Show TOC

Requesting CertificatesLocate this document in the navigation structure


You use the SAPGENPSE cryptography tool to create a request for a client certificate with your certification authority (CA).


You have already created the keystore SAPSSLS.pse for the configuration of secure communication (HTTPS) between theTREX preprocessor and the Web server of the application using TREX (seeGenerating a Keystore Using SAPGENPSE).


You start the cryptography tool SAPGENPSE using a prompt.

Execute the executable file sapgenpse in the directory in which you defined the environment variable SECUDIR. The cryptography tool SAPGENPSE generates the keystores and stores them in this directory.

  1. Generate a request for a client certificate from your CA by entering the following:

    sapgenpse gen_pse-onlyreq -p SAPSSLS.pse

    Overview of Commands for SAPGENPSE

    Command Function


    Starts the cryptography tool SAPGENPSE.


    Function of SAPGENPSE that you can use to generate a new keystore and a certificate request.


    Generates a certificate request for an existing keystore.

    - p SAPSSLS.pse

    You specify the file name of the keystore that contains the client certificate here. We recommend entering the nameSAPSSLS.pse for the keystore.

  2. When you have requested certificates using the keystore, you have to initialize the keystore for use. On Windows, you also have to give the user access permission to the keystore files on which the IIS (Internet Information Server) is running. You do both things by entering the following command:

    sapgenpse seclogin -p SAPSSLS.pse -O <IIS_user>


    sapgenpse seclogin -p SAPSSLS.pse -O P78121\IUSR_SAP-DD9CE47C712

    You determine the IIS user using the MS administration tool Internet Information Services.

    Command Function


    Function of SAPGENPSE that you use to initialize a new keystore for use.

    -p SAPSSLS.pse

    Specify the path and file name of the keystore that you want to initialize.

    -O trex_IISUSer

    You use this command to give the user on which the IIS is running access to the keystore.


    You can extend a certificate that has expired by using SAPGENPSE to send it to your CA for extending. For more information about this, seeUsage of Keystores → Using SAPGENPSE to Extend Expired Certificates.


You have generated the certificate request and can now send it to your CA. The administrator of the CA checks the request and then issues the actual certificate. You collect the client certificate together with the root certificate of the CA. You can now import and store the requested client and root certificates from your CA in the keystoreSAPSSLS.pse.