Cristiano Hansen

How to export the Private Key from a SSL PSE?

Imagine that you purchased an SSL certificate from a given CA. This certificate was imported into an SSL PSE and is used for HTTPS access. In certain landscapes, the same certificate must also be installed on a different server or device (e.g. a reverse proxy). To import the certificate there, you also need the private key that lives inside the PSE. So how do you export the private key from the SSL PSE?

First of all, SAPCRYPTOLIB 5.5.5 patch level 16 or higher is required. With that version, sapgenpse can export your PSE file to a PKCS#12 file.

The command line is: sapgenpse export_p12 -p <YOUR_PSE> <P12_FILE>

Please note that you must provide a password for the PKCS#12 file! The exported file contains your private key, so treat it (and the password) accordingly.


Example: [screenshot PrivateKey1.png]


The next step uses a third-party tool, OpenSSL, to extract both the private key and the certificate (public key) from the PKCS#12 file.

The openssl command line is: openssl pkcs12 -in <P12_FILE> -out <OUTPUT.txt> -nodes

Note that -nodes writes the private key unencrypted into <OUTPUT.txt>, so keep that file well protected and delete it once the key has been imported.

[screenshot PrivateKey2.png]


The same PKCS#12 password must be entered at the prompt.

The private key is now available in <OUTPUT.txt>, in the block between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY, as you can see below:

[screenshot PrivateKey3.png]


Of course, I have removed my private key… 😉
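The two steps above (sapgenpse export, then OpenSSL extraction), as an added example that is not part of the original post: a POSIX shell script that takes the PKCS#12 file produced by sapgenpse export_p12 and uses OpenSSL to write the private key and the certificate into separate files, keeping the key encrypted on disk instead of using -nodes, and then checks that the key really belongs to the certificate by comparing the public keys. Because sapgenpse is not available here, the script builds a throw-away self-signed key and certificate and packs them into a .p12 to stand in for the PSE export; the file names, passwords, certificate subject and function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the blog post): split a PKCS#12 file, as produced
# by "sapgenpse export_p12", into a key file and a certificate file with
# openssl, keep the key encrypted instead of using -nodes, and verify that
# the key matches the certificate. All names and passwords are constructed.
set -eu

# Extract the private key as an encrypted PKCS#8 PEM (no -nodes), mode 0600.
#   $1 = input .p12, $2 = P12 password, $3 = output key file, $4 = key passphrase
extract_key() {
  ( umask 077
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts \
      -out "$3" -passout "pass:$4" )
}

# Extract only the end-entity (server) certificate, without the key.
#   $1 = input .p12, $2 = P12 password, $3 = output cert file
extract_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
}

# Print the SHA-256 of the public key (SubjectPublicKeyInfo) in a certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the SHA-256 of the public key derived from a private key.
#   $1 = key file, $2 = key passphrase
key_pubkey_fp() {
  openssl pkey -in "$1" -passin "pass:$2" -pubout \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed (exit 0) only when key and certificate carry the same public key.
#   $1 = key file, $2 = key passphrase, $3 = cert file
key_matches_cert() {
  [ "$(key_pubkey_fp "$1" "$2")" = "$(cert_pubkey_fp "$3")" ]
}

# Succeed when a PEM file holds a cleartext private key (what -nodes produces).
key_is_cleartext() {
  grep -qE '^-----BEGIN (RSA )?PRIVATE KEY-----' "$1"
}

# Build a throw-away self-signed key+cert and pack them into a .p12, standing
# in for the PSE export. Constructed demo data only.
#   $1 = working directory, $2 = P12 password
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout "$1/demo-key.pem" -out "$1/demo-cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$1/demo-cert.pem" -inkey "$1/demo-key.pem" \
    -out "$1/demo.p12" -passout "pass:$2"
}

demo() {
  work=$(mktemp -d)
  make_demo_p12 "$work" p12secret
  extract_key "$work/demo.p12" p12secret "$work/key.pem" keysecret
  extract_cert "$work/demo.p12" p12secret "$work/cert.pem"
  if key_matches_cert "$work/key.pem" keysecret "$work/cert.pem"; then
    echo "key and certificate match"
  else
    echo "key/certificate mismatch" >&2
  fi
  if key_is_cleartext "$work/key.pem"; then
    echo "WARNING: private key is stored unencrypted"
  fi
  rm -rf "$work"
}

demo
```

Writing the key and certificate with -nocerts and -clcerts saves cutting the block out of <OUTPUT.txt> by hand, and the key only ever touches disk encrypted; if the target device insists on a cleartext key, add -nodes to the first command and remove the file right after the import. Current OpenSSL releases label the key block BEGIN PRIVATE KEY (PKCS#8) or BEGIN ENCRYPTED PRIVATE KEY rather than BEGIN RSA PRIVATE KEY; openssl pkey reads all of them. The public-key comparison is the quickest way to rule out a key/certificate mismatch, which is one common cause of an import being rejected on the target system.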

      13 Comments
      Michael Lenehan

      Got me out of a hole!!! Thanks so much for sharing!

      Sasank Neeli

      Hi Cristiano Hansen,

We have a SUSE Linux server. I am having trouble exporting the private key from the SSL PSE. I am unable to figure out the procedure to execute this command on the Linux server:

"The command line is: sapgenpse export_p12 –p <YOUR_PSE> <P12_FILE>"


      Kindly Help,

      sasank

      Cristiano Hansen
      Blog Post Author

      Hi Sasank,

It is quite simple. On a Linux box, as system administrator (SIDadm account), you can run, for example:

      sapgenpse export_p12 -p SAPSSLS.pse privatekeyfile

      You will be asked for:

      Please enter PKCS#8 encryption password:

      and

      For verification, please reenter password:

      Later, if you list the directory content, you will find a p12 file, with your private key.

      In the example above, it generated a file called privatekeyfile.p12

      Kind regards,

      Cris

      Sasank Neeli

      Hi Cris,

I have attached the screenshot, please suggest. The SAP application is on SUSE Linux 12.2.

      Regards,

      Sasank

      Cristiano Hansen
      Blog Post Author

      Hi Sasank,

      Please run only sapgenpse and let me know the output.

      Regards,
      Cris

Andrés Chacón

      Hello Cristiano, thanks for this helpful blog.

      I just replicated this process in my scenario:

      I have an SAP Web Dispatcher as a proxy with a valid certificate installed, which is a wildcard SSL cert. I want to install the same certificate in an SAP ERP system, so I generated the PKCS12 file from the Web Dispatcher system, then the .txt with OpenSSL. I used the private key inside the .txt generated (just as you did) and this portal https://decoder.link/converter to join the private key and the actual certificate from CA provider, which is .p7b file to generate a new PKCS12 and install it in my SAP ERP system. However, it is not working when I upload my generated pkcs12 (which actually is a .pfx file) inside the SAP ERP system STRUST tcode. The message that STRUST throws is "Certificate response does not match PSE".

      Do you have any idea what could be happening? How do you finally install the certificate in a different system?

      Thanks in advance for your support.

      BR!

      Cristiano Hansen
      Blog Post Author

Hi Andrés,

      If you already have a PSE in the web dispatcher with the wildcard certificate, you can take this PSE and then use STRUST to open it and then save it as the SSL server Standard PSE. There is no need to export/import certificates.

      Regards,

      Cris

Andrés Chacón

      Thanks a lot, Cristiano, you the man. I just tried it with the PSE as you mentioned and works super fine!

On the other hand, I think I didn't correctly get the scenario that the steps you depict in the blog apply to.

      Anyway, sincerely thanks.

      BR.

Andrés.

      Monica Sanchez Zepeda

      Hi Cristiano,

I want to use a wildcard certificate that my PO DEV system has installed under NWA -> Infrastructure -> SSL (the CSR request was generated from here and got signed by a CA). I successfully imported this wildcard certificate into Solution Manager, S4Hana and the PO QAS system using the private key p12 file which I exported from PO DEV (from NWA) and the root certificate. The connection is secure from these systems.

      My case is inverted, how can I import this wildcard certificate into Web dispatcher?

      Regards.

      Moni

      Cristiano Hansen
      Blog Post Author

      Hi Moni,

      If you have a p12 file, then you can use sapgenpse to convert it into a PSE file, then replace the PSE in the web dispatcher:

      sapgenpse import_p12 -p SAPSSLS.pse my-p12-file.p12

Then take this new SAPSSLS.pse and replace the one you have in the "sec" directory of the web dispatcher instance.

      Regards,
      Cris

      Senthil Murugan

      Thank you Cristiano Hansen, very useful.

I followed the process mentioned by you for our ECC and web dispatcher and it worked. Now I am looking for steps to use the same cert in our SMP 3.0 server. I would appreciate it if you could provide steps for the SMP server.

      Frank Haschick

Just for the ones coming here from your favorite search page:

      If you don't have backend access to the server, you can use report RSBDCOS0 to execute this command. As this is not interactive, you have to pass the password with parameter z, so e.g.:

      sapgenpse export_p12 -p MYPSE.pse -z Test mycert.p12

Then download the cert with transaction CG3Y, and you are ready to go 🙂

      Sanjeet Pradhan

On a Linux machine, the fix for this is to type the command manually instead of copying/pasting it from Notepad. It worked for me and I laughed a little too 🙂

Please follow: 1780998 - Error: "Huh? I found 2 trailing unrecognized parameters on command line!"