Show TOC

Generating a Keystore using SAPGENPSELocate this document in the navigation structure


You use the cryptography tool SAPGENPSE to generate a keystore in which you can store a certificate. You only need this keystore for storing the root certificate of the portal Web server. It is therefore not necessary that you send the generated certificate request to your CA.


You start the cryptography tool SAPGENPSE using a prompt.

Execute the executable file sapgenpse in the directory in which you defined the environment variable SECUDIR. The cryptography tool SAPGENPSE generates the keystores and stores them in this directory.

  1. Generate a new keystore by entering the following command: sapgenpse gen_pse -p SAPSSLS.pse




    Starts the SAPGENPSE cryptography tool.


    Function of SAPGENPSE that you can use to generate a new keystore and a certificate request.

    -p SAPSSLS.pse

    You specify the file name of the keystore that contains the certificate here.

    You are now asked to give more precise specifications on the certificates that you want to generate. Proceed according to the following table:



    Please enter PIN:

    Do not enter a value. Confirm with Return.

    Please reenter PIN :

    Do not enter a value. Confirm with Return.

    get_pse: Distinguished name of PSE owner:

    Specifies the distinguished name (DN) of the certificate owner.

    Make the following entries:

    CN=myhost.mydomain, C=mycountry, S=mystate, O=mycompany, OU=mydepartment

    Example, C=DE, S=BW, O=SAP-AG, OU=TREX

  2. After you have created a keystore, you have to initialize it for use. In Windows, you must also give the <SAPSID>adm user that created during the TREX installation access permission to the keystores, since otherwise it cannot access the files. You do both things by entering the following command:

    sapgenpse seclogin -p SAPSSLS.pse -O SAPService<SAPSID>

  3. On Windows, you also have to give the user access permission to the keystore files on which the IIS (Internet Information Server) is running.

    sapgenpse seclogin -p SAPSSLS.pse -O <IIS_user>


    sapgenpse seclogin -p SAPSSLS.pse -O P78121\IUSR_SAP-DD9CE47C712

    You determine the IIS user using the Windows administration tool Internet Information Services.




    Function of SAPGENPSE that you use to initialize a new keystore for use.

    -p SAPSSLS.pse

    Specify the file name of the keystore that you want to initialize.

    -O trex_<instance_number> or IIS_user

    You use this command to give the user of the TREX instance (created during the installation) and the user on which the IIS is running access to the keystore.


You have created a keystore SAPSSLS.pse into which you can import the root certificate of the portal Web server and store it there.