Renewing the Server's Certificate

Use

Renew the server's certificate before it expires. Once it has expired, the server can no longer communicate with its communication partners using SNC.

If you are using a trusted CA, then refer to the CA's renewal policy. If the server uses a self-signed certificate, then you must generate a new key pair and public-key certificate and maintain it in the communication partners' certificate lists as described below.

Prerequisites

  • The SAP Cryptographic Library has been installed.
  • The environment variable SECUDIR has been set to the location where the PSE is stored.
  • The PSE exists on the server.

Procedure

  1. Generate a new key pair and public-key certificate for the server (sapgenpse get_pse command).
  2. If you use a single PSE for all components, then copy the new PSE to each component's host.
  3. Otherwise, if you use individual PSEs, then you must re-exchange the public-key certificates:

    1. Export the server's certificate (sapgenpse export_own_cert command) and make it available to the communication partner's host.
    2. For each of the server's communication partners:
      1. Remove the server's expired public-key certificate from the communication partner's certificate list (sapgenpse maintain_pk command).
      2. Add the server's new public-key certificate to the communication partner's certificate list (sapgenpse maintain_pk command).
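
The individual-PSE path of the procedure (steps 1 and 3) as shell functions. This is an added example, not a script from SAP. The PSE file names, Distinguished Name, certificate file path and entry number are assumed values, and sapgenpse prompts for the PSE PIN where one is set.

```shell
#!/bin/sh
# Added example, not SAP's own script. Assumed values: PSE file names, the
# Distinguished Name, the certificate file path and the entry number.

# Prerequisites from the page: SECUDIR is set and the PSE exists.
check_prereqs() {
    [ -n "${SECUDIR:-}" ] || { echo "SECUDIR is not set" >&2; return 1; }
    [ -f "$SECUDIR/$1" ] || { echo "no PSE at $SECUDIR/$1" >&2; return 1; }
}

# Step 1, on the server: keep the expiring PSE as a backup, then generate a
# new key pair and self-signed certificate (-noreq: no certificate request).
renew_server_pse() {
    pse_name="$1"; dn="$2"
    check_prereqs "$pse_name" || return 1
    pse="$SECUDIR/$pse_name"
    [ ! -e "$pse.expired" ] || { echo "backup $pse.expired exists" >&2; return 1; }
    mv -f "$pse" "$pse.expired" || return 1
    sapgenpse get_pse -p "$pse" -noreq "$dn" || {
        mv -f "$pse.expired" "$pse"    # generation failed: restore the old PSE
        return 1
    }
}

# Step 3.1, on the server: export the new certificate to a file.
export_server_cert() {
    check_prereqs "$1" || return 1
    sapgenpse export_own_cert -o "$2" -p "$SECUDIR/$1"
}

# Step 3.2, on each communication partner: delete the expired entry by its
# number (read it from "sapgenpse maintain_pk -l" first), add the new
# certificate, then list the result for review.
replace_partner_cert() {
    pse_name="$1"; old_entry="$2"; cert="$3"
    check_prereqs "$pse_name" || return 1
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    sapgenpse maintain_pk -d "$old_entry" -p "$SECUDIR/$pse_name" &&
    sapgenpse maintain_pk -a "$cert" -p "$SECUDIR/$pse_name" &&
    sapgenpse maintain_pk -l -p "$SECUDIR/$pse_name"
}

# Usage (constructed values):
#   renew_server_pse SAPSNCS.pse "CN=server01, OU=Example, O=Example, C=DE"
#   export_server_cert SAPSNCS.pse /tmp/server01.crt
#   replace_partner_cert SAPSNCS.pse 1 /tmp/server01.crt   # on the partner host
```

The backup file still contains the old private key, so protect it like the PSE itself and delete it once all partners trust the new certificate.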

For more information on the corresponding sapgenpse commands, see: