Skip to Content
Technical Articles
Author's profile photo Sai Kumar Dudala

Renewal of SAP Router Certificate

Introduction-

Here in this Blog i would like to explain the complete process on How to renew SAP Router Certificate.

Main Activity

Renewing SAP Router Certificate.

 

About SAP Router

It acts as a proxy in a network connection between SAP systems, or between SAP systems and external networks. A standalone SAP program that protects your SAP network against unauthorized access .

Procedure for Renewing SAP Router

Stop Router Service.

  • Login to SAP Router Server and stop Router service.

 

Take backup of SAPROUTER files from OS level.

  • Take a backup of file in usr/sap/saprouter : Cred_v2, srcert, certreq, local.pse

Also you can take a copy of SAPRouter folder

Generating the certificate.

  • Run the following command –

“sapgenpse get_pse -v -r certreq1 -p local.pse”

to generate a certificate in OS level.

  • Enter the new PIN for PSE file two times – ******

  • Now it will ask to provide your Distinguished Name. Give DSN and press Enter.

CN=*********, OU=0000123456, OU=SAProuter, O=SAP, C=DE

  • It will create a new Certificate file “certreq” in the sap router file system.
  • Open the file ‘certreq’ and copy the content or code from that file.

  • Open Support portal and navigate to SAP Router page where your Router is configured and click on Submit CSR

 

  • Paste the copied data from here as shown below and hit on Request Certificate.

  • Copy the generated response.

  • Paste it in “srcert” file and save.

  • Now run the following command and give the PSE Pin :– ********

sapgenpse.exe import_own_cert -c srcert -p local.pse

This command will import the response that copied into “srcert” file.

  • Now run the following command to create a file “cred_v2”.

sapgenpse seclogin -p local.pse -O <saprouter user>

sapgenpse seclogin -p local.pse -O Administrator

  • Verification of the Router can be done by running following command.

sapgenpse get_my_name -v -n Issuer

 

Start SAP Router service

 

Post Verification checks.

 

Validation check in Support Portal

SAPRouter Status check

  • Run the command whether the Router is running or not.

Saprouter -l

SAPRouter Validity check

  • SAP Router Certificate Validity

sapgenpse get_my_name -n validity

 

Conclusion

This is the complete process of renewing SAP Router Certificate. Feel free to post any comments or queries related to this topic.

Assigned Tags

      13 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Dmitriy Medved
      Dmitriy Medved

      Thanks for help!

      Author's profile photo Elizabeth Rodriguez
      Elizabeth Rodriguez

      Thanks Sai Kumar, only want to add the right command if you are using the new crypto Library @256 bit of encryptation

       

      sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "Put Here your DN"

      Author's profile photo Sai Kumar Dudala
      Sai Kumar Dudala
      Blog Post Author

      Thankyou

      Author's profile photo Dinesh Babu
      Dinesh Babu

      Hello,

      Does Renewal of SAP Router certificate includes any cost.

      Author's profile photo Sai Kumar Dudala
      Sai Kumar Dudala
      Blog Post Author

      No

      Author's profile photo Ketan Sood
      Ketan Sood

      Very Helpful Blog. I can see the new certificate at the portal but after starting the SAPRouter, I can see error in dev_rout file saying own certificate has expired. Any Idea , what could be the reason of this problem ?

      Br,

      Ketan

      Author's profile photo Gujarat HRMS Cell
      Gujarat HRMS Cell

      Very nice post.

       

      Rename or delete cred_v2 file.

      Author's profile photo Jaime Rodriguez Jr
      Jaime Rodriguez Jr

      thanks for your help it's was totally useful, now the router is working properly I could not have done without this

       

      Regards

      Author's profile photo Vinod Gurnani
      Vinod Gurnani

      Thanks Sai Kumar,

      Author's profile photo Andrei Stefanescu
      Andrei Stefanescu

      Very nice document! Thank you.

      Author's profile photo Fasih Fasihuddin
      Fasih Fasihuddin

      get_pse: Distinguished name of PSE owner  what name givein

      Author's profile photo Vinit Agarwal
      Vinit Agarwal

       

      when satar saprouter service facing this issue please help

       

      saprouter.exe -r

      invalid lines in ' ./saprouttab , see 'dev_rout' nirout.cpp 11122

      Author's profile photo Gary Dunham
      Gary Dunham

      Great post this is still relevant in 2023. I did come up with one issue with the error:

      get_pse: Can't create PSE.

      It was related to the system variables not set correctly for "SECUDIR." This variable needed to be pointed the saprouter folder in C drive.