During installation of an SSL Certificate on a SAP system you may get the following error:
- “Incomplete FCPath, need certificate of CA” (CN=VeriSign Class 3 Public Primary Certification Authority – G5, OU=”(c) 2006 VeriSign, Inc. – For authorized use only”, OU=VeriSign Trust Network, O=”VeriSign, Inc.”, C=US)
- “import_own_cert: Installation of certificate failed”
- SAP systems want to see an the entire SSL Certificate Chain during installation of your SSL Certificate.
- You are not installing a PKCS7 (.p7b) format certificate.
Resolutions:
If you receive this error when you are installing an SSL Certificate from any CA you must have a complete Master pkcs#7 format certificate that includes the following..
- SSL Certificate
- Intermediate CA
- *Root Certificate*
Majority of all CA’s only include the SSL Certificate and its Intermediate CA within a pkcs7 format certificate thus why you are probably getting a chaining error when installing your standard pkcs7.
Typically roots are not required during installation, but some rare systems such as SAP or versions of Java may need it.
You will need to create a MASTER pkcs7 format certificate. One that contains the SSL Certificate, its Intermediate CA, and Root.
- Contact your Certificate Authority and ask for a Master pkcs7 format certificate that contains your SSL Certificate, Intermediate CA, and Root. Hopefully they can do this.
- Or create your own following the instructions below.
How to Create a Master pkcs7 format certificate from a regular pkcs7:
- Put the pkcs7 format with a .p7b extension on your desktop.
- Double click your pkcs7 (.p7b) to bring up the certmgr for it (This will automatically occur in windows systems)
- In the certmgr console double click the folder on the right pain of the certmgr
- Double click Certificates.
- You will see two certificates typically from standard pkcs7 format certificates.
- A certificate issued to your website, and the other being an intermediate.
- Right click your SSL certificate All Tasks > Click Export.
- The certificate Export Wizard will appear.
- Click Next.
- On the next screen Select Cryptographic Message Syntax Standard – PKCS # 7 Certificates (.P7B)
- Check the box Include all certificates in the certification path if possible.
Root certificates from any Certificate Authority are pre installed on browser’s, and Operating Systems. When you export your certificate and include this option the wizard will append all certificates to your in your ssl certificates chaining path including even the Root pulled from your operating system This option will make your Master pkcs7 format certificate to include both intermediate and root to form a complete chain.
- Click Next.
- Click Browse.. to Specify the name and path of the new Master pkcs7 file you want to save.
- After opening to the location you want to save your file click Next > Finish.
- Double click your newly created a Master pkcs7 .p7b certificate by repeating steps 1-6. You should now see a third certificate in the mix in the certmgr. This third added certificate should be a Root that goes along with your SSL Certificate and Intermediate CA forming a Complete Chain.
Congrats you have made a Master pkcs7 format certificate.
Continue with installation of this new master pkcs7 certificate into your SAP device.
If you are unable to use these instructions or still have the issue Acmetek recommends that you contact either the vender of your software or the organization that supports it.
SAP Support:
For more information, please refer to SAP Support