Skip to Content
Author's profile photo Former Member

Sap Router Certificate Renewal Process

SAPROuter Validity.png

This is the process to check for the validity of the saprouter certificate and re-apply this. 

  • From command prompt, give this command:

sapgenpse get_my_name -n validity

  • This will show the validity. Please see screenshot highlighted. It is showing validity expired on Jun 17, 2011.

When the validity is showing as expired, proceed as follows:

  • Stop the Saprouter from the services panel. 


  • Make a backup of the folder: C:\SAProuter\SAProuter.  

              This folder contains the saprouter files and might be needed for a restore if any issues

  •   Then check the following environment variables as shown below:



Environment Variables.png

  • Delete these 4 files in C:\SAProuter\SAProuter  ( Ensure that you have taken the backup in the previous steps )


  • Generate the certificate request using the following command

sapgenpse get_pse –v –r certreq –p local.pse “your distinguish name”

Distinguishable name.png

The distinguish name is available from the command:

sapgenspe get_my_name

The distinguish name in this case is the entire details following Subject.

Then we generate the cert request. See below screenshot

sapgenpse get_pse –v –r certreq –p local.pse “your distinguished name”

It will ask for entering the PIN. Enter any 4 digit number. Please remember and save the same. This pin will be needed for access to the PSE.

Once the request is created, it creates the file certreq   under location: C:\SAProuter\SAProuter

  • Then Login to service marketplace under:

  1.   à Apply Certificate

This opens the form below. Select Continue


  • Paste the contents of the certreq file generated above as below, and then “Request Certificate”. See below

    Cert request.png

  • Copy the details of the new certificate generated and then paste it in a new file srcert in the location C:\SAProuter\SAProuter.

  • Then import the new certificate using:


C:\SAProuter\SAProuter>sapgenpse import_own_cert -c          “C:\SAProuter\SAProuter\srcert” -p local.pse
Please enter PIN:
CA-Response successfully imported into PSE “C:\SAPRouter\SAProuter\local.pse”

  • Then run this command to generate the file cred_V2 in the saprouter directory.

              sapgenpse seclogin –p local.pse

  • Check if the certificate has been loaded correctly by using the following


sapgenpse get_my_name –v –n Issuer

C:\SAProuter\SAProuter>sapgenpse get_my_name -v -n Issuer
SSO for USER “SAPRouter.1”
with PSE file “C:\SAPRouter\SAProuter\local.pse”

Subject : CN=mobilise, OU=0000912221, OU=SAProuter, O=SAP, C=DE
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Serialno: BD:43:BA:2D:74:72:35:B0:10:01:02:22:A7
KeyInfo : RSA, 1024-bit
Validity – NotBefore: Mon Jun 20 11:58:38 2011 (110620015838Z)
NotAfter: Wed Jun 20 11:58:38 2012 (120620015838Z)

This shows that the certificate has been renewed.

  • The saprouter owner here is the user svc-saprouter and we need to give the saprouter permission to this user:

              C:\SAProuter\SAProuter>sapgenpse seclogin -p local.pse -O svc-saprouter
running seclogin with USER=”SAPRouter.1″
creating credentials for user “NMLCLAP03\svc-saprouter”…
Please enter PIN:
Adjusting credentials and PSE ACLs to include “NMLCLAP03\svc-saprouter”.
C:\SAPRouter\SAProuter\cred_v2 … ok.
C:\SAPRouter\SAProuter\local.pse … ok.
C:\SAPRouter\SAProuter\local.pse … ok.
Added SSO-credentials for PSE “C:\SAPRouter\SAProuter\local.pse”
“CN=mobilise, OU=0000912221, OU=SAProuter, O=SAP, C=DE”

Once it is done, we need to restart the saprouter. And the RFC connection SAP-OSS worked.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Hi Rishi,

      Thanks for your blog. It is very helpful.

      Author's profile photo Former Member
      Former Member

      Very nice article Rishi!

      Normally the saprouter certificate is valid for one year - is there the possibility to renew for more than one year?


      Author's profile photo Former Member
      Former Member
      Blog Post Author

      Hi Suraj

      Thanks ..

      I think 1 year validity is the default for the sap router certificate ..


      Author's profile photo BASIS Team
      BASIS Team

      This is really helpful

      Only one problem I have seen in this, is that we need not give the command in full with "your distinguish name"

      sapgenpse get_pse –v –r certreq –p local.pse "your distinguish name"

      giving the command -: sapgenpse get_pse –v –r certreq –p local.pse

      It will ask for the distinguish name

      Author's profile photo Diggesh Joshi
      Diggesh Joshi

      Thank you for putting this document.

      Author's profile photo Former Member
      Former Member


      I am having a problem generating the certreq. After I run sapgen get_pse..."dist name",

      I was/am generating the local.pse file but no certreq generated.

      Please shere on how I could address this case,


      Author's profile photo Gaurav Rana
      Gaurav Rana

      Could you generate a new thread with detailed issue.

      Author's profile photo Karel Daniels
      Karel Daniels

      SAP is changing the process, with small differences in the procedure.

      Follow this link for correct instructions:

      Installing the sapcrypto library and starting the SAProuter | SAP Support Portal

      Author's profile photo Naveen K S
      Naveen K S

      Can we generate a certificate before expiry or after expiry ?

      Author's profile photo Manuel Martins
      Manuel Martins

      You can do it at any time.

      Obviously, if you do it after expiry you will have service downtime, so the recommendation is to renew before expiry.