Skip to Content

How to export the Private Key from a SSL PSE?

Imagine that you purchased a SSL certificate from a given CA. This certificate was imported into a SSL PSE and used for HTTPS access. In certain landscapes, the same certificate should be imported in a different server or device (e.g. a reverse proxy). In order to import the certificate into the other server/device, you also need the private key from the PSE. How to export the private key from the SSL PSE?

First of all, SAPCRYPTOLIB 5.5.5 patch level 16 or higher is required. Then you can export your PSE file to a PKCS#12 file.

The command line is: sapgenpse export_p12 –p <YOUR_PSE> <P12_FILE>

Please note that you must provide a password for the PKCS#12 file!



The next step makes use of a third party tool, openssl. With this tool we can extract both keys (private and public one).

The openssl command line is: openssl pkcs12 -in <P12_FILE> -out <OUTPUT.txt> -nodes:


The same password must be provided above.

The Private Key is now available in the block BEGIN/END RSA PRIVATE KEY, as you can see below:


Of course, I have removed my private key… 😉

You must be Logged on to comment or reply to a post.
  • Hi Cristiano Hansen,

    We have a SUSE linux server. I am having trouble exporting the private key from SSL PSE. I am unable to figure out the procedure to execute this command in linux server

    “The command line is: sapgenpse export_p12 –p <YOUR_PSE> <P12_FILE>”


    Kindly Help,



    • Hi Sasank,

      It is quite simple. In a linux box, as system administrator (SIDadm account), you can run, for example:

      sapgenpse export_p12 -p SAPSSLS.pse privatekeyfile

      You will be asked for:

      Please enter PKCS#8 encryption password:


      For verification, please reenter password:

      Later, if you list the directory content, you will find a p12 file, with your private key.

      In the example above, it generated a file called privatekeyfile.p12

      Kind regards,