sha256
Fluorite | Level 6

Hello

I supplied an EV multidomain to an Org.

The hostname that will be used for the SAS web app is a SAN.

The SAS installer said he needs an FQHN (FQDN?) that is the CN of the SSL cert. That's why he said he needs a Single or Wildcard SSL cert. Is this true? So EV multidomain won't work?

Can they just reissue the EV multidomain with the CN as the SAS hostname?

Can someone please help? Anyone had a similar experience? Thanks.

8 REPLIES
JuanS_OCS
Amethyst | Level 16

Hello @sha256,

nice question, thank you.

For starters, I would believe in your consultant installing SAS. And if you don't and you look for an official answer, the best way to go is to discuss with SAS Technical Support.

Now, I can give you my personal experience and personal opinions.

I cannot foresee issues with EV multidomain, regarding SAS, as long as the certificate or certificates contain the FQDN of the server, and the certificate path and the private key, all of them in PEM (base64) format. SAS is really no different from any other application in this matter, because the Web Server for SAS is from the Apache family. Those are your constraints.

If a web server (apache) in this host contains this certificate and you can connect to it from a web browser without trouble, it will be OK too for the deployment of SAS. You can play with it and demo it in that way.

Besides this, you can ask your CA to reissue the certificate with anything you need, that is resolvable in the network and your server itself. The fully qualified internal hostname might be needed if the deployment will start with an internal-only deployment.

Does it help?

Kind regards,
Juan

SimonDawson
SAS Employee
Can't say I have specific experience with working with EV certificates but I don't see any problems that would cause. The EV certificate just includes some extra fields in the standard X.509 certificate.

There are a few places in a SAS deployment where a TLS/SSL handshake with the web server that sits in front of your middle tier needs to occur. There are a number of different technologies used in various places to implement the TLS protocol. SAS Management Console is an application written in Java and uses Java 7 libraries for the TLS handshake. The SAS Foundation sessions on Windows use S-Channel built into Windows; on UNIX it's something else. SAS Enterprise Guide is a .NET client and uses the .NET libraries to do the TLS handshake. Some of the new utilities from SAS are built with Go and lean on those standard libraries.

The tricky bit with getting your TLS/SSL certificates working nicely is ensuring your certificate will be able to be parsed and validated by quite a broad variety of clients. The clients that might connect, depending on your environment, could be quite varied.
sha256
Fluorite | Level 6

Hey thanks for your replies

The installer had no issues installing the SSL. BUT the SAS server isn't sending the Intermediate certificate to the visitor. Hence you can only access it with no "Insecure connection" warning in certain browsers and under certain circumstances (like if you already visited a site that sends the same Intermediate certificate).

The installer was originally given 3 PEM files - server.crt, bundle.crt and private.key. We combined the server and bundle crt into 1 crt and he installed it but still no change.

I don't know how he installed the SSL on the SAS server and I'm not familiar with SAS. How do you make the SAS server send the Intermediate certificate to the visitor so the SSL chain is complete? I've read a bit of SAS documentation and it says to install the "certificates" in the Windows CA store and Private JRE, which he claims he already did. This is SAS 9.4 (I don't know the MR) on Windows.

I've asked him to create a ticket with tech support. Hopefully they find a solution soon.

JuanS_OCS
Amethyst | Level 16

Hello @sha256,

the certificate chain should also be imported on the client side, in the Windows and/or mobile certificate stores. If the client uses Chrome as web browser, then that Chrome should incorporate the certificate chain, since Chrome has its own certificate store.

sha256
Fluorite | Level 6

Hey thanks!

So the SAS web server can't/won't send the Intermediate along with the Server certificate to the visitor? Is this a SAS limitation? Can someone point me to documentation highlighting this?

In comparison, a site with SSL on IIS can/will send Intermediate and Server certificates to the visitor so there is no need to install the Intermediate in the CA stores of his browser or OS.

So every SAS client that connects to the SAS web server should have the Intermediate in their Windows CA store or the browser CA store depending on the browser used?

PaulHomes
Rhodochrosite | Level 12

The SAS 9.4 Web Server (which includes Apache Web Server) can be configured to send the certificate chain to a web browser client. As long as the root certificate of the chain is in the browser CA store (as you would expect for an EV cert) then you should not need to make any changes to the browser. I don't have an EV certificate to test with my SAS mid-tier, but do have an intermediate CA with a self-signed root CA. I only have to add the self-signed root CA cert to the browser CA store because it is not already there.

 

Using openssl s_client I can see the whole certificate chain being sent back by the SAS Web Server (edited version below):

openssl s_client -showcerts -connect sasserver.example.com:8343

CONNECTED(00000003)
depth=2 C = AU, O = Example, CN = Example Root CA
verify return:1
depth=1 C = AU, O = Example, CN = Example Sub CA2
verify return:1
depth=0 C = AU, O = Example, CN = sasserver.example.com
verify return:1
---
Certificate chain
 0 s:/C=AU/O=Example/CN=sasserver.example.com
   i:/C=AU/O=Example/CN=Example Sub CA
-----BEGIN CERTIFICATE-----
**** PEM encoded server cert here ****
-----END CERTIFICATE-----
 1 s:/C=AU/O=Example/CN=Example Sub CA
   i:/C=AU/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
**** PEM encoded Example Sub CA cert here ****
-----END CERTIFICATE-----
 2 s:/C=AU/O=Example/CN=Example Root CA
   i:/C=AU/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
**** PEM encoded Example Root CA cert here ****
-----END CERTIFICATE-----
---
Server certificate
subject=/C=AU/O=Example/CN=sasserver.example.com
issuer=/C=AU/O=Example/CN=Example Sub CA
---

 

In my /opt/sas94m5/config/Lev1/Web/WebServer/conf/extra/httpd-ssl.conf file I have the following:

SSLCertificateFile "ssl/sasserver.example.com.crt"
SSLCertificateKeyFile "ssl/sasserver.example.com.key"
SSLCertificateChainFile "ssl/sasserver.example.com-ca-chain.crt"

The /opt/sas94m5/config/Lev1/Web/WebServer/ssl/sasserver.example.com-ca-chain.crt file specified in SSLCertificateChainFile contains the PEM encoded CA certs (intermediate then root).

 

sha256
Fluorite | Level 6
Thanks Paul for your input!

I also already asked this, i.e. whether the SSLCertificateFile and SSLCertificateChainFile point to the right certs. He said he did go over these as well. But I will bring this up again with him and report back here.

He was given the server.crt, private.key and bundle.crt. During config of the SAS server and install of SSL, are you asked to upload files for each directive? Then it's very clear which file to upload for each directive. I wonder what went wrong.
PaulHomes
Rhodochrosite | Level 12

When I do my SAS 9.4 server install I break it into phases:

1) install-only (no deploy) to get a populated sashome

2) add my custom CA certs (intermediate and root) to the SAS Trusted CA Bundle - see Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager

3) deploy-only to get a populated Lev1

If you have an EV cert from a well known CA then I imagine you will have skipped 2 (or only added the intermediate) and perhaps combined 1 & 3 into a single step.

Looking at my recorded deployment response file, I can only see the server cert specified, and looking at my notes I don't see any references to SSLCertificateChainFile; however, based on the name of the file I highly suspect it was a manual post-deployment change to the Apache config by me - along the lines of Updating the Key and Certificate That Are Used by SAS Web Server but with an SSLCertificateChainFile that contains the PEM encoded intermediate and root certs.

From memory, with the SAS Deployment Wizard Typical level of prompting, you get to specify the server cert and key files (but not the chain file).
