You use the SAPGENPSE cryptography tool to create a request for a client certificate with your certification authority (CA).
You have already created the keystore SAPSSLS.pse for the configuration of secure communication (HTTPS) between the TREX Preprocessor and the Web Server of the Application Using TREX (see Generating a Keystore Using SAPGENPSE).
You start the cryptography tool SAPGENPSE from a command prompt.
Run the sapgenpse executable in the directory that the environment variable SECUDIR points to. SAPGENPSE generates the keystores and stores them in this directory.
Generate a request for a client certificate from your CA by entering the following:
sapgenpse gen_pse -onlyreq -p SAPSSLS.pse
Overview of Commands for SAPGENPSE
Command | Function |
---|---|
sapgenpse | Starts the SAPGENPSE cryptography tool. |
gen_pse | Function of SAPGENPSE that you can use to generate a new keystore and a certificate request. |
-onlyreq | Generates a certificate request for an existing keystore. |
-p SAPSSLS.pse | You specify the file name of the keystore that contains the client certificate here. We recommend entering the name SAPSSLS.pse for the keystore. |
When you have requested certificates using the keystore, you have to initialize the keystore for use. On Windows, you also have to give the user under which the IIS (Internet Information Server) is running access permission to the keystore files. You do both things by entering the following command:
sapgenpse seclogin -p SAPSSLS.pse -O <IIS_user>
sapgenpse seclogin -p SAPSSLS.pse -O P78121\IUSR_SAP-DD9CE47C712
You determine the IIS user using the MS administration tool Internet Information Services.
Command | Function |
---|---|
seclogin | Function of SAPGENPSE that you use to initialize a new keystore for use. |
-p SAPSSLS.pse | Specify the path and file name of the keystore that you want to initialize. |
-O trex_IISUSer | You use this option to give the user under which the IIS is running access to the keystore. |
You can extend a certificate that has expired by using SAPGENPSE to send it to your CA for extension. For more information, see Usage of Keystores: Using SAPGENPSE to Extend Expired Certificates.
You have generated the certificate request and can now send it to your CA. The administrator of the CA checks the request and then issues the actual certificate. You collect the client certificate together with the root certificate of the CA. You can now import and store the requested client and root certificates from your CA in the keystore SAPSSLS.pse.
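A pre-flight check for the request step above, as an added example that is not part of the original documentation or SAP's own code. It assumes a Unix host with sapgenpse on the PATH; the function names, the return codes and the rule that the keystore must carry no group or other permission bits are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SAP's code): checks to run before
# "sapgenpse gen_pse -onlyreq -p SAPSSLS.pse".
# Assumptions: Unix host, sapgenpse on PATH, return codes chosen here.

PSE_NAME="SAPSSLS.pse"   # keystore name recommended on this page

# check_pse DIR -> 0 if DIR/SAPSSLS.pse is ready, otherwise 1..4
check_pse() {
    dir="$1"
    if [ -z "$dir" ]; then
        echo "SECUDIR is not set" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "SECUDIR is not a directory: $dir" >&2
        return 2
    fi
    pse="$dir/$PSE_NAME"
    if [ ! -f "$pse" ]; then
        echo "keystore not found: $pse" >&2
        return 3
    fi
    # The keystore holds the private key. Characters 5-10 of the mode
    # string are the group and other bits; all must be "-".
    mode=$(ls -ld "$pse" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "group/other can access $pse (mode bits: $mode)" >&2
        return 4
    fi
    return 0
}

# request_cert: run the checks, then the command from this page in SECUDIR
request_cert() {
    check_pse "$SECUDIR" || return $?
    if ! command -v sapgenpse >/dev/null 2>&1; then
        echo "sapgenpse not found on PATH" >&2
        return 5
    fi
    ( cd "$SECUDIR" && sapgenpse gen_pse -onlyreq -p "$PSE_NAME" )
}
```

Source the file and call request_cert; a non-zero return code identifies which check failed before sapgenpse was started.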