Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

Due to popular demand, this blog post shows the steps required to install a custom, CA-signed SSL certificate in the SAPSSLS.pse PSE store.

(And you may need it with any XS classic HTTPS application with InA protocol.)

Good to know:


  • This is not a tutorial on SAP HANA installation or administration. For official guidance and documentation please goto official SAP HANA PLATFORM pages.

  • Images/data in this blog post is from SAP internal sandbox, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Putting it all together

Typically when installing SAP HANA 2.x or deploying a pre-installed version of SAP HANA database, the SSL certificates in different PSE stores are self-signed.

And eventually, thanks to the built-in SAP HANA XS webdispatcher, both HTTP (port 80xx) and HTTPS (port 43xx) communications are possible.

SAP HANA workbench editor.

This is to make sure the INA package is present and is activated.

Configure SAPSSLS.pse PSE store certificate.

SAP HANA webdispatcher.

Goto SAP HANA XS webdispatcher admin cockpit:

Initially the SAPSSLS.pse PSE store will show the default and most likely self-signed SSL certificate as depicted below

In order to allow for signed SSL HTTP connections with SAP HANA, we will need to replace that certificate with a new one signed by a CA of your choice.



  1. Recreate PSE

  2. Replace the Distinguished Name (DN) with the DN of the new certificate

  3. Create CA Request (CSR)

  4. Import CA Response


Certificate Signing Request (redacted)


You will need to have access to a CA (Certificate Authority) and sign the CSR.

The screenshot below is only for illustration purposes.

Please note that we shall need to import the certificate chain.
Sign the CSR with your global CA (Certificate Authority) 
for instance:

The redacted certificate chain is shown below:
-----BEGIN PKCS7-----
-----END PKCS7-----



Step 4. Import CA Response

Click on Import CA Response button above and copy and paste the content of the PKCS7 certificate and click on the Import button to validate the import.


As a result the new and signed certificate has been imported into our PSE store.

From now on we can access HANA via HTTPS over port 43xx as depicted below:




Additional resources

What's New in the SAP HANA Platform 2.x

SAP HANA Administration Guide for SAP HANA Platform | PDF

SAP HANA Platform

SAP HANA trial

Get a Single Gateway to Your Enterprise Data with SAP HANA Cloud

OAuth2 Authentication using HANA XS – Basics (1) | SAP Blogs

OAuth2 Authentication using HANA XS – XS OAuth client lib calling Google’s API (2) | SAP Blogs