Requesting Certificates

Use

You use the SAPGENPSE cryptography tool to create a client certificate request that you submit to your certification authority (CA).

Prerequisites

You have already created the keystore SAPSSLS.pse for the configuration of secure communication (HTTPS) between the TREX preprocessor and the Web server of the application using TREX (see Generating a Keystore Using SAPGENPSE).

Procedure


Start the cryptography tool SAPGENPSE from a command prompt.

Run the executable file sapgenpse in the directory to which the environment variable SECUDIR points. The cryptography tool SAPGENPSE generates the keystores and stores them in this directory.

1. Generate a request for a client certificate from your CA by entering the following:

sapgenpse gen_pse -onlyreq -p SAPSSLS.pse

Overview of Commands for SAPGENPSE

| Command | Function |
| --- | --- |
| sapgenpse | Starts the cryptography tool SAPGENPSE. |
| gen_pse | Function of SAPGENPSE that you can use to generate a new keystore and a certificate request. |
| -onlyreq | Generates a certificate request for an existing keystore. |
| -p SAPSSLS.pse | You specify the file name of the keystore that contains the client certificate here. We recommend entering the name SAPSSLS.pse for the keystore. |

2. When you have requested certificates using the keystore, you have to initialize the keystore for use. On Windows, you also have to give the user under which the IIS (Internet Information Server) is running access permission to the keystore files. You do both things by entering the following command:

sapgenpse seclogin -p SAPSSLS.pse -O <IIS_user>

Example

sapgenpse seclogin -p SAPSSLS.pse -O P78121\IUSR_SAP-DD9CE47C712

You determine the IIS user using the MS administration tool Internet Information Services.

 

| Command | Function |
| --- | --- |
| seclogin | Function of SAPGENPSE that you use to initialize a new keystore for use. |
| -p SAPSSLS.pse | Specify the path and file name of the keystore that you want to initialize. |
| -O trex_IISUSer | You use this option to give the user under which the IIS is running access to the keystore. |

Note

You can extend an expired certificate by using SAPGENPSE to send it to your CA for extension. For more information about this, see Usage of Keystores → Using SAPGENPSE to Extend Expired Certificates.

Result

You have generated the certificate request and can now send it to your CA. The administrator of the CA checks the request and then issues the actual certificate. You collect the client certificate together with the root certificate of the CA. You can now import and store the requested client and root certificates from your CA in the keystore SAPSSLS.pse.
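
A pre-flight check for the keystore directory used in the procedure above, as an added example that is not part of the SAP documentation. It assumes a POSIX host and that cred_v2 is the credential file that sapgenpse seclogin writes into SECUDIR (general SAPGENPSE behaviour, not stated on this page); the function name check_keystore is hypothetical.

```shell
#!/bin/sh
# Added example (not SAP code): check the keystore directory used above.
# Assumption: cred_v2 is the credential file "sapgenpse seclogin" writes to SECUDIR.

# check_keystore DIR [PSE_NAME]
# Prints one finding per line; returns 0 when nothing was found, 1 otherwise.
check_keystore() {
    dir=${1:-}
    pse=${2:-SAPSSLS.pse}
    rc=0

    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: SECUDIR is unset or is not a directory"
        return 1
    fi
    if [ ! -f "$dir/$pse" ]; then
        echo "FAIL: $pse not found in $dir; generate the keystore first"
        return 1
    fi
    if [ ! -f "$dir/cred_v2" ]; then
        echo "WARN: no cred_v2 in $dir; seclogin has not been run yet"
        rc=1
    fi

    # The PSE holds the private key and cred_v2 lets the named OS user open
    # it, so on a POSIX host neither file should carry group/other bits.
    for f in "$dir/$pse" "$dir/cred_v2"; do
        [ -f "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
        if [ "$perms" != "------" ]; then
            echo "FAIL: $f is accessible beyond its owner ($perms)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: report on the directory SECUDIR points to, if it is set.
if [ -n "${SECUDIR:-}" ]; then
    check_keystore "$SECUDIR" || true
fi
```

On Windows the mode-bit test does not apply; review the ACLs on the same two files instead.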

 

 
