
Requesting Certificates

Use

You use the SAPGENPSE cryptography tool to create a request for a client certificate, which you then submit to your certification authority (CA).

Prerequisites

You have already created the keystore SAPSSLS.pse for the configuration of secure communication (HTTPS) between the TREX Preprocessor and the Web Server of the Application Using TREX (see Generating a Keystore Using SAPGENPSE).

Procedure

You start the cryptography tool SAPGENPSE from a command prompt.

Run the executable file sapgenpse in the directory that you defined in the environment variable SECUDIR. The cryptography tool SAPGENPSE generates the keystores and stores them in this directory.

  1. Generate a request for a client certificate from your CA by entering the following:

    sapgenpse gen_pse -onlyreq -p SAPSSLS.pse

    Overview of Commands for SAPGENPSE

    | Command | Function |
    | --- | --- |
    | sapgenpse | Starts the SAPGENPSE cryptography tool. |
    | gen_pse | Function of SAPGENPSE that you can use to generate a new keystore and a certificate request. |
    | -onlyreq | Generates a certificate request for an existing keystore. |
    | -p SAPSSLS.pse | You specify the file name of the keystore that contains the client certificate here. We recommend entering the name SAPSSLS.pse for the keystore. |

  2. When you have requested certificates using the keystore, you have to initialize the keystore for use. On Windows, you also have to give the user under which the IIS (Internet Information Server) is running access permission to the keystore files. You do both things by entering the following command:

    sapgenpse seclogin -p SAPSSLS.pse -O <IIS_user>

    Example

    sapgenpse seclogin -p SAPSSLS.pse -O P78121\IUSR_SAP-DD9CE47C712

    You determine the IIS user using the MS administration tool Internet Information Services.

    | Command | Function |
    | --- | --- |
    | seclogin | Function of SAPGENPSE that you use to initialize a new keystore for use. |
    | -p SAPSSLS.pse | Specify the path and file name of the keystore that you want to initialize. |
    | -O <IIS_user> | You use this option to give the user under which the IIS is running access to the keystore. |

    Note

    You can extend a certificate that has expired by using SAPGENPSE to send it to your CA for extension. For more information, see Usage of Keystores: Using SAPGENPSE to Extend Expired Certificates.

Result

You have generated the certificate request and can now send it to your CA. The administrator of the CA checks the request and then issues the actual certificate. You collect the client certificate together with the root certificate of the CA. You can now import and store the requested client and root certificates from your CA in the keystore SAPSSLS.pse.
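
The keystore holds the private key, so after step 2 on Windows it is worth confirming which accounts have NTFS access to the keystore files. The following PowerShell script is an added example, not part of SAP's documentation. It assumes that the allow-list of accounts shown is appropriate for your host and that seclogin has written its credentials file cred_v2 (a file name not mentioned on this page) to SECUDIR.

```powershell
# Added example (not SAP code): list accounts with NTFS access to the keystore files.
param(
    # Account passed to "seclogin -O"; the default is the page's example value
    [string]$IisUser = 'P78121\IUSR_SAP-DD9CE47C712',
    # Assumption: other identities that may legitimately hold access on this host
    [string[]]$AlsoAllowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

if (-not $env:SECUDIR) { throw 'Environment variable SECUDIR is not set.' }

$allowed  = @($IisUser) + $AlsoAllowed
$write    = [System.Security.AccessControl.FileSystemRights]::Write
$findings = 0

# SAPSSLS.pse is the keystore; cred_v2 is the credentials file that seclogin writes
foreach ($name in 'SAPSSLS.pse', 'cred_v2') {
    $path = Join-Path $env:SECUDIR $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "Not found: $path"
        $findings++
        continue
    }
    # Only Allow entries grant access; Deny entries are ignored here
    $rules = (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }
    foreach ($rule in $rules) {
        $who = $rule.IdentityReference.Value
        if ($allowed -contains $who) { continue }
        # Write access lets an account replace the key material, so call it out
        $level = if (($rule.FileSystemRights -band $write) -eq $write) { 'WRITE' } else { 'read' }
        Write-Warning "${name}: unexpected $level access for $who ($($rule.FileSystemRights))"
        $findings++
    }
}

if ($findings -eq 0) { Write-Output 'Only the expected accounts can access the keystore files.' }
exit $findings
```

Access granted through a group appears under the group's name, so add such a group to -AlsoAllowed only after you have checked its membership.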