
During installation, the SMP 3.0 server automatically generates a self-signed certificate that is used for Agentry server authentication (among other things).  This certificate is based on the fully qualified domain name (FQDN) at the time of the installation.  If the FQDN changes for any reason, or the certificate needs to reference an external name rather than an internal one, you will need to regenerate the certificate.

This document outlines the steps needed to regenerate the certificate using the Java keytool utility.  Please note that you will need to know the Keystore password you specified during installation of the SMP 3.0 server to perform these steps.  These commands assume the SMP Java directory is in your path and that you are executing the commands from the C:\SAP\MobilePlatform3\Server\configuration directory.

Note that with the release of SP08 the keystore filename where the certificate is stored has changed.  Please be sure to use the correct keystore name.

Keystore – pre-SP08 = smpkeystore.jks

Keystore – SP08+ = local_smpkeystore.jks

Note that in SP09 the Java version used by the SMP server changed to Java 8.  As a result I have updated the batch file to set the Java directory name.

The steps are the same, only the file where it is stored has changed in SP08.

  1. Remove the existing certificate
    • keytool -keystore {keystore filename} -delete -alias smp_crt -storepass {keystore password}
  2. Create the new self-signed certificate (edit the dname information to match your organization details)
    • keytool -keystore {keystore filename} -genkeypair -keyalg RSA -sigalg SHA1withRSA -validity 3650 -alias smp_crt -dname "{C=country, ST=state, L=city, O=myorg, OU=myorgunit}, CN={New FQDN}, emailAddress={your email address}" -ext BC:ca:true -keypass {keystore password} -storepass {keystore password}
  3. Export the new certificate for use with your Agentry clients
    • keytool -keystore {keystore filename} -export -alias smp_crt -file smp_crt.cer -rfc -storepass {keystore password} -keypass {keystore password}
  4. After executing these commands, restart your SMP 3.0 server to pick up the new certificate
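
A check worth running on the exported smp_crt.cer before distributing it, as an added example that is not part of the original post: it confirms the CN matches the name clients connect to, reports whether the signature is SHA-1, and prints a SHA-256 fingerprint to compare against the copy installed on a device. It is written in PowerShell using .NET's X509Certificate2; the parameter names, script name and default path are assumptions.

```powershell
# Added example (not from the original post): sanity-check the exported smp_crt.cer.
# Usage (script name is hypothetical): .\Check-SmpCert.ps1 -ExpectedName smp.example.com
param(
    [Parameter(Mandatory = $true)] [string] $ExpectedName,   # FQDN or IP the clients connect to
    [string] $CertPath = 'C:\SAP\MobilePlatform3\Server\configuration\smp_crt.cer'  # assumed default
)
$ErrorActionPreference = 'Stop'

# X509Certificate2 reads the PEM (-rfc) file written by "keytool -export".
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Take the CN from the subject, one RDN per line, so an empty or missing CN is visible.
$cnLine = ($cert.SubjectName.Format($true) -split "\r?\n") |
    Where-Object { $_ -match '^CN=' } | Select-Object -First 1
$cn = if ($cnLine) { $cnLine.Substring(3).Trim() } else { '' }

$problems = @()
if ($cn -ne $ExpectedName) {
    # -ne is case-insensitive, which suits host names.
    $problems += "CN '$cn' does not match '$ExpectedName'; hostname checks against this certificate will fail"
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Certificate is not valid now: $($cert.NotBefore) to $($cert.NotAfter)"
}

# 1.2.840.113549.1.1.5 is sha1WithRSAEncryption, which -sigalg SHA1withRSA produces.
$sha1 = $cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.5'

# SHA-256 fingerprint of the DER bytes, for out-of-band comparison on the device.
$hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
$fingerprint = ($hash | ForEach-Object { $_.ToString('X2') }) -join ':'

[pscustomobject]@{
    CN                 = $cn
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    Sha1Signature      = $sha1
    NotAfter           = $cert.NotAfter
    Sha256Fingerprint  = $fingerprint
    Problems           = $problems
} | Format-List

# Non-zero exit code lets a calling batch file stop before the certificate is sent out.
if ($problems.Count -gt 0) { exit 1 }
```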

In my case, I frequently need to regenerate my certificates due to changing networks and IP addresses, so I have created the attached batch file to simplify the process.  I simply execute the batch file and it prompts me for the password and new FQDN and performs all the other steps, opening Windows Explorer to the configuration directory at the end so I can easily install, copy or email the new certificate out.

I have also updated the batch file to allow for easily setting the correct keystore name.

To use the batch file:

  1. Download the attached file (unzip if necessary)
  2. Rename from smp3-keygen.txt to smp3-keygen.bat
  3. Edit the smp3-keygen.bat file and set the following variables at the beginning of the file.
    • SMP3ROOT – location of your SMP3 installation
    • SMP3JAVA – directory name of the SMP3 java folder (sapjvm_7 or sapjvm_8 for SP09+)
    • KEYSTOREFILE – the name of the keystore where the cert will be stored (See above based on the version of the SMP3 server you are running)
    • CERTINFO (country, state, location, organization, org unit)
    • CERTEMAIL – your email address (included in the certificate)
  4. Run the batch file and input your new FQDN or IP address for the certificate
  5. Enter the keystore password
  6. Import or distribute the new certificate



  1. Jesper Toft Christensen

    Hi Bill

    Great post!
    Now I have a question 🙂 I’m not that hardcore when it comes to certificates so I might sound like a total tool!

    Initially the default certificate isn’t accepted by for instance iPads. So I was thinking about creating a cert. request and have it signed by Vertias as it should then just work without the end user having to do anything but using the SAP app. right?

    Do you know how you would go about creating that?

    Best Regards


    1. Bill Froelich Post author

      In theory yes, you should be able to obtain a certificate signed by a trusted third party and use that on your SMP server which would mean you do not need to install certificates on the devices (iPads).

      I am not sure what you mean by the default certificate isn’t accepted by iPads?

      As for the process you would need to work with the third party to provide whatever they are requiring.  I have not gone through this process and expect it may be different for each vendor.  I have only used the self generated / signed certificates.

      If you are having problems getting the certificate to install on the iPad please post a question to the SCN forum and myself or others will try to assist.


      1. Jesper Toft Christensen

        Hi Bill

        Thank you for the reply!

        Bill: “I am not sure what you mean by the default certificate isn’t accepted by iPads?”

        All I meant was that in order to get the Agentry app working in my test environment I needed to install the default SMP cert. manually on my devices.

        To avoid that in bigger prod. environments I would think it would be easier just to create a cert. request using the keytool somehow and then get Verisign to sign it. Then I would think that the devices would be able to run the app with any manually work need.

        Could you please direct me to the correct forum and I’ll post my question there and hope someone has been in the same situation.


        1. Joel Prefontaine

          I would also like the information posted here, as it makes it challenging to do a production environment with an openSSL cert installed to each device(s). Also, I was informed wildcard (*) is also not supported at the Agentry level, which I found out when using the 8081 and offloading SSL with F5.  Looking for a simpler way to do this.

            1. Jesper Toft Christensen


              I think people are interested in knowing how they replace the default certificate with a “proper” signed certificate.

              I know there is a lot of info to find on the serviceplace about keytools and so on, but most of it is just generic documentation as in 1000 pages that might help hardcore certificate people but the rest of us is kinda screwed 🙂

              1. Joel Prefontaine

                I second that request. Once the ‘proper’ certificate from an org such as versing comes down with one like , what is the next step to get this into the Agentry store with correct aliases? If it’s as simple as adding to the ‘trusted root’ store and deleting the smp_crt, great, but it usually isn’t.

  2. Sudhir Lenka

    Thank you so much Bill for such a nice document, It helped me.

    I have a question here.

    In case of a cluster environment (let’s say Prod-1 & Prod-2), do I need to generate the certificate in one of the nodes (Prod-1) and paste the same custom certificate in another node (Prod-2)? Or do I need to export the key from the primary node (Prod-1) and import it into the secondary node (Prod-2) as we do in case of SMP-2.3 through AgentryKeyUtility?

    1. Stephen Streeter

      The AgentryKeyUtility is not for the certificate that is used in client server encryption.  But this was more for making sure the servers use the same internal encryption key.

  3. Jitendra Kansal

    Really helpful document. 🙂

    I was facing an error while pinging the application ID in Admin cockpit saying

    Backend system cannot be reached:::Root cause:::Exception during connection execute:hostname in certificate didn’t match:<localhost>!=<>

    (where ‘jk’ is my laptop host name)

    After doing some research, I came to know that smp_crt certificate has value “” for CN key which is causing this issue and PING call is looking for smp_crt alias which should have CN value=jk (hostname).

    With the help of steps mentioned in this doc, I am able to change CN and ping is working successfully.

    Last week I did a fresh installation of SMP3 SP06 on my laptop, during installation I selected country as ‘INDIA’ but my current location is in GERMANY.

    Bill Froelich

    By default, CN value of smp_crt should be the system host name. Could this be the reason of automatic renaming of smp_crt CN value as my laptop was connected to internet (Germany ISP) during installation?



    1. Bill Froelich Post author

      Correct.  The smp_crt will be generated with the fully qualified domain name (FQDN) of the system at the time of installation.


  4. Artsrun Ohanyan

    You need to generate the SMP3 Server certificate using the SHA1withRSA signature algorithm when you are using Agentry Client for Windows Mobile.

    If you are not using Windows Mobile and wish to generate a certificate using the stronger signing algorithm, just change “SHA1withRSA” in the instructions to “SHA256withRSA”.

  5. André Nehm

    Hi Bill,

    We use the SMP 3.0 Server SP08 and try to use your script. The first step (backup the certificate) is OK. But in the second one (create the new certificate) we get an error: “unknwon operation -ext”.

    What are we doing wrong?

    Thanks André

    1. Artsrun Ohanyan

      The SMP3 SP08 Server certificate (alias name: smp_crt) is now stored separately in local_smp_keystore.jks instead of smp_keystore.jks.

      Please attach the command line you run, and the error message you see, in case you still have any issues.

      1. André Nehm


        Here is the key_gen.bat as text (I don’t know how I can insert files) and the error from command tool.




        @echo off

        REM ********************************************
        REM Define your local environment settings here
        REM ********************************************
        set SMP3ROOT=C:\SAP\MobilePlatform3
        set CERTINFO=C=DE, ST=DE, L=DRE, O=Consultant, OU=Global PS

        REM ********************************************
        set PATH=%SMPROOT%\sapjvm_7\bin;%PATH%
        echo ================== WARNING ================
        echo This will replace your existing certificate with a new one,
        echo the old keystore file will be backed up to locale_smp_keystore.jks.backup!
        echo ===========================================

        echo -------------------------------------------
        echo Enter FQDN for Certificate
        echo -------------------------------------------
        set /p FQDN=Enter Hostname or IP address for the new SMP3 certificate?

        echo Will generate new certificate for %FQDN%
        echo Enter Ctrl-C to abort or

        echo -------------------------------------------

        set /p KEYSTORE_PW=Enter keystore passphrase:
        echo -------------------------------------------c
        echo Changing to the SMP3 directory
        cd /d %SMP3ROOT%\Server\configuration

        echo -------------------------------------------
        echo backup existing locale_smp_keystore.jks
        echo -------------------------------------------
        copy locale_smp_keystore.jks locale_smp_keystore.jks.backup
        echo -------------------------------------------
        echo remove the old smp_crt certificate
        echo -------------------------------------------
        keytool -keystore local_smp_keystore.jks -delete -alias smp_crt -storepass %KEYSTORE_PW%
        echo -------------------------------------------
        echo create the certificate for smp_crt
        echo -------------------------------------------
        keytool -keystore local_smp_keystore.jks -genkeypair -keyalg RSA -sigalg SHA1withRSA -validity 3650 -alias smp_crt -ext BC:ca:true -dname "%CERTINFO%, CN=%FQDN%, emailAddress=%CERTEMAIL%" -keypass %KEYSTORE_PW% -storepass %KEYSTORE_PW%
        echo -------------------------------------------
        echo export the certificate for clients
        echo -------------------------------------------
        keytool -keystore local_smp_keystore.jks -export -alias smp_crt -file smp_crt.cer -rfc -storepass %KEYSTORE_PW% -keypass %KEYSTORE_PW%
        echo -------------------------------------------
        echo completed. review above if there have been errors, else your
        echo keystore has been updated with a new certificate.
        echo -------------------------------------------

        start explorer %SMP3ROOT%\server\configuration



              1. André Nehm

                Hi Artsrun,

                I can’t see your email address because it is private. And I can’t send you a message because I can only send to “friends and connections”. But you can download the command line and the error message here:


                Thanx, André

  6. Vishal Parikh

    Hi Bill,

    This is very helpful post..!!

    Has anyone attempted a Linux/Unix version of the script yet?

    Please share if it exists anywhere.



  7. Kunal Varaiya

    Hello Bill ,

    I could not find the file for the SP09+ version of regenerating the certificate (may you please attach it one more time with steps), it may help us.

    I tried with the old file but it’s not working.

    Thanks & Regards,
    Kunal Varaiya

  8. Shilpa N


    I couldn’t find the files required to regenerate the certificate.
    Could you let me know where I can get the keystore files?


