Cristiano Hansen

How to replace the SSL server Standard PSE?

CAs around the world only sign certificate requests with a key length equal to or higher than 2048 bits. If you have a PSE with a key length of 1024 bits, you cannot create such a certificate request (with 2048 bits) from it.

The solution is to replace the SSL PSE and adjust the Key Length property while doing so.

Scenario with Key Length = 1024 bits

The PSE has key length = 1024 bits (on a system with kernel 7.20 or higher, this information is available in STRUST):


Replace1.png


You can also obtain the key length information using sapgenpse, with the command: sapgenpse get_my_name -p SAPSSLS.pse:


Replace2.png


Replacing the PSE

Via STRUST, you can use the context menu and select the option “Replace”:

Replace3.png


You need to confirm the PSE replacement:

Replace4.png


Select the new Key Length (i.e. 2048):

Replace5.png


Now enter the instance-specific CN for each of your application servers (in the example below, only one application server exists):

Replace6.png


Now it is possible to create the certificate request, submit it to any CA, and then import the certificate response.
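Before submitting the request, you can confirm its key length outside the SAP system. The script below is an added example, not part of the original post and not SAP tooling: it uses openssl instead of sapgenpse and assumes the request created in STRUST has been saved to a file in PEM form. The function names and the sample requests are constructed for illustration.

```sh
#!/bin/sh
# Added example, not SAP tooling: check the key size of a PEM certificate
# request (PKCS#10) before it is sent to the CA.
MIN_BITS=2048   # minimum key length the page says CAs accept

# Print the public-key size in bits of the request in file $1.
# The pattern covers both "Public-Key:" and the older "RSA Public Key:" label.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' |
        head -n 1
}

# Return 0 if the key is long enough, 1 if too short, 2 if unreadable.
csr_check() {
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] || return 2
    [ "$bits" -ge "$MIN_BITS" ] || return 1
    return 0
}

# Constructed sample input: a throwaway request with a $1-bit key, written
# to $2. It stands in for the request exported from STRUST.
make_sample_csr() {
    openssl req -new -newkey "rsa:$1" -nodes -subj "/CN=sample.example" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo: a request from an old 1024-bit PSE next to one from the replaced PSE.
demo() {
    dir=$(mktemp -d) || return 1
    for n in 1024 2048; do
        make_sample_csr "$n" "$dir/req$n.pem"
        if csr_check "$dir/req$n.pem"; then
            verdict="ok to submit"
        else
            verdict="too short, replace the PSE first"
        fi
        echo "req$n.pem: $(csr_key_bits "$dir/req$n.pem") bits, $verdict"
    done
    rm -rf "$dir"
}
demo
```

For a real request, call csr_check with the path of the saved file and inspect the exit code: 0 means the key meets the minimum, 1 means it is too short, 2 means the file could not be parsed.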

Scenario with Key Length = 2048 bits

As a result of the PSE replacement, the new key length can be checked:

Replace7.png

More information

SAP note 1178155 provides the steps to replace the PSE in productive environments.

SAP note 1856192 shows how to have a PSE with key length > 2048 bits.

You may also read the following blogs:


      1 Comment
      Peter Trompetter

      Hello,

      thanks for this guide. Although it is old, I think it is still valid.

      I have a general question to this PSE/Certificate topic: Replacing the PSE and creating a certificate request and importing it seems to be an easy task.

      But what is the effect of this change? Could it be, that connections to the SAP system do not work anymore? How can I check, who or which system is using these certificates?

      Best regards

      Peter