How to install Intranet SSL Certificate on SAP Server ?

Downloading and Installing the SAPGENPSE Cryptography Tool

Download the SAPGENPSE Cryptography tool that is part of the SAP Cryptographic Library in the SAP Service Marketplace and install it.

On the Data Integration Service machine, download the latest available patch for the SAPGENPSE tool based on the operating system.

At the command prompt, navigate to the directory that contains the SAPCAR.EXE file and the SAPCRYPTOLIB_*.SAR file.

Extract the SAR file. For example, enter the following command at the command prompt:

sapcar.exe -xvf SAPCRYPTOLIB_39-10010895.SAR

The SAPGENPSE files are extracted to the nt-x86_64 directory within the current directory.

Then rename following 2 files:

"SecureNT Intranet Root CA.cer" --> SecureNT_Intranet_Root_CA.cer
"SecureNT Intranet Intermediate CA.cer" --> SecureNT_Intranet_Intermediate_CA.cer

Following commands will install the Intranet SSL on the SAP server.

sapgenpse import_12 -p /usr/sap/ssl/SAPSSLS.pse -r SecureNT_Intranet_Root_CA.cer -r SecureNT_Intranet_Intermediate_CA.cer /usr/sap/ssl/server.pfx

setenv SECUDIR /usr/sap/WS4/W00/sec/

sapgenpse seclogin -p SAPSSLS.pse

Breakdown:

-p SAPSSLS.pse: Specifies the name of the PSE file, in this case, SAPSSLS.pse.

-r RootCA.cer: This imports the Root Certificate Authority (CA) certificate into the PSE.

-r IntermediateCA.cer: This imports the Intermediate CA certificate, which can act as a bridge between the Root CA and the end entity certificate.

server.pfx: This file contains the actual SSL certificate in PFX format, which is a combination of a private key and the issued certificate.

Key Point: The -r option is used multiple times to specify certificates that are being imported into the SAP Personal Security Environment (PSE). In this case, the Root CA and Intermediate CA certificates.

How to install SecureNT CA certificates on SAP Basis ABAP

1. Execute the tcode: Strust. You will see "Trust Manager: Display"
2. Click on "Change" mode located on top left corner. You will see "Trust Manager: Change"
3. Goto the certificate section and double click on it.
4. Select "SSL Client SSL Client (Standard)". Press Right Click and select "Create".
5. Click on "Import Certificate" (It's located on bottom left. First icon)
6. In the Import Certificate dialog box specify the associated file name from the file system. The CA certificates are "SecureNT Intranet Root CA.cer" and "SecureNT Intranet Intermediate CA.cer"
7. Select the CA certificates one by one. And click on Open button.
8. You should see the certificate displayed in the certificate section. Click on "Add to Certificate List" and Save the CA certificate. Repeat it for the second CA certificate.
9. The CA certificates will get added to the certificate list in the PSE maintenance section.
10. Click "Save" button located on top (floppy disk).
11. Restart the server "stopsap"