Maintaining SAP HANA Trust Stores 
The SAP HANA trust store contains the root certificate authority (CA) that is used to sign the trusted certificates required for SSO authentication.
Prerequisites
To maintain the trust stores for SAP HANA and the SAP Web Dispatcher, you need the following libraries and utilities, which you can download from the SAP Service Marketplace (SMP):
The SAP encryption library libsapcrypto.so
The SAP trust store generation utility sapgenpse
Note
The SAP Web Dispatcher referred to here is internal to SAP HANA XS and not the SAP Web Dispatcher included in the SAP Fiori / SAP Smart Business system landscape.
Procedure
Install the SAP HANA encryption library.
Put the encryption library libsapcrypto.so in the following location on your SAP HANA server: /usr/sap/<SAPHANAInstance>/SYS/global/security/lib2.
Install the SAP HANA trust store utility.
Put the trust store utility sapgenpse in the following location on your SAP HANA server: /usr/sap/<SAPHANAInstance>/SYS/global/security/lib3.
Create the trust store files.
You need to set up several trust stores, for example, for SAP HANA and for the SAP Web Dispatcher.
Set up the SAP HANA trust store sapsrv.pse.
./sapgenpse gen_pse -p /usr/sap/<SAPHANAInstance>/HBD<InstNo>/<Hostname>/sec/sapsrv.pse
NoteDo not define a personal identification number (PIN) for the trust store (press ENTER twice when prompted for the PIN). For the Distinguished name of PSE owner type CN=<yourhostname>, where <yourhostname> is the host name of the SAP HANA server.
End of the note.Set up the SAP Web Dispatcher trust store SAPSSL.pse.
./sapgenpse gen_pse -p /usr/sap/<SAPHANAInstance>/HBD<InstNo>/<Hostname>/sec/SAPSSL.pse
Set up the trust store sapcli.pse.
./sapgenpse gen_pse -p /usr/sap/<SAPHANAInstance>/HBD<InstNo>/<Hostname>/sec/sapcli.pse
Have the trust store (.pse files) signed by a CA.
All the trust stores you create in this step are self-signed. In a productive environment, you must have the trust store files signed by a CA.