You (or whoever manages your saprouter) may have already received the following advisory.

If not, it is already past April 15th, and we have less than 3 months to act on this.

For those who are using the saprouter VPN appliance, fear not: this only affects customers who connect to SAP via SNC.

Affected customers should act now, or your SAPOSS connection will cease on July 18th 2015.


SAP suggests following SAP note 2131531 to renew the saprouter certificate, signed by the new SAP CA.

In addition to the instructions in the SAP note and the detailed instructions link, this blog provides extra information in the hope of helping you go through this renewal process easily and with as little impact as possible. For example, the steps detailed in this blog allow you to test the connection before switching live to it.

SAP note/KBA:

2131531 – New Root Certification Authority for saprouter certificates

Detailed instructions:

Installing the sapcrypto library and starting the SAProuter | SAP Support Portal


1. Download the latest saprouter

As in the detailed instructions, follow the path below. Note that SAProuter 7.42 is available as of this writing (latest patch level 111).

> Support Packages & Patches

> A-Z Alphabetical List of Products

> S



> your preferred O.S. version

> saprouter_XXX-XXXXXXXX.sar

2. Download the latest SAP Cryptographic Library

SAP Cryptographic Library Patch version 8435 is available as of this writing

> Support Packages & Patches

> A-Z Alphabetical List of Products

> S



> your preferred O.S. version


3. Create a new saprouter folder and extract the saprouter and cryptographic library files

NOTE: This is important if you want minimal disruption in your SAP link!

Create the new folder (e.g. /usr/sap/saprouter2). Copy the 2 sar files which you have previously downloaded to this folder.

Extract the sar files


# SAPCAR -xvf saprouter_111-*.sar


Also copy your existing saprouttab to this new folder


# cp /usr/sap/saprouter/saprouttab /usr/sap/saprouter2

4. Generate a new PSE and CSR

Set SECUDIR and SNC_LIB environment variables first

e.g. for csh in UNIX

# setenv SECUDIR /usr/sap/saprouter2

# setenv SNC_LIB /usr/sap/saprouter2/

Then generate the PSE and CSR – where your CN is provided by SAP when you first requested the setup of your saprouter

# sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "CN=<saprouterhost>, OU=<customernumber>, OU=SAProuter, O=SAP, C=DE"

Type in your PIN/passphrase when prompted.

View contents of the generated certreq CSR file, copy the text beginning from




into your clipboard

5. Paste the request/CSR to SAPRouter Certificates area

Logon to SAProuter Certificates | SAP Support Portal

Click on “Apply for a SAProuter certificate”

If you have multiple saprouters, choose the right one that you’re working on

Click Continue

In the TextArea, paste your CSR content

Click Request Certificate

The next screen will show you the signed certificate.

Copy text beginning from




to your clipboard

6. Create a new srcert file and paste the signed certificate

In your new saprouter directory, create a new file called srcert.

Paste the signed certificate to that file and save.

7. Import the signed certificate to your PSE

# sapgenpse import_own_cert -c srcert -p local.pse

Confirm that the import was successful.


CA-Response successfully imported into PSE “/usr/sap/saprouter2/local.pse”

8. Create credentials for your PSE and secure your credentials file

# sapgenpse seclogin -p local.pse -O <user_for_SAProuter>

Type in your PIN/Passphrase when prompted

This generates the cred_v2 file

Secure your credentials file

e.g. for UNIX

# chmod 400 cred_v2

9. Confirm that the certificate was imported successfully

#  sapgenpse get_my_name -v -n Issuer

This should result in

Issuer  : CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE

10. Import the old SMP CA Root certificate if today’s date is before July 18th 2015.

Download the CA certificate from SAP note 2131531 (scroll down to attachment section)

Copy the smprootca.der to the new saprouter directory.

Import the certificate

# sapgenpse maintain_pk -a smprootca.der -p local.pse

Type your PIN/Passphrase when prompted

11. Test your new saprouter

e.g. in UNIX

# saprouter -r -S 3298 -K "p:CN=<host>, OU=<customer number>, OU=SAProuter, O=SAP, C=DE" -V 3

Note that the -S option sets the saprouter to listen on a port other than the usual 3299. You can also set -V 3 to get more trace info.

Set up your SAPGUI or, in transaction SM59, create a copy of your SAPOSS connection (e.g. copy to SAPOSS2).

Set the saprouter string (Msg.Server field) to use the above port



Test the connection.

Open or tail the dev_rout trace file to see if there are any errors


# tail -f dev_rout

12. Switch to your new saprouter when ready!

In UNIX you can do the following

saprouter -s

mv /usr/sap/saprouter /usr/sap/saprouter.old

mv /usr/sap/saprouter2 /usr/sap/saprouter

<start saprouter script> – something like
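
The checks from steps 8 and 9 can be scripted and rerun around the switch in step 12; the script below is an added example, not part of the original post or SAP's tooling. It assumes a POSIX shell; the function names and the SECUDIR check are this example's own, and sapgenpse is called only with the options shown in step 9.

```shell
#!/bin/sh
# Added example: checks for a renewed SAProuter PSE directory (steps 8, 9, 12).
# The expected issuer is the value the post shows in step 9.
EXPECTED_ISSUER='CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE'

# Reads `sapgenpse get_my_name -v -n Issuer` output on stdin; succeeds only
# if the first "Issuer :" line names the new SAProuter CA exactly.
issuer_ok() {
    issuer=$(sed -n 's/^[[:space:]]*Issuer[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1)
    [ "$issuer" = "$EXPECTED_ISSUER" ]
}

# Succeeds if the credentials file exists and its mode grants nothing to
# group or other (step 8 sets it to 400).
cred_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if SECUDIR names the given directory and that directory holds
# local.pse and cred_v2. Step 4 pointed SECUDIR at the staging folder, so
# this fails after the rename in step 12 until SECUDIR is updated.
secudir_ok() {
    dir=${1%/}
    cur=${SECUDIR:-}
    [ "${cur%/}" = "$dir" ] && [ -f "$dir/local.pse" ] && [ -f "$dir/cred_v2" ]
}

# Runs every check against one directory and returns non-zero on any failure.
check_router_dir() {
    rc=0
    secudir_ok "$1" || { echo "FAIL: SECUDIR does not match $1, or PSE files are missing"; rc=1; }
    cred_private "$1/cred_v2" || { echo "FAIL: cred_v2 is missing or open to group/other"; rc=1; }
    if command -v sapgenpse >/dev/null 2>&1; then
        sapgenpse get_my_name -v -n Issuer 2>&1 | issuer_ok ||
            { echo "FAIL: certificate issuer is not the new SAProuter CA"; rc=1; }
    else
        echo "SKIP: sapgenpse not on PATH, issuer not checked"
    fi
    return $rc
}

# Usage: sh check.sh /usr/sap/saprouter2
if [ -n "${1:-}" ]; then check_router_dir "$1"; fi
```

Run it against /usr/sap/saprouter2 before the switch and against /usr/sap/saprouter afterwards, in the environment of the user that starts the saprouter.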


1 Comment


  1. Igor Taratutin

    Maybe it’s just a Windows – after renaming saprouter2 folder to saprouter I get error on test:

    C:\saprouter>sapgenpse get_my_name -v -n Issuer

    Opening PSE “C:\saprouter2\local.pse”…

    get_my_name: Couldn’t open PSE “C:\saprouter2\local.pse” (Token application not existing)

    So looks like I have to recreate PSE…

