Creating arbitrary PSEs using ‘sapgenpse’ command-line tool.

Overview:

For some specific scenarios, the official product documentation explicitly asks for a PSE to be created using the ‘sapgenpse’ command-line tool. This is not a common procedure since most SAP systems already provide a dedicated program/transaction/wizard to create and maintain PSE files (e.g. transaction STRUST for NetWeaver ABAP), therefore only use this procedure when you are explicitly informed.

Requirements: 

1. CommonCryptoLib >= 8.5.x ** The latest version from the library can be downloaded from the SAP Software Download Center.

Step-by-step:

1. Let’s check the documentation for sapgenpse from the command-line. You can run ‘sapgenpse -h‘ to get the general sapgenpse documentation. As you can see below all available functions and a brief description will be displayed:
2. ‘gen_pse’ is the function that generates a new PSE file. First let’s check it’s documentation to confirm how to properly use it:
   

   As we can see the documentation is detailed, and contains multiple examples of how to execute the command.

3. Generating a PSE file will differ for each scenario, therefore be aware that the example provided below may not be suitable for your specific scenario:

   $ sapgenpse gen_pse -p <PSE file name> -a <key type, strength and signature algorithm> -x <PSE password> “DN”

   

Optional:

For some scenarios signing the PSE certificate with a valid CA will be required, the steps below will detail how to generate the certificate request and then import the CA response using sapgenpse:

1. Generating the certificate request using sapgenpse:

   $ sapgenpse gen_pse -p <PSE file name> -onlyreq -x <PSE password>

   

   The certificate request can be copied from the output and sent to the CA for signing.

2. ‘import_own_cert’ is the sapgenpse function that must be used to import the CA response in the PSE.

   a. First let’s check how the function should be used:
   $ sapgenpse import_own_cert -h

   

   b. When importing the CA signed certificate response in the PSE, make sure that the entire certificate chain is also being provided using the ‘-r’ option:
   $ sapgenpse import_own_cert -p <PSE file> -x <PSE password> -c <CA response file> -r <additional certificate file 1 (it can be used multiple times)> 

Exporting the PSE certificate can be required for some scenarios, the following command will export the certificate.

1. Function ‘export_own_cert’ should be used. Let’s check it’s documentation:
   $ sapgenpse export_own_cert -h

   

2. As described in the function documentation that are multiple options to export the PSE certificate, and depending on the specific requirements you should choose the correct option, that will probably be described in the official documentation.