Technology Blogs by SAP

5 Simple Steps to Migrate Let's Encrypt Certificates (certbot) to a New Server


There are already several articles on how to create a Let's Encrypt certificate for your SAP system. The ones I was able to find are either very long and complex or use the CSR signing approach. Below we will create a server wildcard certificate in a PSE in a few short, simple steps, with the help of the official ACME client, Lego, and the DNS-01 challenge.


Step 1 - Get your Let's Encrypt cert chain.

I assume that the Lego client is already downloaded according to the official instructions. We will use the DNS-01 challenge to confirm our DNS record (the Lego client also supports other challenge types if you wish). More details can be found here

Execute the lego command (example below):
./lego --email="" --domains="*.dev.wooo.dem.rap" --dns="manual" run

This generates a DNS-01 ACME challenge, and execution pauses until you update your DNS zone with the TXT record. Once that is done you can hit next, and after the challenge is verified you will receive your certificate chain, which consists of the following objects:

  • is the server certificate (including the CA certificate)

  • is the private key needed for the server certificate

  • is the CA certificate

  • contains some JSON encoded meta information.


Step 2 - Generate pfx archive with openssl client

A .pfx file is a PKCS#12 archive: a bag which can contain a lot of objects with optional password protection; but, usually, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.

Execute the following command line:
openssl pkcs12 -export -out certificate_wide.pfx -inkey -in -certfile

This creates the certificate_wide.pfx file. It contains the private key, so protect it accordingly.


Step 3 - Get the Let's Encrypt root certificate

Before you can create your PSE storage, you also need to download the Let's Encrypt root certificate, either from a browser or with openssl:
openssl s_client -showcerts -verify 5 -connect < /dev/null

Step 4 - Generate SAP PSE file

Now you can create your server PSE out of this pfx archive:
sapgenpse import_p12 -r -r letsEncryptRoot.crt -p SAPSSLS.pse certificate_wide.pfx

This creates SAPSSLS.pse, which can be used with SAP Web Dispatcher, SAP ABAP\JAVA instances, or any other place where the PSE format is used 🙂

Step 5 - Apply pse for the system

As an example we will use this PSE for the ABAP system.
The only thing that is required (steps):


P.S. For the Web Dispatcher it is even easier. We just need to copy this PSE with the correct permissions to the /usr/sap/<SID>/W<InstNumber>/sec folder and restart the Web Dispatcher.

This is one of the simplest and most straightforward ways to request a Let's Encrypt certificate. The certificate is valid for 90 days, so you need to renew your certificates later on.

P.P.S. The Lego tool is available in a container, and it can be integrated with quite a lot of DNS service providers, so the whole process can be automated, for example via a CI server.
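
A renewal check plus the repackaging of Steps 2 and 4 in one script, added here as an example and not taken from the original post. The file stem, the paths and the 30-day default are assumptions; lego is assumed to have written the stem's .crt, .key and .issuer.crt files, and sapgenpse is called only with the options shown in Step 4.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. The file stem and all paths are
# hypothetical; lego is assumed to have written <stem>.crt, <stem>.key and
# <stem>.issuer.crt (the objects listed in Step 1).

# Exit 0 when the certificate expires within $2 days, so renewal is due.
# A missing or unreadable certificate also counts as due.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Exit 0 only when private key $1 belongs to certificate $2.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Steps 2 and 4: build the PKCS#12 archive, then import it into a PSE.
# Both tools prompt for their passwords; nothing secret is put on argv.
build_pse() {
    local stem="$1" root="$2" pse="$3" tmp rc
    key_matches_cert "$stem.key" "$stem.crt" || {
        echo "private key does not match $stem.crt" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    ( umask 077    # the archive contains the private key
      openssl pkcs12 -export -out "$tmp/certificate_wide.pfx" \
          -inkey "$stem.key" -in "$stem.crt" -certfile "$stem.issuer.crt" &&
      sapgenpse import_p12 -r "$root" -p "$pse" "$tmp/certificate_wide.pfx" )
    rc=$?
    rm -rf "$tmp"  # do not leave a second copy of the key behind
    return $rc
}

# Usage: script check <stem> [days]   |   script build <stem> <root.crt> <pse>
case "${1:-}" in
    check) if needs_renewal "$2.crt" "${3:-30}"; then echo "renewal due"; fi ;;
    build) build_pse "$2" "$3" "$4" ;;
esac
```

In a CI job, run the check on a schedule and rebuild the PSE only after lego has renewed the certificate.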