Channel: SCN : All Content - SAP NetWeaver Application Server

Subject Alternative Name (SAN) with sapgenpse (CommonCryptoLib)


A few days ago I saw (and answered) a question related to how to create an SSL server PSE with SAN.

Since this is not possible via STRUST, the alternative is the command-line tool sapgenpse.

Version 8.4.42 (or higher) is required so that the Subject Alternative Name can be added. More details can be found in point 4 of SAP Note 2209439.

 

A quick test:

sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSAN.pse -k GN-dNSName:myehp7system.mydomain.com

Please enter PSE PIN/Passphrase: *********
Please reenter PSE PIN/Passphrase: *********
get_pse: Distinguished name of PSE owner: CN=vertigo.mydomain.com, OU= SAP Active Global Support,OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP= Rio Grande do Sul, C=BR
Certificate Request:
  Signed Part:
    Subject     :CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
    Key:
      Key type    :rsaEncryption (1.2.840.113549.1.1.1)
      Key size    :2048
    Attributes:
      element#no="1":
        Type        :extensionRequest (1.2.840.113549.1.9.14)
        Value 1:
          Alternative names:
            Significance:Non critical
            Value:
              element#no="1":
                GeneralName :GN-dNSName:myehp7system.mydomain.com
  Signature:
    Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
    Signature bits ( size="2048" ):

PKCS#10 certificate request for "SAPSAN.pse":

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

 

 

Importing the response:

sapgenpse import_own_cert -c cert.p7b -p SAPSAN.pse

CA-Response successfully imported into PSE "SAPSAN.pse"

 

 

Checking the content:

sapgenpse get_my_name -p SAPSAN.pse

Subject               :   CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
Issuer                :   ...
Serialno              :   ...
KeyInfo               :   RSA, 2048-bit
Validity  -  NotBefore:   ...
             NotAfter :   ...
KeyUsage              :   digitalSignature keyEncipherment
ExtKeyUsage           :   ServerAuthentication ClientAuthentication
SubjectAltName        :   GN-dNSName:myehp7system.mydomain.com
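
The content check can also be scripted. The following is an added example, not part of the original post or of SAP's tooling: it reads get_my_name output and tests whether a hostname is covered by the dNSName entries, going one step beyond the post by also handling a wildcard in the left-most label. The function names and the abridged sample are constructed, and it assumes every SAN entry is printed as a GN-dNSName: token as in the output above.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a hostname is
# covered by the dNSName SAN entries printed by `sapgenpse get_my_name`.

# Constructed sample, abridged from the get_my_name output shown in the post.
sample_output() {
cat <<'EOF'
Subject               :   CN=vertigo.mydomain.com, OU=SAP Active Global Support, O=SAP, C=BR
KeyUsage              :   digitalSignature keyEncipherment
ExtKeyUsage           :   ServerAuthentication ClientAuthentication
SubjectAltName        :   GN-dNSName:myehp7system.mydomain.com
EOF
}

# san_names: read get_my_name output on stdin, print each dNSName lower-cased.
# Assumption: every entry appears as a "GN-dNSName:<name>" token.
san_names() {
    grep -o 'GN-dNSName:[^ ,]*' | sed 's/^GN-dNSName://' | tr 'A-Z' 'a-z'
}

# san_covers HOST: exit 0 if HOST matches a dNSName exactly or through a
# wildcard in the left-most label (*.example.com), exit 1 otherwise.
san_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    parent=${host#*.}                 # host without its left-most label
    names=$(san_names)
    while IFS= read -r name; do
        if [ -n "$host" ] && [ "$name" = "$host" ]; then return 0; fi
        if [ "$parent" != "$host" ] && [ "$name" = "*.$parent" ]; then return 0; fi
    done <<EOF
$names
EOF
    return 1
}

# Demo on the sample: the SAN host is covered, the CN host is not.
for h in myehp7system.mydomain.com vertigo.mydomain.com; do
    if sample_output | san_covers "$h"; then
        echo "$h: covered by SAN"
    else
        echo "$h: NOT covered by SAN"
    fi
done
```

For a real PSE, pipe the output of the get_my_name command above into san_covers. In the certificate shown, the CN host vertigo.mydomain.com is not among the SAN entries, so clients that match only dNSName entries when a SAN is present (the RFC 6125 rule) will not accept the certificate under that name.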

 

 

Now it is time to open the PSE via STRUST and save it as the SSL server PSE identity.

 

I created a new server identity, for testing purposes (Environment -> SSL Server Identities):

STRUST01.jpg

 

I used option File to open the PSE created:

STRUST02.jpg

 

Finally, I used menu PSE -> Save as... to replace the current PSE with the one created using sapgenpse:

STRUST03.jpg

 

The result: an SSL server PSE with SAN:

STRUST04.jpg

