Steps to Renew SSL Standard Instance Certificate (.pfx file)
Many times we receive renewed certificate from CA/Customer in .pfx format around certificate renewal time. As SAP system won’t accept .pfx certificate directly, we first need to convert it into format accepted by SAP system. To achieve this, below are the Steps to Renew SSL Standard Instance Certificate with .pfx file.
Steps to Renew SSL Standard Instance Certificate
- First, we need to convert .pfx file to .pse file so that we can import it in STRUSTSSO2, for this we will use sapgenpse on local PC. Download and extract via https://support.sap.com/en/my-support/software-downloads.html -> Installations & Upgrades -> By Category -> SAP Cryptographic Software -> SAPCRYPTOLIB -> COMMONCRYPTOLIB 8
- Use SAPCAR to exact your file
- Put all files in same folder
- You will need Global Root certificate from CA, execute below command to convert file
# sapgenpse import_p12 -p “Path on PC\<SID>.pse” -r GlobalRoot.cer <path to .pfx file>
- Take backup of existing instance pse
- STRUSTSSO2 -> Expand SSL Server Standard -> Double Click on Instance PSE
- Double click on DN at right-hand side
- PSE -> Save As -> File (Export PSE)

- Save file as .pse
- Note that next step will overwrite the PSE, hence make sure you have backup.
- Double click on File from Left-Hand side menu

- Select the new pse generated from .pfx file, pse will be loaded in right-hand side, double click on it to verify its validity
- PSE -> Save As -> SSL Server (DEFAULT)

- On next screen Select the specific instance from drop-down, Select Radio button to keep certificate list i.e. Select No.
- Confirm on Next Screen.

- Once you select Yes, PSE will be overwritten, and this cannot be undone. Hence make sure you have backup.
- Save & them restart ICM via SMICM if new cert is not reflecting with browser check.
Reference SAP Notes : 2148457 & 1473710