABoAAwDQYJ
KoZIhvcNAQEEBQADgYEAcr98D2KHj+jKzVtOdSwO4egtS1wFQ9jbBWBK1Bu5DH+i
4GtWRzliFg6uvcvP2AbfUO30KNoDZ9cn7hfXxIP8jk40WGKZtU0xW3iISItUUfoC
sXftO9u3juSpm8k3c9uvWLFlE+ztcuUAxEXIZ3yNNJPFLFIqyasF6j+WO43lrD8=
-----END NEW CERTIFICATE REQUEST-----

2. The Certificate needs to be signed by a Certified CA .

Signing the Certificate is not documented here as it depends on
which CA you use.

Page 5
 Test SAP SSL Certificates can be obtained from
http://service.sap.com/tcs
3. The following is a sample of the Signed Test SSL Certificate from
SAP :

-----BEGIN CERTIFICATE-----
MIICgjCCAeugAwIBAgIOUJ30jKCoDEgQAwEADNcwDQYJKoZIhvcNAQEFBQAwUDEL
MAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVzdCBDb21tdW5pdHkxDzANBgNV
BAsTBlNlcnZlcjESMBAGA1UEAxMJU2VydmVyIENBMB4XDTEwMTExNjEwMjIwMloX
DTExMDExNTEwMjIwMlowWzELMAkGA1UEBhMCREUxHDAaBgNVBAoTE1NBUCBUcnVz
dCBDb21tdW5pdHkxDzANBgNVBAsTBlNlcnZlcjEdMBsGA1UEAxMUZ21wc3NtcWFz
LmdtcHNhcC5pbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKo413y5vCTD
D41vm0Bz1sqFcEnSEmmXRpegqnILY9r8REtjYBz4+CckLUglTlRWoQFWEUpWWdAY
VA7BV9JUZ3HUvf2OuJfTVsY/N45q3r9Gb1hBsclDzg8Ns04gxqtP/r4tjmIlnZ8X
lYYHMCPIDCCW2lSdRRPfseOW5P6ERxn3AgMBAAGjVDBSMAwGA1UdEwEB/wQCMAAw
EwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBQP
Sz6jNosDnAOmYLLIOUzABhrPGTANBgkqhkiG9w0BAQUFAAOBgQA1O0y692nwBvIm
WrZ23D5hRMwMRLONjxs3Fp/fbiPfDult9ZogpkamaOlXdshdXIz9MN8JVg4deKag
uvvk3LyazVNjPjoZSeyd0/ulHb4CFrK/ETPufcn9YfljQw24EURUKlzXBX8GGbfn
qec1Z/mQaG2K7oCdsf90foM/l++7QA==
-----END CERTIFICATE-----

4. Save the signed certificate as “ssl-credentials.crt" i.e. X509 format

Select the “ssl-credentials” entry and choose <Impory CSR
Response>

5. Browse to the saved “ssl-credentials.crt” file

Select it and press <Add>

Page 6
6. The entry will be added to the CSR Response List .
Choose <Import>

7. The entry will be added and be displayed :

Page 7
 Note : The above example screen shot uses a “test” certificate, with
an expiry of 3 months.
This is why the entry shows with a “yellow” warning triangle.

8. Restart the J2EE Engine.

Page 8