Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 

Important update (from Sept 2017):

If you are using AS ABAP, then use STRUST. It is possible to add SAN via STRUST.
If you use sapgenpse for AS ABAP, this is an error prone manual approach.

Recommended additional reading:

  • For SAP Netweaver ABAP: 2478769 - Create certificates with subject Alternative Name (SAN) within STRUST

  • For SAP Web Dispatcher: 2502649 - Creating certificates with Subject Alternative Name (SAN) through the Web Admin page

end of update.


A few days ago I saw (and answered) a question related to how to create a SSL server PSE with SAN.

Since via STRUST it is not possible, the alternative is using the command line tool, sapgenpse.

It is necessary to use version 8.4.42 (or higher), so the Subject Alternative Name can be added. More details can be found in point 4 of SAP note 2209439.


A quick test:


sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSAN.pse -k


Please enter PSE PIN/Passphrase: *********

Please reenter PSE PIN/Passphrase: *********

get_pse: Distinguished name of PSE owner:, OU= SAP Active Global Support,OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP= Rio Grande do Sul, C=BR

Certificate Request:

  Signed Part:

    Subject, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR


      Key type    :rsaEncryption (1.2.840.113549.1.1.1)

      Key size    :2048



        Type        :extensionRequest (1.2.840.113549.1.9.14)

        Value 1:

          Alternative names:

            Significance:Non critical





    Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)

    Signature bits ( size="2048" 😞


PKCS#10 certificate request for "SAPSAN.pse":







Importing the response:


sapgenpse import_own_cert -c cert.p7b -p SAPSAN.pse


CA-Response successfully imported into PSE "SAPSAN.pse"



Checking the content:


sapgenpse get_my_name -p SAPSAN.pse


Subject               :, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR

Issuer                :   ...

Serialno              :   ...

KeyInfo               :   RSA, 2048-bit

Validity  -  NotBefore:   ...

             NotAfter :   ...

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication ClientAuthentication

SubjectAltName        :



Time to open the PSE via STRUST, saving it as the SSL server PSE identity.


I created a new server identity, for testing purposes (Environment -> SSL Server Identities):


I used option File to open the PSE created:


Finally, I used menu PSE -> Save as..., to replace the current PSE by the one created using sapgenpse:


The result: a SSL server PSE with SAN: