SAP Commerce Cloud CCV2 — How to add SSL Certificate to the endpoints

Aswin Raghuraman
SAP Commerce Cloud
Jan 17, 2024

In this document, you will learn how to add or renew an SSL certificate on the endpoints for your custom domain.

By default, once an environment is provisioned in SAP Commerce Cloud (for example, the dev environment d1), the application endpoints are displayed under that environment.

Click Environments.

Click on d1 to see the details of the environment. All the public endpoints of the d1 environment are listed, each configured with a default URL to access the applications: Backoffice, Storefront, Solr, Background processing, API.

For these default URLs, SAP will provide SSL certificates and auto-renew those for you. However, if a custom domain URL is used, you need to add your own SSL Certificate and renew it promptly.

For example, for the below URLs, SAP will take care of SSL certificate renewal.

In the case of a custom domain, you have to install and renew the certificate yourself.

If you need to set up a new custom domain URL, check out my other story: Setting custom domain to the application endpoint (SAP Commerce Cloud CCV2)

The steps below will help you create and install the new SSL certificate.

Step 1: Create a CSR file

For SSL certificates, the first step is to create a certificate signing request (CSR).

There are multiple ways of creating this CSR file. I'll show you how to use the OpenSSL tool to generate one.

DigiCert provides a utility tool as well; check it out here. Store the generated private key, as it's needed during installation.

Create new CSR using OpenSSL

  1. Install OpenSSL for Windows from here [the Light version is fine, e.g. Win64 OpenSSL v3.1.2 Light].
  2. Create a file named mysan.cnf at the installed location, e.g. C:\OpenSSL-WinXX\bin.
  3. Add the configuration below to the file, including the SANs (Subject Alternative Names, i.e. the additional domains). For example, if you need to use the same certificate for all your applications (Backoffice, Storefront, Solr, Background processing, API), add all the sub-domain URLs, e.g. x.api.com.au and x.backoffice.com.au, as SANs when generating the CSR file:
[ req ]
default_bits = 2048
# Take the subject values from this file instead of prompting for them
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = AU
stateOrProvinceName = NSW
localityName = Sydney
organizationName = XXXX
commonName = x.com.au
[ req_ext ]
# Attach the SAN list below to the CSR
subjectAltName = @alt_names
[alt_names]
DNS.1=x.backoffice.com.au
DNS.2=x.api.com.au
DNS.3=x.backgroundprocessing.com.au
DNS.4=x.solr.com.au

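  4. Next, generate the CSR and private key with this command. The -nodes option leaves server.key unencrypted on disk, so restrict access to it.

openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config mysan.cnf

  5. Convert server.key to RSA format using the command below. With OpenSSL 3.x, the -traditional option is what makes the rsa command write the traditional RSA (PKCS#1) form, which begins with -----BEGIN RSA PRIVATE KEY-----; without it the output stays in PKCS#8 form.

openssl rsa -in server.key -traditional -out myserver.key

Now the myserver.key file is in the required RSA format. Keep the private key (server.key) safe, as it is required to install the certificate in the SAP Commerce portal.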

Verification

To verify the CSR for SAN:

  1. Open the command prompt as an administrator, go to the OpenSSL tool directory C:\OpenSSL-WinXX\bin and run:
openssl req -noout -text -in server.csr

  2. Under Subject Alternative Name, the DNS names for which the generated CSR file is valid must appear:

DNS:x.backoffice.com.au, DNS:x.api.com.au, DNS:x.backgroundprocessing.com.au, DNS:x.solr.com.au

Step 2: Order the SSL Certificate

  1. Go to your preferred SSL certificate provider, such as DigiCert or Let's Encrypt.
  2. Order your multi-domain SSL certificate. Provide your generated CSR file and all the domains to be added.
  3. Once the order is fulfilled, you will receive multiple files from the provider.

a) Certificate file

b) Intermediate certificate file

c) Root certificate file

Step 3: Install the SSL Certificate in the SAP Commerce Portal

  1. Log in and navigate to SAP Portal → Security → SSL Certificates → Create

2. Create the new certificate

Name: Any preferred name, e.g. certificate_<created date>

Description: Any preferred description, e.g. certificate created on <date> and expires on <date>

Certificate File:

Copy and paste the contents of the domain certificate file here (from the list of files received from the SSL certificate provider).

Key File:

Copy & paste the content of the private key file in this box.

If the private key is lost, we need to create a new CSR. The key is generated along with the CSR file. Then provide the new CSR to the provider to generate the new certificate to install or renew.

CA Certificate File:

Here we need to import the contents of two certificate files received from the provider, the intermediate certificate and the root certificate, in the sequence below.

Intermediate certificate

Root certificate

Copy the contents into this field in that sequence: the intermediate certificate first, then the root certificate. The order must be followed to avoid certificate errors.

Then save the certificate. It should save without any issues if the steps are followed as mentioned.

The new certificate should now be listed under the SSL Certificates tab.

Step 4: Link the new certificate to the endpoints

  1. Navigate to the environment and go to the endpoints page

2. Click on the endpoint and select the new certificate from SSL Certificate dropdown.

3. Save the configuration.

Note that a deployment is required to ensure the SSL certificate is linked to the applications.

Once you do it for all the mentioned endpoints across envs, the job is done. Pat yourself and have a chocolate :)

Certificate verification for expiry

We can use the below URL to verify the expiration date — https://trackssl.com/online-ssl-certificate-checker/
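The checks behind Step 3 and the expiry verification can also be run locally before anything is pasted into the portal. The script below is an added example, not part of the original article: it confirms that the key matches the certificate, that the CA bundle starts with the intermediate, that the SANs cover every endpoint, and that expiry is not near. It assumes a POSIX shell with OpenSSL 1.1.1 or later (for example Git Bash or WSL on Windows); the function and file names are illustrative, and the sample chain is a throwaway one generated on the fly.

```shell
#!/bin/sh
# Pre-upload checks for the portal's Certificate File, Key File and
# CA Certificate File fields. All file and function names are illustrative.

key_matches_cert() {   # <cert> <key>: 0 if both carry the same public key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

bundle_order_ok() {    # <cert> <bundle>: 0 if the bundle's first cert issued <cert>
  [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$2" -noout -subject_hash)" ]
}

missing_sans() {       # <cert> <name>...: prints expected names absent from the SANs
  cert=$1; shift; rc=0
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName |
         tr ',' '\n' | sed -n 's/^ *DNS://p')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "$name" || { echo "$name"; rc=1; }
  done
  return $rc
}

valid_for_days() {     # <cert> <days>: 0 if still valid <days> days from now
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample data: throwaway root -> intermediate -> leaf, 30 days each.
make_demo() {          # <dir>
  d=$1
  newreq() { openssl req -newkey rsa:2048 -nodes -keyout "$d/$1.key" \
               -out "$d/$1.csr" -subj "/CN=$2" 2>/dev/null; }
  sign() { openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.crt" -CAkey "$d/$2.key" \
             -CAcreateserial -extfile "$d/$1.ext" -days 30 -out "$d/$1.crt" 2>/dev/null; }
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
    -out "$d/root.crt" -subj "/CN=Demo Root" -days 30 2>/dev/null
  echo 'basicConstraints=CA:TRUE' > "$d/int.ext"
  echo 'subjectAltName=DNS:x.backoffice.com.au,DNS:x.api.com.au' > "$d/server.ext"
  newreq int "Demo Intermediate" && sign int root
  newreq server "x.com.au" && sign server int
  cat "$d/int.crt" "$d/root.crt" > "$d/ca-bundle.pem"        # intermediate, then root
  cat "$d/root.crt" "$d/int.crt" > "$d/ca-bundle-wrong.pem"  # reversed order
}

dir=$(mktemp -d) && make_demo "$dir"
key_matches_cert "$dir/server.crt" "$dir/server.key" && echo "key matches certificate"
bundle_order_ok "$dir/server.crt" "$dir/ca-bundle.pem" && echo "CA bundle order ok"
missing_sans "$dir/server.crt" x.api.com.au x.solr.com.au || echo "^ not covered by SANs"
valid_for_days "$dir/server.crt" 14 && echo "valid for 14+ days"
```

To use it on real files, skip make_demo and pass the certificate, key and CA bundle received from the provider to the four check functions.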

Hope this article is useful and you learned something!

If you liked the document, clap and follow me for more posts :)
