How to Generate a CSR on the SAP Server?


To secure SAP systems with an SSL/TLS certificate, you must have a Certificate Signing Request (CSR). In SAP environments, CSRs are created using a Personal Security Environment (PSE).

There are two ways to generate a CSR in SAP Systems – via the SAP GUI using Trust Manager (STRUST) or via Command Line Interface (CLI) using the sapgenpse utility from the SAP CommonCryptoLib.

This document describes both procedures in a simple-to-follow layout for the administrator.

Prerequisites

You must have the following items ready before starting to create a CSR:

  • You must have an already operational SAP System (ABAP Stack)
  • You must have the SAP GUI installed (If generating CSR via STRUST)
  • You need to have SAP CommonCryptoLib installed (If generating CSR via Command Line Interface)
  • You must have administrative access to SAP and the Security Directory at the OS level
  • You require an FQDN (Fully Qualified Domain Name) of your SAP System (SAP Server)
  • You must have permissions to create/recreate the PSE
  • The administrator and Command Line Interface operator need to have a basic understanding of how to use SAP.

CSR Creation Steps on SAP

Method 1: ABAP Method — STRUST (Trust Manager)

  • Open the Trust Manager by running transaction STRUST in SAP GUI.
  • In the left navigation tree, select SSL Server PSE.
  • Choose the PSE you actually use:
    • SSL server Standard (system-wide)
    • Or an instance-specific server PSE
  • If no PSE exists or you need to replace it:
    • Right-click the PSE
    • Select Create or Replace
  • In the Create/Replace PSE screen, enter your Subject (Distinguished Name) details:
    • C (Country): Two-letter country code (e.g., US)
    • S / SP (State/Province): Full state or province name (e.g., Georgia)
    • L (Locality/City): City name (e.g., Atlanta)
    • O (Organization): Legal company name (e.g., Your Company LLC)
    • OU (Organizational Unit): Deprecated; leave blank or enter NA
    • CN (Common Name): Exact hostname (FQDN) or wildcard (e.g., *.yourdomain.com)

  • With the PSE selected, choose Create Certificate Request.
  • Copy the CSR text displayed or save it to a file.
  • Use this CSR when submitting your SSL certificate order to a Certificate Authority (CA).

Note on SANs (Subject Alternative Names):

Modern clients use SANs to validate hostnames instead of relying on the Common Name alone. Some versions of SAP do not present a SAN field when setting up certificates in STRUST; newer stacks, however, provide a Replacement Wizard (see Note 2414090) with a SAN option.

If you are unable to create certificates using the Replacement Wizard due to your interface, you can follow the command-line procedures outlined below.

Method 2: Command-Line Method — sapgenpse (Explicit SANs)

Use this method when you must guarantee SANs in the CSR or when your SAP UI does not provide a SAN field.

Requirements:

  • SAP CommonCryptoLib version 8.4.42 or later
  • Environment variables (such as SECUDIR) configured for your platform

Example: Create or Refresh a PSE and Generate a CSR with SANs

sapgenpse get_pse -p SAPSSLS.pse -x <PIN> \
-a sha256WithRsaEncryption -s 2048 \
-k GN-dNSName:example.com -k GN-dNSName:www.yourdomain.com \
"CN=example.com, OU=NA, O=Your Company LLC, L=Atlanta, SP=Georgia, C=US" \
-r server.csr

Key points:

  • -p SAPSSLS.pse specifies the PSE file
  • -x <PIN> supplies the PIN that protects the PSE (<PIN> is a placeholder for your own value)
  • -s 2048 sets a secure RSA key size
  • -k GN-dNSName: entries define SAN values
  • The quoted string defines the Subject DN
  • -r server.csr outputs the CSR file

After running the command:

  • Open server.csr in a text editor
  • Copy everything between:

    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----

  • Paste the CSR into your SSL certificate order or validation form
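
Before the CSR goes into the order form, the settings from the command above (SANs, key size, signature hash) can be confirmed in the file itself. The script below is an added example, not part of the original article or of SAP's tooling; it assumes OpenSSL 1.1.1 or later on the workstation and that server.csr is the PEM file written by -r. The function names and the openssl-generated sample CSR are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a CSR before it is sent to the CA.
# usage: check_csr <csr-file> <expected-dns-name>...
check_csr() {
    csr=$1; shift
    rc=0
    # 1. Self-signature: proves the request was signed by the key held in
    #    the PSE and was not truncated or altered while being copied.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: $csr does not parse or its self-signature is invalid"; return 1
    fi
    text=$(openssl req -in "$csr" -noout -text) || return 1
    # 2. Key size (the -s 2048 option).
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: key is ${bits:-unknown} bits, expected at least 2048"; rc=1
    fi
    # 3. Signature hash (the -a sha256WithRsaEncryption option).
    if ! printf '%s\n' "$text" | grep -qi 'Signature Algorithm: sha256WithRSA'; then
        echo "FAIL: request is not signed with SHA-256/RSA"; rc=1
    fi
    # 4. Every expected hostname must be a dNSName SAN (the -k options).
    sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^,[:space:]]*' || true)
    for host in "$@"; do
        if ! printf '%s\n' "$sans" | grep -Fxq "DNS:$host"; then
            echo "FAIL: missing SAN dNSName $host"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $csr ($bits-bit key, SHA-256, all SANs present)"
    return "$rc"
}

# Constructed sample input: a throwaway CSR made with openssl, standing in
# for the server.csr that sapgenpse writes.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1.key" -out "$1" \
        -subj "/C=US/ST=Georgia/L=Atlanta/O=Your Company LLC/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null
}

if [ "$#" -ge 1 ]; then
    check_csr "$@"               # e.g. sh check_csr.sh server.csr example.com
else
    tmp=$(mktemp -d)
    make_sample_csr "$tmp/server.csr"
    check_csr "$tmp/server.csr" example.com www.example.com
    rm -rf "$tmp"
fi
```

Pass every hostname that clients will use to reach the system; a name that is missing from the SAN list is reported before the CA ever sees the request.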

Conclusion

Creating a CSR (Certificate Signing Request) using SAP is one of the first steps in securing your SAP environment with SSL or TLS encryption.

Whether you generate the CSR in the SAP GUI (STRUST), for a single PSE or several, or with the sapgenpse tool, the CSR is what allows a trusted Certificate Authority to validate your server's identity; the issued certificate is then imported into the correct PSE.

Next Step: How to Install an SSL on SAP Application Server?

After your CSR has been successfully generated and your certificate imported into the appropriate PSE, enabling HTTPS will allow you to protect the integrity and confidentiality of your data in transit and comply with recent security standards.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast with 7+ years of experience and knowledge of Encryption, Digital Certificates and Online Security. She helps online users stay safe and protect their online presence. Explore SSL Errors, Installation Guide and Security Tutorials for Safe Browsing and Web Security Experience.