
Creating or Replacing a PSE


Use the procedure below to create or replace a PSE. For example, you may have to replace a PSE when the public-key certificate contained in the PSE is about to expire.


We recommend using the report SSFALRTEXP to automatically receive a system log message and alert in CCMS for certificates contained in the various PSEs that are about to expire. Alternatively, we also provide the report SSF_ALERTCERT_EXPIRE that you can use manually or plan as a background job. For more information, see SAP Note 572035.


You know the syntax for the server's Distinguished Name (DN). For more information, see the tables below.

Distinguished Name Parts

DN Part




Common Name



Organizational Unit (optional)

Department name



Company name




Germany: DE


Requirements for the Server's Distinguished Name per PSE Type



System PSE

Default Distinguished Name: CN=<SID>

If no system PSE exists when the application server is started, then the system automatically creates the public-key certificate for the system PSE using the Distinguished Name CN=<SID>. If you replace this PSE, you can freely choose the new Distinguished Name.


SNC PSE

The Distinguished Name must correspond to snc/identity/as

The Distinguished Name used for the SNC PSE's public-key certificate must match the Distinguished Name part of the server's SNC name (without the p:), which is specified in the application server's profile parameter snc/identity/as.

SSL Server PSE

CN part of Distinguished Name: CN=<fully_qualified_host_name>

The Common Name (CN) part of the Distinguished Name for the SSL server PSE's public-key certificate must correspond to the fully qualified host name that users will use to access the application server, for example,

Anonymous SSL Client PSE

Distinguished Name: CN=anonymous

The system automatically uses the Distinguished Name CN=anonymous for the anonymous SSL client PSE's public-key certificate. You cannot change this name. In addition, the application server cannot use this identity to authenticate itself.

Standard and Individual SSL Client PSEs

Distinguished Name: No special requirements

You can freely choose the Distinguished Name for the public-key certificates stored in the standard and the individual SSL client PSEs.


When Using the SAP CA

Also, if you use the SAP CA as the issuing CA for any of the above PSEs, then the rest of the Distinguished Name (not the CN part) must be:

OU=I<customer_number>-<company_name>, OU=SAP Web Application Server, O=SAP Trust Community, C=DE

For the first OU (Organizational Unit) part, you specify your customer number only. The SAP CA automatically extends the OU part to include your company name.


From the Trust Manager screen:


1. Select the desired PSE node.

2. Using the context menu, choose Create (if no PSE exists) or Replace.

   The <Create/Replace> PSE dialog appears.

3. Enter the components of the system's Distinguished Name in the corresponding fields. If you use a reference to a CA name space, the system automatically includes those components of the CA's Distinguished Name in the newly generated name. See the table and examples below.

4. Choose Enter.


If you are creating an SSL server PSE, then the system generates a default system-wide Distinguished Name and provides you with a list of possible server-specific names. For each application server, you can then choose either the server-specific Distinguished Name or the system-wide name. For more information, see Creating the SSL Server PSE.

Distinguished Name Parts


DN Part






For example, <SID>.

Org. (opt.)



For example, the department name. Input is optional. Default=<installation_number>.






If you use a reference to a CA name space, the system uses the input for this field as an additional OU part. Otherwise, it uses this entry for the O part.

The default entry is the OU part when using the SAP CA: SAP Web Application Server.


Use the toggle function to activate or deactivate the reference to a CA name space.




Input is only available if you do not use a reference to a CA name space.


Not applicable


Input is available if you use a reference to a CA.

Enter the CA's name space. The default entry is the name space for the SAP CA (O=SAP Trust Community, C=DE).

The server or system's Distinguished Name is then generated using this extension. See the examples below.


Example 1: Reference to the SAP CA Name Space

The following example uses the input provided and a reference to the SAP CA name space:

        Name = MY1

        Org. (opt.) = I0120007965 (default)

        Company = SAP Web Application Server (default)

        CA Reference = O=SAP Trust Community, C=DE  (default)

The trust manager then generates a public-key certificate with the Distinguished Name CN=MY1, OU=I0120007965, OU=SAP Web Application Server, O=SAP Trust Community, C=DE.

Example 2: No reference to a CA Name Space

The following example does not use a reference to a CA name space.


        Name = MY1

        Company = MyCompany

        Country = US

The Distinguished Name is then CN=MY1, O=MyCompany, C=US.
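The following sketch is an added example, not SAP code. It composes a Distinguished Name from the dialog fields as Examples 1 and 2 describe and checks a DN against the per-PSE-type requirements listed above. The function names, the PSE type labels and the host name host1.example.com are assumptions made for illustration, as is placing Org. (opt.) as an OU part when no CA reference is used; DNs are assumed to contain no escaped commas.

```python
# Added illustration, not SAP code. Assumes simple DNs without escaped commas.

def build_dn(name, company, org=None, country=None, ca_namespace=None):
    """Compose a DN from the Create/Replace PSE dialog fields."""
    parts = [f"CN={name}"]
    if org:
        parts.append(f"OU={org}")        # Org. (opt.) becomes an OU part (assumption without CA ref)
    if ca_namespace:
        parts.append(f"OU={company}")    # with a CA reference, Company is an additional OU part
        parts.append(ca_namespace)       # e.g. "O=SAP Trust Community, C=DE"
    else:
        if not country:
            raise ValueError("Country is required without a CA name space reference")
        parts.append(f"O={company}")     # without a CA reference, Company is the O part
        parts.append(f"C={country}")
    return ", ".join(parts)

def normalize(dn):
    """Split a DN into (TYPE, value) pairs, ignoring spacing and type case."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def check_pse_dn(pse_type, dn, snc_identity=None, fqdn=None):
    """Return the list of DN requirements that dn violates for this PSE type."""
    rdns = normalize(dn)
    cn = next((v for a, v in rdns if a == "CN"), None)
    problems = []
    if pse_type == "snc":
        # snc/identity/as holds the SNC name, p:<DN>; compare the DN part only
        if not snc_identity or not snc_identity.startswith("p:"):
            problems.append("snc/identity/as must be given in the form p:<DN>")
        elif normalize(snc_identity[2:]) != rdns:
            problems.append("DN does not match snc/identity/as without the p:")
    elif pse_type == "ssl_server":
        if not fqdn or cn is None or cn.lower() != fqdn.lower():
            problems.append("CN is not the fully qualified host name")
    elif pse_type == "ssl_client_anonymous":
        if rdns != [("CN", "anonymous")]:
            problems.append("DN must be exactly CN=anonymous")
    # System PSE and standard/individual SSL client PSEs: name is freely chosen
    return problems

if __name__ == "__main__":
    dn = build_dn("MY1", "MyCompany", country="US")
    print(dn, check_pse_dn("ssl_server", dn, fqdn="host1.example.com"))
```

Running the check before replacing an SNC or SSL server PSE catches a name mismatch before the new certificate is sent to a CA for signing.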


The system creates a new public and private key pair and self-signed public-key certificate that are stored in the PSE. If the PSE is stored in the database and should be distributed, then the system automatically distributes the PSE to the individual application servers.

