SSL  Certificate replacement


SSL  Certificate replacement.

Generate the self-signed certificate and the request.

Generate the new .CSR.

.csr =  Certificate Signing request

Go to the location on sec file. And make a copy of the folder sec.

cd /usr/sap/SID/DVEBMGS/


To see the folders inside, press command “ll”

Make a copy of sec folder:

Next, go in the sec folder:


The folder NewCert move it in the NewCert_2016, we do this step to have a backup of this file, because we will do a new one with the same name.


Next make the new folder NewCert:


It is possible that you will  need to change the ownership and the mod type for the NewCert folder. (chmod, chown).

Next we switch  with SIDADM and we will go in the same location. To see the location first press “pwd”.

Copy the location (double click on it).


Next do the pwd to see the location and copy it.

To generate the the self-signed certificate and the request, you need to press the next command:

sapgenpse gen_pse –p  /”Location”/SID.pse -a sha256WithRsaEncryption -r /Location”/SID-Req.csr -s 2048


sapgenpse gen_pse –p  /data/SID_sap/sap/SID/DVEBMGS00/sec/NewCert/SID.pse -a sha256WithRsaEncryption -r /data/SID_sap/sap/SID/DVEBMGS00/sec/NewCert/SID-Req.csr -s 2048

After you have executed the command, you will need to put the PSE password, two times. But in my case I just press enter, because I do not want to put any password/pin.

Next it’s asking for the PSE owner:

Here you enter the SNC name of the system., C=RO, O=WISH, OU=ABC


Next, if you press “ll” in the NewCert location, you will see that the .pse and .csr were generated.

With WinSCP, you need to copy from the OS level, on your computer:

Put the location from the os level with copy-paste in the WinSCP.

SID-Req.csr make a zip and send the request to the responsible.

Wait the files to be sent back with the new certificate.

Step 2 ….soon.

Thank you.

Leave a comment