I supplied an EV multidomain to an Org
The hostname that will be used for the SAS web app is a SAN
The SAS installer said he needs FQHN (FQDN?) that is CN of the SSL. That's why he said he needs Single or Wildcard ssl. Is this true? So EV multidomain won't work?
Can they just reissue the EV multidomain with CN as the SAS hostname?
Can someone please help? Anyone had a similar experience? Thanks.
Nice question, thank you.
For starters, I would believe in your consultant installing SAS. And if you don't and you look for an official answer, the best way to go is to discuss with SAS Technical Support.
Now, I can give you my personal experience and personal opinions.
I cannot foresee issues with EV multidomain, regarding SAS, as long as the certificate or certificates contain the FQDN of the server, and the certificate path and the private key, all of them in PEM (base64) format. SAS is really no different from any other application in this matter, because the Web Server for SAS is from the Apache family. Those are your constraints.
If a web server (apache) in this host contains this certificate and you can connect to it from a web browser without trouble, it will be OK too for the deployment of SAS. You can play with it and demo it in that way.
Besides this, you can ask your CA to reissue the certificate with anything you need, that is resolvable in the network and your server itself. The fully qualified internal hostname might be needed if the deployment will start with an internal-only deployment.
Does it help?
Hey thanks for your replies
The installer had no issues installing the SSL. BUT the SAS server isn't sending the Intermediate certificate to the visitor. Hence you can only access it with no "Insecure connection" warning in certain browsers and under certain circumstances (like if you already visited a site that sends the same Intermediate certificate).
The installer was originally given 3 PEM files - server.crt, bundle.crt and private.key . We combined the server and bundle crt into 1 crt and he installed it but still no change.
I don't know how he installed the SSL on the SAS server and I'm not familiar with SAS. How do you make the SAS server send the Intermediate certificate to the visitor so the SSL chain is complete? I've read a bit of SAS documentation and it says to install the "certificates" on Windows CA store and Private JRE, which he claims he already did. This is SAS 9.4 (I don't know the MR) on Windows.
I've asked him to create a ticket with tech support. Hopefully they find a solution soon.
The certificate chain should be imported also at client side. On the Windows, and/or mobile certificate stores. If the client uses Chrome as web browser, then that Chrome should incorporate the certificate chain, since Chrome has its own certificate store.
So SAS web server can't/won't send the Intermediate along with the Server certificate to the visitor? Is this a SAS limitation? Can someone point me to documentation highlighting this?
In comparison, a site with ssl on IIS can/will send Intermediate and Server certificates to visitor so no need to install the Intermediate in CA stores of his browser or OS.
So every SAS client that connects to SAS web server should have the Intermediate in their Windows CA store or the browser CA store depending on the browser used?
The SAS 9.4 Web Server (which includes Apache Web Server) can be configured to send the certificate chain to a web browser client. As long as the root certificate of the chain is in the browser CA store (as you would expect for an EV cert) then you should not need to make any changes to the browser. I don't have an EV certificate to test with my SAS mid-tier, but do have an intermediate CA with a self-signed root CA. I only have to add the self-signed root CA cert to the browser CA store because it is not already there.
Using openssl s_client I can see the whole certificate chain being sent back by the SAS Web Server (edited version below):
    openssl s_client -showcerts -connect sasserver.example.com:8343
    CONNECTED(00000003)
    depth=2 C = AU, O = Example, CN = Example Root CA
    verify return:1
    depth=1 C = AU, O = Example, CN = Example Sub CA2
    verify return:1
    depth=0 C = AU, O = Example, CN = sasserver.example.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=AU/O=Example/CN=sasserver.example.com
       i:/C=AU/O=Example/CN=Example Sub CA
    -----BEGIN CERTIFICATE-----
    **** PEM encoded server cert here ****
    -----END CERTIFICATE-----
     1 s:/C=AU/O=Example/CN=Example Sub CA
       i:/C=AU/O=Example/CN=Example Root CA
    -----BEGIN CERTIFICATE-----
    **** PEM encoded Example Sub CA cert here ****
    -----END CERTIFICATE-----
     2 s:/C=AU/O=Example/CN=Example Root CA
       i:/C=AU/O=Example/CN=Example Root CA
    -----BEGIN CERTIFICATE-----
    **** PEM encoded Example Root CA cert here ****
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=AU/O=Example/CN=sasserver.example.com
    issuer=/C=AU/O=Example/CN=Example Sub CA
    ---
In my /opt/sas94m5/config/Lev1/Web/WebServer/conf/extra/httpd-ssl.conf file I have the following:
    SSLCertificateFile "ssl/sasserver.example.com.crt"
    SSLCertificateKeyFile "ssl/sasserver.example.com.key"
    SSLCertificateChainFile "ssl/sasserver.example.com-ca-chain.crt"
The /opt/sas94m5/config/Lev1/Web/WebServer/ssl/sasserver.example.com-ca-chain.crt file specified in SSLCertificateChainFile contains the PEM encoded CA certs (intermediate then root).
When I do my SAS 9.4 server install I break it into phases:
1) install-only (no deploy) to get a populated sashome
2) add my custom CA certs (intermediate and root) to SAS Trusted CA Bundle - see Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager
3) deploy-only to get populated Lev1
If you have an EV cert from a well known CA then I imagine you will have skipped 2 (or only added the intermediate) and perhaps combined 1 & 3 into a single step.
Looking at my recorded deployment response file, I can only see the server cert specified and looking at my notes I don't see any references to SSLCertificateChainFile, however based on the name of the file I highly suspect it was a manual post-deployment change to the Apache config by me - along the lines of Updating the Key and Certificate That Are Used by SAS Web Server but with a SSLCertificateChainFile that contains the PEM encoded intermediate and root certs.
From memory, with the SAS Deployment Wizard Typical level of prompting, you get to specify the server cert and key files (but not chain file).
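A client-side check for the problem discussed in this thread, a server that sends only its own certificate and no intermediate (added example, not from any poster or from SAS): the function reads `openssl s_client -showcerts` output and verifies that each certificate's issuer is the subject of the next one sent. The function name `chain_report` and its verdict strings are made up for illustration, and the two sample inputs are constructed from the names used in the post above.

```shell
#!/bin/sh
# Added example. chain_report and its verdict strings are illustrative names.
# Reads `openssl s_client -showcerts` output on stdin and checks that the
# certificates the server sent link up: issuer of cert k == subject of cert k+1.
chain_report() {
    awk '
        BEGIN { n = 0 }
        # Chain entries: " 0 s:<subject>" followed by "   i:<issuer>".
        /^ *[0-9]+ s:/    { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; want_i = 1; next }
        want_i && /^ *i:/ { sub(/^ *i:/, ""); iss[n++] = $0; want_i = 0; next }
        END {
            if (n == 0) { print "NO_CERTS"; exit 2 }
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) { print "BROKEN_AT " k; exit 1 }
            # A lone, non-self-signed leaf means the intermediate was not sent.
            if (n == 1 && iss[0] != subj[0]) {
                print "LEAF_ONLY issuer not sent: " iss[0]; exit 1
            }
            print "LINKED certs=" n
        }'
}

# Constructed sample: server sends leaf plus intermediate (chain file configured).
SAMPLE_FULL='Certificate chain
 0 s:/C=AU/O=Example/CN=sasserver.example.com
   i:/C=AU/O=Example/CN=Example Sub CA
 1 s:/C=AU/O=Example/CN=Example Sub CA
   i:/C=AU/O=Example/CN=Example Root CA'

# Constructed sample: server sends the leaf only (no chain file configured).
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:/C=AU/O=Example/CN=sasserver.example.com
   i:/C=AU/O=Example/CN=Example Sub CA'

for s in "$SAMPLE_FULL" "$SAMPLE_LEAF_ONLY"; do
    printf '%s\n' "$s" | chain_report || true
done

# Against a live server (host and port as in the post above):
#   openssl s_client -showcerts -connect sasserver.example.com:8343 \
#       </dev/null 2>/dev/null | chain_report
```

A `LEAF_ONLY` verdict matches the symptom described earlier in the thread, where only browsers that already hold the intermediate accept the site.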