Use the command get_pse to generate the server's PSE, which includes the public and private key pair and a public-key certificate.
If you are using a trusted CA, then you can also use the get_pse command to generate a certificate request. Per default, all of the items are generated, however, you can use the options -noreq or -onlyreq to explicitly include or omit the certificate request.
For easier administration, we recommend using self-signed certificates that are not signed by a trusted CA.
If you are using a single PSE for all server components and you have already create the PSE on a different server, then copy the PSE to the appropriate location instead of creating a new one.
Use the following command line to generate a PSE. Create the server's PSE in the SECUDIR directory.
sapgenpse get_pse <additional_options> [-p <PSE_name>] [-r <cert_req_file_name>] [-x <PIN>] [DN]
Where:
Standard Options
Option | Parameter | Description | Allowed Values | Default |
---|---|---|---|---|
-p |
<PSE_name> |
Path and file name for the server's PSE |
Path description (in quotation marks, if spaces exist) |
None |
-r |
<file_name> |
File name for the certificate request |
Path description (in quotation marks, if spaces exist) |
stdout |
-x |
<PIN> |
PIN that protects the PSE |
Character string |
None |
None |
DN |
Distinguished Name for the server The Distinguished Name is used to build the server's SNC name. |
Character string (in quotation marks, if spaces exist) |
None |
The Distinguished Name consists of the following elements:
For example, for the application server for system ABC where <SID> is defined as the Common Name, Test as the Organizational Unit, MyCompany as the Organization, and DE (Germany) as the country, the Distinguished Name is:
CN=ABC, OU=Test, O=MyCompany, C=DE
Additional Options
Option | Parameter | Description | Allowed Values | Default |
---|---|---|---|---|
-s |
<key_len> |
Key length |
512, 1024, 2048 |
1024 |
-a |
<algorithm> |
Algorithm used |
RSA, DSA |
RSA |
-noreq |
None |
Only generate a key pair and PSE. Do not generate a certificate request. |
Not applicable |
Not set |
-onlyreq |
None |
Generate a certificate request for the public key stored in the PSE specified by the -p parameter. |
Not applicable |
Not set |
Generating a PSE and Self-Signed Certificate for the Application Server
The following command line generates a PSE for the application server (<SID> = ABC) containing a self-signed certificate. No certificate request is needed. The PSE is to be located at D:\usr\sap\ABC\DVEBMGS28\sec\ABC.pse. The PIN that protects the PSE is abcpin. The server's Distinguished Name is CN=ABC, OU=Test, O=MyCompany, C=DE.
sapgenpse get_pse -p D:\usr\sap\ABC\ DVEBMGS28\sec\ABC.pse -noreq -x abcpin "CN=ABC, OU=Test, O=MyCompany, C=DE"
The server's PSE is created in the directory you specified.
Check the contents of the directory at the operating system level to make sure the PSE was created in the correct location before proceeding with the next step.