CAs around the world only sign certificate requests with a key length equal to (or higher than) 2048 bits. If you have a PSE with a key length of 1024 bits, you cannot create such a certificate request (with 2048 bits).

The solution is to replace the SSL PSE and adjust the Key Length property during the replacement.

Scenario with Key Length = 1024 bits

The PSE has a key length of 1024 bits (on a system with kernel 7.20 or higher, this information is available via STRUST):


Replace1.png


You can also obtain the key length information using sapgenpse, with the command: sapgenpse get_my_name -p SAPSSLS.pse:


Replace2.png


Replacing the PSE

Via STRUST, you can use the context menu and select the option “Replace”:

Replace3.png


You need to confirm the PSE replacement:

Replace4.png


Select the new Key Length (i.e. 2048):

Replace5.png


Now enter the instance-specific CN for each application server you have (in the example below, only one application server exists):

Replace6.png


Now it is possible to create the certificate request, submit it to any CA, and then import the certificate response.

Scenario with Key Length = 2048 bits

As a result of the PSE replacement, it is possible to check the new key length:

Replace7.png

More information

SAP note 1178155 provides the steps to replace the PSE in productive environments.

SAP note 1856192 shows how to have a PSE with key length > 2048 bits.

You may also read the following blogs:
