Sap Router Certificate Renewal Process

This is the process to check for the validity of the saprouter certificate and re-apply this. 

• From command prompt, give this command:

sapgenpse get_my_name -n validity

• This will show the validity. Please see screenshot highlighted. It is showing validity expired on Jun 17, 2011.

When the validity is showing as expired, proceed as follows:

• Stop the Saprouter from the services panel. 

                          

• Make a backup of the folder: C:\SAProuter\SAProuter.  

              This folder contains the saprouter files and might be needed for a restore if any issues

•   Then check the following environment variables as shown below:

           SECUDIR

           SNC_LIB

• Delete these 4 files in C:\SAProuter\SAProuter  ( Ensure that you have taken the backup in the previous steps )

  certreq
  cred_V2
  localpse
  srcert

• Generate the certificate request using the following command

sapgenpse get_pse –v –r certreq –p local.pse “your distinguish name”

The distinguish name is available from the command:

sapgenspe get_my_name

The distinguish name in this case is the entire details following Subject.

Then we generate the cert request. See below screenshot

sapgenpse get_pse –v –r certreq –p local.pse “your distinguished name”

It will ask for entering the PIN. Enter any 4 digit number. Please remember and save the same. This pin will be needed for access to the PSE.

Once the request is created, it creates the file certreq   under location: C:\SAProuter\SAProuter

• Then Login to service marketplace under:

1. http://www.service.sap.com/saprouter-sncadd   à Apply Certificate

This opens the form below. Select Continue

• Paste the contents of the certreq file generated above as below, and then “Request Certificate”. See below

   

• Copy the details of the new certificate generated and then paste it in a new file srcert in the location C:\SAProuter\SAProuter.

• Then import the new certificate using:

   

C:\SAProuter\SAProuter>sapgenpse import_own_cert -c          “C:\SAProuter\SAProuter\srcert” -p local.pse
Please enter PIN:
CA-Response successfully imported into PSE “C:\SAPRouter\SAProuter\local.pse”

• Then run this command to generate the file cred_V2 in the saprouter directory.

              sapgenpse seclogin –p local.pse

• Check if the certificate has been loaded correctly by using the following

  command  

sapgenpse get_my_name –v –n Issuer

C:\SAProuter\SAProuter>sapgenpse get_my_name -v -n Issuer
SSO for USER “SAPRouter.1”
with PSE file “C:\SAPRouter\SAProuter\local.pse”

Subject : CN=mobilise, OU=0000912221, OU=SAProuter, O=SAP, C=DE
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Serialno: BD:43:BA:2D:74:72:35:B0:10:01:02:22:A7
KeyInfo : RSA, 1024-bit
Validity – NotBefore: Mon Jun 20 11:58:38 2011 (110620015838Z)
NotAfter: Wed Jun 20 11:58:38 2012 (120620015838Z)

This shows that the certificate has been renewed.

• The saprouter owner here is the user svc-saprouter and we need to give the saprouter permission to this user:

              C:\SAProuter\SAProuter>sapgenpse seclogin -p local.pse -O svc-saprouter
running seclogin with USER=”SAPRouter.1″
creating credentials for user “NMLCLAP03\svc-saprouter”…
Please enter PIN:
Adjusting credentials and PSE ACLs to include “NMLCLAP03\svc-saprouter”.
C:\SAPRouter\SAProuter\cred_v2 … ok.
C:\SAPRouter\SAProuter\local.pse … ok.
C:\SAPRouter\SAProuter\local.pse … ok.
Added SSO-credentials for PSE “C:\SAPRouter\SAProuter\local.pse”
“CN=mobilise, OU=0000912221, OU=SAProuter, O=SAP, C=DE”

Once it is done, we need to restart the saprouter. And the RFC connection SAP-OSS worked.