Skip to Content

Sap Router Certificate Renewal Process

SAPROuter Validity.png

This is the process to check for the validity of the saprouter certificate and re-apply this. 

  • From command prompt, give this command:

sapgenpse get_my_name -n validity

  • This will show the validity. Please see screenshot highlighted. It is showing validity expired on Jun 17, 2011.

When the validity is showing as expired, proceed as follows:

  • Stop the Saprouter from the services panel. 


  • Make a backup of the folder: C:\SAProuter\SAProuter.  

              This folder contains the saprouter files and might be needed for a restore if any issues

  •   Then check the following environment variables as shown below:



Environment Variables.png

  • Delete these 4 files in C:\SAProuter\SAProuter  ( Ensure that you have taken the backup in the previous steps )


  • Generate the certificate request using the following command

sapgenpse get_pse –v –r certreq –p local.pse “your distinguish name”

Distinguishable name.png

The distinguish name is available from the command:

sapgenspe get_my_name

The distinguish name in this case is the entire details following Subject.

Then we generate the cert request. See below screenshot

sapgenpse get_pse –v –r certreq –p local.pse “your distinguished name”

It will ask for entering the PIN. Enter any 4 digit number. Please remember and save the same. This pin will be needed for access to the PSE.

Once the request is created, it creates the file certreq   under location: C:\SAProuter\SAProuter

  • Then Login to service marketplace under:

  1.   à Apply Certificate

This opens the form below. Select Continue


  • Paste the contents of the certreq file generated above as below, and then “Request Certificate”. See below

    Cert request.png

  • Copy the details of the new certificate generated and then paste it in a new file srcert in the location C:\SAProuter\SAProuter.

  • Then import the new certificate using:


C:\SAProuter\SAProuter>sapgenpse import_own_cert -c          “C:\SAProuter\SAProuter\srcert” -p local.pse
Please enter PIN:
CA-Response successfully imported into PSE “C:\SAPRouter\SAProuter\local.pse”

  • Then run this command to generate the file cred_V2 in the saprouter directory.

              sapgenpse seclogin –p local.pse

  • Check if the certificate has been loaded correctly by using the following


sapgenpse get_my_name –v –n Issuer

C:\SAProuter\SAProuter>sapgenpse get_my_name -v -n Issuer
SSO for USER “SAPRouter.1”
with PSE file “C:\SAPRouter\SAProuter\local.pse”

Subject : CN=mobilise, OU=0000912221, OU=SAProuter, O=SAP, C=DE
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Serialno: BD:43:BA:2D:74:72:35:B0:10:01:02:22:A7
KeyInfo : RSA, 1024-bit
Validity – NotBefore: Mon Jun 20 11:58:38 2011 (110620015838Z)
NotAfter: Wed Jun 20 11:58:38 2012 (120620015838Z)

This shows that the certificate has been renewed.

  • The saprouter owner here is the user svc-saprouter and we need to give the saprouter permission to this user:

              C:\SAProuter\SAProuter>sapgenpse seclogin -p local.pse -O svc-saprouter
running seclogin with USER=”SAPRouter.1″
creating credentials for user “NMLCLAP03\svc-saprouter”…
Please enter PIN:
Adjusting credentials and PSE ACLs to include “NMLCLAP03\svc-saprouter”.
C:\SAPRouter\SAProuter\cred_v2 … ok.
C:\SAPRouter\SAProuter\local.pse … ok.
C:\SAPRouter\SAProuter\local.pse … ok.
Added SSO-credentials for PSE “C:\SAPRouter\SAProuter\local.pse”
“CN=mobilise, OU=0000912221, OU=SAProuter, O=SAP, C=DE”

Once it is done, we need to restart the saprouter. And the RFC connection SAP-OSS worked.

You must be Logged on to comment or reply to a post.