New SAP Root CA — Change SAPRouter certificate

Since 2015–04–15 SAP has had a new Root CA in place. If you don’t want your support connection to be broken when you need it, update your SAPRouter certificates as soon as possible! Here are the milestone dates:

  • 2015–04–15: New certificates will be published from the new CA.
  • 2015–07–18: After this date, old certificates will no longer work because SAP will disable the old CA.

SAP recommends using the latest SAPRouter and Common Cryptolib files for updating your certificates.

You can find all of the needed software components as usual in the SAP Download Center.

For SAPRouter select the following: S -> SAPRouter -> 7.42 -> Your OS -> download SAR file.

For Common Cryptolib use this path: S -> SAPCryptolib -> Commoncryptolib 8 -> Your OS -> Download the latest SAR file.

If you have an old version of SAPCAR on your SAPRouter, you have to go to: S -> SAPCAR -> SAPCAR 7.21 -> Your OS -> Download the latest SAR file and rename it to SAPCAR.

We are assuming that you are updating an existing SAPRouter. Back up your existing installation! The location is usually \usr\sap\saprouter. Afterwards, stop the service; otherwise you won’t be able to replace the open files!

Copy the downloaded files into your SAPRouter directory and extract them: SAPCAR -xvf "*.SAR". The next steps will only be successful if you have set the following environment variables:

  • Unix: SECUDIR = SNC_LIB = /
  • Windows NT, 2000, XP or higher: SECUDIR = SNC_LIB = :\sapcrypto.dll

If the DN of your SAPRouter is unknown, you can check it here.

Now you can create the certificate request:

sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "CN=BEISPIEL, OU=0000123456, OU=SAProuter, O=SAP, C=DE"

During this step, sapgenpse asks you for a new PSE PIN. Make sure to document it and use a strong password!

Afterwards you can open the request file with your favorite editor and request your certificate. Use the correct router if you have more than one! In the lower area you can paste the content of the generated request file.

In the next window you will find the completed request. Copy and paste it into a new file called “cert_answer” in your SAPRouter directory.

In the next step you can import the certificate into the PSE:

sapgenpse import_own_cert -c cert_answer -p local.pse

In order to manage the PSE without having to enter the PIN every time, you can create a password file:

sapgenpse seclogin -p local.pse -O

Afterwards we check the content of the PSE:

sapgenpse get_my_name -v -n Issuer

After 2015–04–15 it has to look like this:

CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE

Before SAP disables the old root CA, you have to import the old root certificate into your PSE. You can find that in SAP Note 2131531.

Place the DER file into your SAPRouter directory and import it into your PSE:

sapgenpse maintain_pk -a smprootca.der -p local.pse

You can check the import afterwards with sapgenpse maintain_pk -l -p local.pse.

HINT: sapgenpse maintain_pk shows the validity dates of the certificates and the root CAs.
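
As an added example (not part of the original post and not SAP tooling), this POSIX shell script for a Unix SAPRouter host checks that SECUDIR and SNC_LIB are set and point at something that exists before sapgenpse is run, and afterwards confirms that the PSE certificate was issued by the new CA named above. The function names, and the assumption that the issuer DN appears on a single line of the sapgenpse output, belong to this example.

```shell
#!/bin/sh
# Added example (not from the original post): checks around the sapgenpse steps.
# Issuer DN the post expects after 2015-04-15.
NEW_ISSUER='CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE'

# Check the two environment variables sapgenpse depends on.
# Prints one line per problem; the return code is the number of problems.
check_env() {
    problems=0
    if [ -z "${SECUDIR:-}" ]; then
        echo "SECUDIR is not set"; problems=$((problems + 1))
    elif [ ! -d "$SECUDIR" ]; then
        echo "SECUDIR is not a directory: $SECUDIR"; problems=$((problems + 1))
    fi
    if [ -z "${SNC_LIB:-}" ]; then
        echo "SNC_LIB is not set"; problems=$((problems + 1))
    elif [ ! -f "$SNC_LIB" ]; then
        echo "SNC_LIB does not point to a file: $SNC_LIB"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Strip whitespace around "," and "=" so DNs that differ only in spacing compare equal.
normalise_dn() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*\([,=]\)[[:space:]]*/\1/g' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Reads the output of "sapgenpse get_my_name -v -n Issuer" on stdin.
# Assumption: the issuer DN appears on a single line; the rest of the
# output layout is not relied on. Returns 0 only if the new CA is the issuer.
issuer_is_new_ca() {
    want=$(normalise_dn "$NEW_ISSUER")
    while IFS= read -r line || [ -n "$line" ]; do
        case "$(normalise_dn "$line")" in
            *"$want"*) return 0 ;;
        esac
    done
    return 1
}

# Usage on the SAPRouter host:
#   check_env && sapgenpse get_my_name -v -n Issuer | issuer_is_new_ca
```

A non-zero result from issuer_is_new_ca after the import means the PSE still holds a certificate from another issuer and the request and import steps need to be repeated.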

Still having trouble? We’re glad to help! 


Stefan Thomann

Stefan Thomann is ALM enthusiast and agile Methodology and Focused Build Tool Coach. His special topics are the requirements-to-deploy process (Focused Build, process management, test management) and reporting (e.g. with Focused Insights) between process and technology. Stefan is also the founder of blueworks and managing director of blueworks AG and studied Business Informatics.
