
Create SHA2 / SHA256 certificate using external tool sapgenpse for SAP JAVA system.


Make sure that the CommonCryptoLib is at least version 8.4.11, as per SAP note 1931778.

1) Create the SHA2 certificate with the command below:

     Check the SECUDIR environment setting and adjust the environment if needed.

     You can make a copy of the /usr/sap/<SID>/<INSTANCE>/sec folder.

     If needed, you can download and extract the latest SAPCRYPTOGRAPHIC library into this folder.

     set SECUDIR=/usr/sap/<SID>/<INSTANCE>/sec

     sapgenpse get_pse -a sha256WithRsaEncryption -s 2048 -p <PSEFile>.pse -noreq -x ", OU=SAP, O=ABC Technologies Ltd, L=Pune, ST=Maharashtra, C=IN"

This will generate the <PSEFile>.pse in the /sec folder.

2) Create the SSO logon for the PSE

     sapgenpse seclogin -p <PSEFile>.pse -O <sid>adm -x <password>

3) Create the certificate request for the CA signing authority

     sapgenpse export_own_cert -o <CSRFile>.csr -p <PSEFile>.pse

Send the <CSRFile>.csr file to the signing authority and note that the response is needed in Base64 .CER format.

4) Create the certificate file to be imported into Visual Admin

     sapgenpse export_own_cert -o <CRTFile>-cert.crt -p <PSEFile>.pse

     Create the private key file to be imported into Visual Admin

     sapgenpse export_p12 -p <PSEFile>.pse <PRIVKeyFile>.p12

5) Import the certificate in the Visual Administrator tool

     Start the Visual Admin Tool -> Logon as ADMINISTRATOR server -> TicketKeyStore -> service_ssl -> Load button

Import the files below using the above option:

     1) <CRTFile>-cert.crt

     2) <PRIVKeyFile>.p12

Once the private key and certificate files have been imported, continue with step 6.

6) Import the CA response directly into the Visual Admin tool

     Copy the CA response file sent by the CA, along with the root and intermediate certificates, into the /sec folder

     Start the Visual Admin tool

     Server -> KeyStorage -> service_ssl ->

     Click on Import Certificate Response -> Provide the CA response file as the file input

     Click OK

These steps import the CSR response file into the KeyStorage you have selected.

7) Now you can map the new certificate to the SSL port in Visual Admin

     Dispatcher -> SSL Provider -> select dispatcher -> click on Client Identities tab

     -> click on Add -> it will show you the certificate list -> choose your certificate and click OK

After completing the above steps, either restart the KeyStorage service and the SSL Provider service or restart the complete application.

You can now start application testing by opening the page in your browser.

You should see the lock symbol in the URL once the page has opened.

Congratulations !! You have completed the SSL certificate implementation in SAP JAVA system.
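
Before loading the step 4 files into Visual Admin, it is worth confirming that the exported certificate really carries a SHA-256 signature and a 2048-bit key, and that the .p12 is not readable by other OS users. The script below is an added example, not part of the original post; it assumes the openssl command-line tool is installed and that the exported certificate is Base64 (PEM) encoded, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumption: <CRTFile>-cert.crt from step 4 is Base64 (PEM) encoded.

# Reads the output of "openssl x509 -noout -text" on stdin. Returns 0 only
# if the signature algorithm is sha256WithRSAEncryption and the RSA key
# has at least 2048 bits, the two properties requested in step 1.
check_cert_text() {
    awk '
        /Signature Algorithm:/ && sig == "" { sig = $NF }
        /Public[- ]Key: \([0-9]+ bit\)/ {
            bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
        }
        END {
            rc = 0
            if (tolower(sig) == "sha256withrsaencryption") {
                print "OK   signature algorithm: " sig
            } else { print "FAIL signature algorithm: " sig; rc = 1 }
            if ((bits + 0) >= 2048) {
                print "OK   key size: " bits " bits"
            } else { print "FAIL key size: " (bits + 0) " bits"; rc = 1 }
            exit rc
        }'
}

# Runs the same check on a certificate file (needs the openssl CLI).
check_cert_file() {
    openssl x509 -in "$1" -noout -text | check_cert_text
}

# Returns 0 only if group and other have no permissions on the file.
# The PSE and the exported .p12 both contain the private key.
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: sh check_export.sh <CRTFile>-cert.crt <PRIVKeyFile>.p12
if [ "$#" -eq 2 ]; then
    check_cert_file "$1" || exit 1
    is_owner_only "$2" || { echo "FAIL $2: readable by group or other"; exit 1; }
    echo "OK   $2: owner-only permissions"
fi
```

Once the .p12 has been loaded into Visual Admin, the copy left in the /sec folder is a second copy of the private key and can be deleted.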


2172534 – NWA is unable to create certificates with SHA256, create them externally using sapgenpse

1622263 – SAP Release Note for LMAUTOSTD 1.0 SP03


Creating PSE for UME – Portal Security Guide – SAP Library
