Former Member

how to generate Server_Cert.pem and CA_Cert.pem

Hello SCN Community:

I have generated these two files on my HANA server:

  • Key: Server_Key.key
  • CSR: Server_Req.csr

The CSR needs to be sent to the CA, which in turn will give me a signed certificate (Server_Cert.pem) and their Root CA Certificate (CA_Cert.pem). But I am stuck here; I do not know how to generate these two files.

From the Linux terminal I issued these commands:

hdbadm@hdb11:/usr/sap/HDB/HDB00>openssl x509 -inform der -in CA_Cert.cer -out CA_Cert.pem

Error opening Certificate CA_Cert.cer
139661050246800:error:02001002:system library:fopen:No such file or directory:bss_file.
139661050246800:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:409:unable to load certificate

I cannot generate Server_Cert.pem or CA_Cert.pem

Please can You share any ideas as to how to generate these two files…

Thank You Very Much!!


1 Answer

  • Oct 20, 2017 at 10:05 AM

    Hello Martino,

    I advise using the sapgenpse tool, which is available in the SAP crypto library for your platform.

    Here is the process of getting the certificates installed in the SAP HANA server:

    1. Create CSR from /usr/sap/<SAPSID>/SYS/global/security/lib directory

    ./sapgenpse get_pse -p SAPSSL.pse -x <PIN> -r SAPSSL.req "CN=<webdisp>, OU=<org_unit>, O=<company>, C=<country>"

    2. This creates 2 files: SAPSSL.req in /usr/sap/SID/SYS/global/security/lib and SAPSSL.pse in /usr/sap/SID/HDB<instance_nr>/<hostname>/sec/

    3. Copy the contents of the file SAPSSL.req and send it to the CA for signing

    4. Paste the content of the signed certificate into the SAPSSL.cer file in /usr/sap/<SAPSID>/HDB<instance_nr>/<hostname>/sec/

    5. Along with the signed certificate, the CA authority will send you the Root & Intermediate certificates as well

    6. Change the files' owner to sidadm:sapsys

    7. Import the certificate using command ./sapgenpse import_own_cert -c SAPSSL.cer -p SAPSSL.pse -x <PIN> -r <Root Cert> -r <Intermediate Cert>

    8. Create a credentials file for the PSE - ./sapgenpse seclogin -p SAPSSL.pse -x <PIN> -O <SAPSID>adm

    9. Change the permissions of the cred_v2 file to 600

    10. Restart the Web Dispatcher with the command sapcontrol -nr <instanceNr> -function SendSignal <pid> <signal>

    Review the Web Dispatcher logs after the restart to check whether SSL is ready.
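
Once the CA has answered the CSR, the returned files can be checked before anything is imported. The script below is an added example, not part of the original thread: it converts a DER `.cer` to PEM, confirms the certificate carries the same public key as Server_Key.key and Server_Req.csr, and verifies it against CA_Cert.pem. The throwaway CA and the host name hana.example.test in `demo` are constructed for illustration, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (constructed data). File names follow the question.

# to_pem <in> <out>: write a PEM copy of a certificate delivered as PEM or DER.
to_pem() {
  [ -r "$1" ] || { echo "no such file: $1 (has the CA returned it yet?)" >&2; return 2; }
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    openssl x509 -in "$1" -out "$2"
  else
    openssl x509 -inform der -in "$1" -out "$2"
  fi
}

# pub_fp key|csr|cert <file>: SHA-256 over the PEM public key held in the file.
pub_fp() {
  case "$1" in
    key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$pub" ] || return 1          # unreadable input must not hash as "empty"
  printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# check_issued <key> <csr> <cert.pem> <ca.pem>
check_issued() {
  k=$(pub_fp key "$1") && r=$(pub_fp csr "$2") && c=$(pub_fp cert "$3") || return 1
  [ "$k" = "$r" ] && [ "$k" = "$c" ] || { echo "certificate does not match key/CSR" >&2; return 1; }
  openssl verify -CAfile "$4" "$3" >/dev/null 2>&1 || { echo "does not verify against $4" >&2; return 1; }
}

# demo: a throwaway CA and server key stand in for the real CA and HANA host.
demo() {
  d=$(mktemp -d) || return 1
  ( cd "$d" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
      -keyout ca.key -out CA_Cert.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=hana.example.test" \
      -keyout Server_Key.key -out Server_Req.csr 2>/dev/null
    openssl x509 -req -in Server_Req.csr -CA CA_Cert.pem -CAkey ca.key -CAcreateserial \
      -days 1 -outform der -out Server_Cert.cer 2>/dev/null
    to_pem Server_Cert.cer Server_Cert.pem &&
      check_issued Server_Key.key Server_Req.csr Server_Cert.pem CA_Cert.pem )
  rc=$?; rm -rf "$d"; return $rc
}

demo && echo "constructed certificate matches key and CSR and chains to the CA"
```

If the CA also sent an intermediate certificate, pass it to `openssl verify` with `-untrusted` so the chain can be built up to the root.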


