Scribd
Upload
255 views13 pages

SAP Router SSL Certificate Renewal

SAP Router SSL Certificate Renewal Steps

Uploaded by

A Alam
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
255 views13 pages

SAP Router SSL Certificate Renewal

SAP Router SSL Certificate Renewal Steps

Uploaded by

A Alam
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

5/9/25, 6:04 AM

Basis Corner
Generated on: 2025-05-09 [Link] GMT+0000

Support Content | 1.0

Public

Original content: [Link]

Warning

This document has been generated from SAP Help Portal and is an incomplete version of the official SAP product documentation.
The information included in custom documentation may not reflect the arrangement of topics in SAP Help Portal, and may be
missing important aspects and/or correlations to other topics. For this reason, it is not for production use.

For more information, please visit [Link]

This is custom documentation. For more information, please visit SAP Help Portal. 1
5/9/25, 6:04 AM

How to renew the SAP Router license


Here are the steps to renew SAP Router license :

Before starting the below mentioned steps, please stop the saprouter service.

1) make a new folder in your saprouter directory like <drive>:\usr\sap\saprouter\backup

Cut/Paste certreq, cred_v2, [Link], [Link], srcert in backup directory

2) Run the below command to generate new certificate request

D:\usr\sap\saprouter>sapgenpse get_pse -v -r certreq1 -p [Link]

it will ask for certain parameters you can get your Distinguished name from [Link]

3) After This

Open [Link] site

4) Logon using your [Link] ID and Password

Press Apply now-->Press Continue

5) Open the file: <drive>:\usr\sap\saprouter\certreq1 with notepad

Copy text from this file and paste the text to the request certificate page

Press the Request Certificate

6) Select the generated certificate text and copy and make a text file
[Link] in D:\usr\sap\saprouter directory

Rename the [Link] to srcert only

7) Install the certificate in our saprouter by running

<drive>:\usr\sap\saprouter>[Link] import_own_cert -c srcert -p [Link]

8) Now we have to create the credentials for the SAProuter with command

<drive>:\usr\sap\saprouter>sapgenpse seclogin -p [Link] -O <saprouter user>

This will create a file called cred_v2 in the same directory.

Check if the certificate has been imported correctly

<drive>:\usr\sap\saprouter>Sapgenpse get_my_name -v -n Issuer

Once, all the steps have been performed, please restart your saprouter service.

That's all Done!

Have a nice time!!!!

This is custom documentation. For more information, please visit SAP Help Portal. 2
5/9/25, 6:04 AM

How to replace productive SSL PSE in AS ABAP

CA asks you to create new key pair, but old key is in productive use, if you replace it directly, it will impact productive usage.

You can follow the steps in note 1178155 to generate a new key pair without removing the old key pair.

Here are detailed steps:

[Link] a new SSL Server Identity.

In transaction STRUST, choose the menu option "Environment => SSL Server Identities"

Then, choose "New Entries". Create an entry using the field values SSL ID = 'SRVTMP' and Description = 'Temporary SSL Server
PSE'. Set the flag "Active" (if the flag is available).

This is custom documentation. For more information, please visit SAP Help Portal. 3
5/9/25, 6:04 AM

Include the change in a transport request if required.

[Link] a temporary PSE.

Back to STRUST, you will see a new entry 'Temporary SSL Server PSE' in the PSE tree (it is marked with red 'X').

This is custom documentation. For more information, please visit SAP Help Portal. 4
5/9/25, 6:04 AM

Right click the PSE entry and select "Create" and then input the Subject Name and other options you want.

You can click the pencil button if you would like to input it by yourself.(In case you use same certificate name with the old SSL
Server PSE, you can copy name of SSL Server PSE and paste it.

This is custom documentation. For more information, please visit SAP Help Portal. 5
5/9/25, 6:04 AM

A new PSE with empty certificate list is created:

This is custom documentation. For more information, please visit SAP Help Portal. 6
5/9/25, 6:04 AM

3. Copy certificate list in the old PSE to the temporary PSE.

If the currently active SSL Server PSE contains some certificates in its certificate list, you must transfer these certificates from the
old PSE's certificate list into the certificate list of the new temporary PSE.
To do this, select the active SSL Server PSE and double click the certificate you want to transfer. It will appear in the "Certificate"
area of transaction STRUST. Next, select the temporary PSE with a double-click. The PSE appears in the upper section of the
screen. The certificate to transfer remains stored in the certificate area, so you can now simply add it to the temporary PSE's
certificate list by choosing "Add to Certificate List".

Open the old SSL PSE and double click certificate in "Certificate List":

This is custom documentation. For more information, please visit SAP Help Portal. 7
5/9/25, 6:04 AM

The certificate is shown in "Certificate" section:

Double Click the temporary SSL Server PSE and then Click "Add to Certificate List" button:

The certificate is added into the "Certificate List" of the temporary SSL Server PSE:

This is custom documentation. For more information, please visit SAP Help Portal. 8
5/9/25, 6:04 AM

Repeat these steps for each certificate to be transferred to the new PSE's certificate list.

[Link] the temporary SSL Server PSE certified by CA.

The newly created temporary SSL Server PSE is still self-signed. You can now proceed with creating a certificate request from your
newly created temporary SSL PSE and send this certificate request to the CA. Choose "Edit ==> Create Certificate Request" or the
following button:

Upon receipt of your CA signed certificate, make sure you select the right PSE for import. Import the CA's certificate response by
using the menu function "Edit ==> Import Certificate Response", or by clicking the green arrow button directly under the tag "Own
Certif.".

This is custom documentation. For more information, please visit SAP Help Portal. 9
5/9/25, 6:04 AM
Note that the procedures described in note 508307 may need to be applied when importing certificate responses.

If you would like to do a test, you can use [Link]

5. Replacement preparation.

Firstly, please check the certificate name has been changed(Either by yourself or by CA) . If yes, you need to assign new name to
the old SSL Server PSE. If not, you can skip this step.

If certificate name has been changed, you need to change the certificate name of the SSL Server PSE to the new name.

Right Click SSL Server PSE and select "Change":

This is custom documentation. For more information, please visit SAP Help Portal. 10
5/9/25, 6:04 AM

Paste the new name:

After this, the old SSL Server PSE should have same certificate name as temporary SSL Server PSE.

5. Replace the "old" SSL Server PSE.

Open the temporary SSL Server PSE and Save it as SSL Server PSE:

This is custom documentation. For more information, please visit SAP Help Portal. 11
5/9/25, 6:04 AM

This is custom documentation. For more information, please visit SAP Help Portal. 12
5/9/25, 6:04 AM

Prior to Release 7.10, you must also restart the ICM to activate the changes. (This step is not necessary as of NW 7.10.)

After completing the procedure, you can delete the temporary PSE from STRUST, and either delete the "Active" flag (if available) or
remove the complete entry for the SRVTMP PSE from the system's SSL identities.

This is custom documentation. For more information, please visit SAP Help Portal. 13

You might also like