SAP Knowledge Base Article - Public

3197486 - Limitations of the CSR generation tool in SSL Certificates tool - Recruiting Marketing

Symptom

After populating the fields in the CSR form and clicking the Generate button, some values are not accepted and the CSR cannot be generated.

Environment

SAP SuccessFactors Recruiting Marketing

Reproducing the Issue

  1. Select Option 1: To obtain and install your SSL (typical)
  2. Select step 1 : Generate a CSR
  3. Populate fields in 'Generate Certificate Signing Request' form
  4. Click on Generate
  5. Validation errors appear

Cause

This errors are due to product limitations. Some characters are currently not supported in the CSR generation tool. They are:

  • Use of special characters or symbols in the Organization (O) field such as ! @ # $ % ^ * ( ) ~ ? > < / \ ,
    (This is documented in the implementation guide)
    Note the Organization name does not appear anywhere on the site so particular corporate naming conventions are not relevant and such characters can be removed. Note however that diacritical marks such as ä or é are supported.
    Note this is being considered for enhancement in a future release.
  • Use of a number as first character for the subdomain in the Common Name (CN) or Subject Alternative Name (SAN) such as jobs.1.com
    Note this is being considered for enhancement in a future release.
  • Use of wildcard character as first character for the subdomain in the Common Name (CN) or Subject Alternative Name (SAN) such as *.company.com
    Note this is being considered for enhancement in a future release.


Note it is also not currently possible to generate the CSR via the CSB tool without a value populated in the Organizational Unit (OU) field as this field is marked as required.
Note this is being considered for enhancement in a future release.


Another limitation is the fact that even if the email field is populated in the CSR generation form, this will not be shown on the CSR itself for data privacy reasons. Most CAs do not require this information for the same reasons.
If your Certificate Authority insists they must have this information in the CSR then you will need to procure the CSR somewhere else (See KBA 2892001 - What is a CSR - Recruiting Marketing) then use option 2 in CSB  : Upload an SSL certificate that you got using your own CSR. 

Note: For SAN names there are a limitation of 64 characters and should be separated with comma (not semicolon or others special characters)

Resolution

The CSR with special characters cannot be generated via the tool for these particular scenarios but customers can use Option 2: To obtain and install an SSL without generating a CSR. With this option they can generate their own CSR by other means and obtain their certificate then upload it along with their private key. (See KBA 2892001 - What is a CSR - Recruiting Marketing). As a result, this process is still a self service and does not require Support to manually generate the CSR.

See Also

2892001 - What is a CSR - Recruiting Marketing

Keywords

CSR, SSL certificate, error, special character, SAN , KBA , LOD-SF-RMK-CER , Certificate Renewal, IP Address, Domain , LOD-SF-RMK-CSB , Career Site Builder , Problem

Product

SAP SuccessFactors Recruiting all versions