Skip to Content

Using a self signed certificate with SAPCrypto for BI-HANA-SAML-SSO

Following the discussion at on whether to use SAPCrypto or OpenSSL for configuring HANA SSL ( a pre-requisite to BI HANA SAML SSO)  I decided to use SAPCrypto in a recent project.

Most of the instructions with SAP Crypto, I found involved getting your certificate signed by a CA. SAPCrypto itself doesn’t self-sign. For the BI-HANA SSO piece customers are usually ok with a self-signed certificate. However you should always discuss the signing options with the customer. This blog details instructions of using a self-signed certificate with SAPCrypto for configuring HANA-SSL to be used with BI-SAML-SSO.

Ling Zhu has a very detailed blog here Setup SAML SSO from BI to HANA using CommonCryptoLib or SapCryptoLib for using a certificate signed by a  CA.

Step 1 is the same as outlined in the Ling’s blog

Step 2. Create the  self-signed certificate request using SAP Crypto for use with SSL

  1. Create a new PSE and PKCS#10 certification request using the sapgenpse tool

sapgenpse gen_pse -p sapcli.pse -r sapcli.req

When asked for a PIN, leave it empty. The distinguished name of the PSE owner has to look like “CN=<your fully qualified hostname>, …”

For HEC systems use the FQDN used by the customer. You should be able to ping this from your linux terminal.

2. For signing this certificate we will use OpenSSL. Generate a root certificate using

First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key:

openssl genrsa -out ca.key 4096

If you want to password-protect this key, add option -des3.

Next, we create our self-signed root CA certificate ca.crt; you’ll need to provide an identity for your root CA:

openssl req -new -x509 -days 1826 -key ca.key -out ca.crt


The -x509 option is used for a self-signed certificate. 1826 days gives us a cert valid for 5 years.

3. Now sign your certificate request using this key and root certificate to get the PKC#7 response.

openssl x509 -req -days 1095 -in sapcli.req -sha1 -extensions usr_cert -CA ca.crt -CAkey ca.key -CAcreateserial -out sapcli.crt

This signed certificate will be valid for 3 years.

SAPCrypto expects the full certification path in the PKC#7 response – you have to append the certificate of the certification authority to the generated response

cat ca.crt >> sapcli.crt

A cat of sapcli.crt should show you two ‘begin’ and ‘end’ certificates.

4. Now we import this #PKC7 response into the  the PSE.

sapgenpse import_own_cert -p sapcli.pse -c sapcli.crt

5. Copy sapcli.pse to sapserv.pse

cp capcli.pse sapsrv.pse

6. The trust store PSE needs to contain the public X.509 certificate of the certification authority that signed your request. Add it to the PSE

sapgenpse maintain_pk -p sapsrv.pse -a ca.crt


7. Make the appropriate settings in the global.ini configuration


8. Restart HANA. Check that you are able to login to HANA studio using SSL


Follow the subsequent steps 4. from Ling’s blog here Setup SAML SSO from BI to HANA using CommonCryptoLib or SapCryptoLib 

for incorporating the BI4.1 IDP certificate


Disclaimer: The information contained in this Blog is intended solely to provide general guidance for the personal use of the reader, who accepts full responsibility for its use. Use at your own Risk. Technology is ever-changing and the Blog may not be accurate when read. In no event will SAP, or its partners, employees or agents, be liable to you or anyone else for any decision made or action taken in reliance on the information in this Blog.

Be the first to leave a comment
You must be Logged on to comment or reply to a post.