Renewal of SAP Router Certificate

former_member596653 · ‎01-07-2019

Introduction-

Here in this Blog i would like to explain the complete process on How to renew SAP Router Certificate.

Main Activity

Renewing SAP Router Certificate.

About SAP Router

It acts as a proxy in a network connection between SAP systems, or between SAP systems and external networks. A standalone SAP program that protects your SAP network against unauthorized access .

Procedure for Renewing SAP Router

Stop Router Service.

Login to SAP Router Server and stop Router service.

Take backup of SAPROUTER files from OS level.

Take a backup of file in usr/sap/saprouter : Cred_v2, srcert, certreq, local.pse

Also you can take a copy of SAPRouter folder

Generating the certificate.

Run the following command –

“sapgenpse get_pse -v -r certreq1 -p local.pse”

to generate a certificate in OS level.

Enter the new PIN for PSE file two times – ******

Now it will ask to provide your Distinguished Name. Give DSN and press Enter.

CN=*********, OU=0000123456, OU=SAProuter, O=SAP, C=DE

It will create a new Certificate file “certreq” in the sap router file system.

Open the file ‘certreq’ and copy the content or code from that file.

Open Support portal and navigate to SAP Router page where your Router is configured and click on Submit CSR

Paste the copied data from here as shown below and hit on Request Certificate.

Copy the generated response.

Paste it in “srcert” file and save.

Now run the following command and give the PSE Pin :– ********

sapgenpse.exe import_own_cert -c srcert -p local.pse

This command will import the response that copied into “srcert” file.

Now run the following command to create a file “cred_v2”.

sapgenpse seclogin -p local.pse -O <saprouter user>

sapgenpse seclogin -p local.pse -O Administrator

Verification of the Router can be done by running following command.

sapgenpse get_my_name -v -n Issuer

Start SAP Router service

Post Verification checks.

Validation check in Support Portal

SAPRouter Status check

Run the command whether the Router is running or not.

Saprouter -l

SAPRouter Validity check

SAP Router Certificate Validity

sapgenpse get_my_name -n validity

Conclusion

This is the complete process of renewing SAP Router Certificate. Feel free to post any comments or queries related to this topic.

medved · ‎06-17-2019

Thanks for help!

elizabeth_rodriguez2 · ‎08-26-2019

Thanks Sai Kumar, only want to add the right command if you are using the new crypto Library @256 bit of encryptation

sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "Put Here your DN"

former_member555303 · ‎01-08-2020

Hello,

Does Renewal of SAP Router certificate includes any cost.

former_member596653 · ‎01-21-2020

Thankyou

former_member596653 · ‎01-21-2020

No

k_sood · ‎11-27-2020

Very Helpful Blog. I can see the new certificate at the portal but after starting the SAPRouter, I can see error in dev_rout file saying own certificate has expired. Any Idea , what could be the reason of this problem ?

Br,

Ketan

former_member147856 · ‎06-29-2021

Very nice post.

Rename or delete cred_v2 file.

jaime_rodriguez_jr · ‎11-04-2021

thanks for your help it's was totally useful, now the router is working properly I could not have done without this

Regards

former_member12224 · ‎11-24-2021

Thanks Sai Kumar,

stefanescu_andrei · ‎05-16-2022

Very nice document! Thank you.

former_member654794 · ‎08-11-2022

get_pse: Distinguished name of PSE owner what name givein

vinitohm · ‎02-24-2023

when satar saprouter service facing this issue please help

saprouter.exe -r

invalid lines in ' ./saprouttab , see 'dev_rout' nirout.cpp 11122

gdunham · ‎07-18-2023

Great post this is still relevant in 2023. I did come up with one issue with the error:

get_pse: Can't create PSE.

It was related to the system variables not set correctly for "SECUDIR." This variable needed to be pointed the saprouter folder in C drive.