How to replace the SSL server Standard PSE?
CAs around the world only sign certificate requests with a key length of 2048 bits or higher. If your PSE has a key length of 1024 bits, you cannot create such a certificate request (with 2048 bits) from it.
The solution is to replace the SSL PSE and adjust the Key Length property.
Scenario with Key Length = 1024 bits
The PSE has a key length of 1024 bits (on a system with kernel 7.20 or higher, you can view this information via STRUST):
You can also obtain the key length information using sapgenpse, with the command: sapgenpse get_my_name -p SAPSSLS.pse:
Replacing the PSE
Via STRUST, you can use the context menu and select the option “Replace”:
You need to confirm the PSE replacement:
Select the new Key Length (i.e. 2048):
Now enter the instance-specific CN for each application server you have (in the example below, only one application server exists):
Now it is possible to create the certificate request, submit it to any CA, and then import the certificate response.
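Before submitting the request, it is worth confirming that it really carries a 2048-bit key. The following is an added example, not part of the original post: it reads the RSA key length out of a PEM-encoded PKCS#10 request using only the Python standard library. It assumes the request was exported as PEM text; the sample requests it builds are constructed skeletons with a placeholder modulus and a dummy signature, not real keys, and the host name is hypothetical.

```python
import base64

MIN_BITS = 2048                                  # minimum key length named in the text
RSA_OID = bytes.fromhex("2a864886f70d010101")    # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(tag, body):                              # DER encoder, used only for the samples
    n, k = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                 # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(value):                             # split a constructed element's content
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def csr_rsa_bits(pem):
    """RSA modulus length in bits of a PEM PKCS#10 certificate request."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, request, _ = read_tlv(base64.b64decode(b64), 0)
    info = children(children(request)[0][1])     # version, subject, public key, attributes
    alg, key = children(info[2][1])
    if children(alg[1])[0][1] != RSA_OID:
        raise ValueError("not an RSA key")
    rsa_key = children(key[1][1:])[0][1]         # skip the BIT STRING unused-bits byte
    return int.from_bytes(children(rsa_key)[0][1], "big").bit_length()

def sample_csr(bits, cn="host.example.com"):
    """Constructed request skeleton: placeholder modulus, dummy signature."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa_key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa_key))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + spki + tlv(0xA0, b""))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    der = tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" * (bits // 8 + 1)))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE REQUEST-----\n"

def acceptable(pem):                             # True when the request meets the CA minimum
    return csr_rsa_bits(pem) >= MIN_BITS
```

To check a real request, pass the contents of the exported request file to acceptable().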
Scenario with Key Length = 2048 bits
As a result of the PSE replacement, it is possible to check the new key length:
SAP note 1178155 provides the steps to replace the PSE in productive environments.
SAP note 1856192 shows how to have a PSE with key length > 2048 bits.
You may also read the following blogs:
Thanks for this guide. Although it is old, I think it is still valid.
I have a general question about this PSE/Certificate topic: Replacing the PSE and creating a certificate request and importing it seems to be an easy task.
But what is the effect of this change? Could it be that connections to the SAP system do not work anymore? How can I check who or which system is using these certificates?