SAP JAVA HTTPS Cert update with SAN entry


  • Log in as <sid>adm
  • Set the environment variable SECUDIR to point to /usr/sap/<SID>/<Instance>/sec
  • Take a backup of all files under /usr/sap/<SID>/<Instance>/sec
  • Generate a new PSE with a SAN entry
    • sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p <SID>J2eeSystemSAN.pse -k GN-dNSName:<hostname with fqdn>
    • Provide Password : *********
    • Provide Distinguished name of PSE owner : CN=<hostname with fqdn>
  • <SID>J2eeSystemSAN.pse is created and the CSR is printed to the screen. Copy it and submit it to the issuing Certificate Authority (such as Entrust) to get a response
  • Once you get the response from the CA (Certificate Authority), you may need to add the root and/or intermediate certificates as well.
  • Once the response is available, copy it to the server as <SID>JavaSSL.csr
  • Import the response (<SID>JavaSSL.csr) into the PSE
    • sapgenpse import_own_cert -c <SID>JavaSSL.csr -p <SID>J2eeSystemSAN.pse
  • To upload the certificate in NWA/Visual Admin, convert it to a p12 file
    • sapgenpse export_p12 -p <SID>J2eeSystemSAN.pse -x <PSE Password> -z <PSE Password> <SID>_SSL_<Hostname>
  • For 7.0X or lower systems (Visual Admin)
    • Load this p12 file in KeyStorage -> service_ssl; it will ask for the PSE password.
    • Add the name of the new entry created in the step above in the Server Identity tab under Dispatcher -> Services -> SSL Provider in Visual Admin
  • For systems > 7.0X (NWA)
    • Check the keystore used for SSL in NWA -> Configuration -> SSL
    • Import the p12 file in NWA -> Configuration -> Certificate & Keys -> <keystore found in above step>. Normally it will be ICM_SSL_<Instance ID>. It will ask for the password
    • Take a backup of the existing SSL private key, if any, by exporting it
    • Delete the old SSL private key if there are two keys after the import of the newly generated p12 file
    • Restart ICM
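
A check to run between receiving the CA response and the import_own_cert step, as an added example that is not part of the original post: it confirms the issued certificate actually lists the FQDN as a dNSName SAN, since the SAN requested in the CSR only helps if it appears in the response. It assumes openssl is installed and the response is a PEM certificate; the function names are hypothetical and the sample certificate is constructed.

```shell
#!/bin/sh
# Added example: check that a CSR or CA response carries the expected dNSName SAN.
# Assumes openssl is installed and the input file is PEM.

# san_dns_names KIND FILE: print each dNSName SAN entry on its own line.
# KIND is "req" for a CSR or "x509" for a certificate.
san_dns_names() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS://p'
}

# has_san KIND FILE FQDN: succeed only if FQDN is one of the dNSName entries.
# Exact, case-insensitive match; the subject CN is deliberately not consulted.
has_san() {
    san_dns_names "$1" "$2" | tr '[:upper:]' '[:lower:]' |
        grep -Fxq -- "$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')"
}

# make_sample_cert FILE CN [SAN]: constructed self-signed certificate used only
# as sample input, so the check can be tried without a real CA response.
make_sample_cert() {
    _d=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\nprompt=no\n' > "$_d/c.cnf"
    if [ -n "${3:-}" ]; then
        printf 'x509_extensions=ext\n[ext]\nsubjectAltName=%s\n' "$3" >> "$_d/c.cnf"
    fi
    printf '[dn]\nCN=%s\n' "$2" >> "$_d/c.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$_d/c.cnf" \
        -keyout "$_d/k.pem" -out "$1" 2>/dev/null
    rm -rf "$_d"
}

# Usage against the file from the procedure (placeholders as on the page):
#   has_san x509 <SID>JavaSSL.csr <hostname with fqdn> || echo "SAN missing"
```

A response delivered in another encoding (for example PKCS#7) makes the check fail rather than pass, so a failure means "inspect the file", not necessarily "SAN missing".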
