This guide shows you how to generate a CSR (Certificate Signing Request) on an SAP NetWeaver Application Server (ABAP). On SAP you do not create the request from a config file or with a one-off OpenSSL command. Instead you work from a PSE (Personal Security Environment): in Trust Manager (transaction STRUST) you select or create the SSL server PSE, set the subject details, and use Create Certificate Request to produce the CSR. You can also generate the request at the operating-system level with sapgenpse (part of SAP CommonCryptoLib) when you need explicit control over Subject Alternative Names.
Before you generate the CSR code
In SAP, the CSR is generated from a PSE (Personal Security Environment), the container that also holds the matching private key. On ABAP systems you do this in Trust Manager (transaction STRUST). You can also generate a CSR at the OS level with sapgenpse from SAP CommonCryptoLib. Either way, the private key is created with the request and stays inside the PSE on the server: it is never part of the CSR you send out.
Decide first how many requests you need. If you use instance-specific SSL server PSEs, generate a separate CSR for each application server. If you use a single system-wide SSL server PSE (for example, SSL server Standard), one CSR covers the system.
You will need the following details ready before you start, since they go into the subject (Distinguished Name) of the request:
- Common Name (CN): the exact hostname (FQDN) you are securing, for example shop.example.com, or a wildcard such as *.example.com.
- Organization (O): your legal company name.
- Locality (L), State or Province (S / SP), and Country (C): your city, your region spelled out in full, and the two-letter country code.
- Key size: use RSA 2048-bit or larger. Public Certificate Authorities reject keys smaller than 2048 bits.
If you would rather generate the request and its private key off the server, our CSR Generator creates both in your browser. Use whichever method fits your workflow, then submit the resulting CSR during your SSL order.
ABAP method: STRUST (Trust Manager)
This is the standard way to generate a CSR on SAP NetWeaver AS ABAP. Run the following steps in SAP GUI, in change mode if the PSE tree is read-only.
Step 1: Open Trust Manager
In SAP GUI, run transaction STRUST to open Trust Manager.
Step 2: Select or create the SSL server PSE
In the left-hand tree, select SSL server PSE. Choose the PSE you actually serve from: the system-wide SSL server Standard, or an instance-specific server PSE. Double-click it to open it.
If no PSE exists yet, or you are replacing the current one, right-click the node and choose Create (or Replace). This opens the Create/Replace PSE dialog, where you enter the subject (DN) fields described below.
Step 3: Enter the subject (DN) fields
Fill in your organization details. These become the Distinguished Name of the certificate:
- CN (Common Name): the exact hostname (FQDN) you are securing, or a wildcard like *.yourdomain.com.
- O (Organization): your legal company name, for example Your Company LLC.
- OU (Organizational Unit): this field is deprecated by the CA/Browser Forum, so leave it blank or enter NA.
- L (Locality / City): for example Atlanta.
- S / SP (State / Province): spelled out in full, for example Georgia.
- C (Country): the two-letter country code, for example US.
Set the key length to 2048 bits or more and confirm. SAP creates the PSE and its private key.
Step 4: Create the certificate request
With the SSL server PSE selected, choose Create Certificate Request. SAP generates the CSR as a Base64 (PKCS#10) block. In the dialog, copy the full request text, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines, or save it to a file. This is what you submit to your Certificate Authority.
A note on SANs (Subject Alternative Names): modern clients validate the hostname against the SAN extension, not the Common Name. Some STRUST versions do not expose a SAN field. Newer stacks provide a Replacement Wizard (it requires SAP Note 2414090) that guides you through it. If your screen offers no way to add SANs, use the command-line method below, which lets you set them explicitly.
Command-line method: sapgenpse (explicit SANs)
Use this method when you must guarantee SANs in the CSR or when your UI does not provide a SAN field. It requires SAP CommonCryptoLib with SAN support (documented for version 8.4.42 and later). Set the environment for your platform first, including SECUDIR so the tool can find the PSE directory.
The example below creates or refreshes the PSE and writes a CSR that carries two SAN entries. Run it from the directory that holds sapgenpse, and replace the hostnames and DN with your own values:
sapgenpse get_pse -p SAPSSLS.pse -x \
-a sha256WithRsaEncryption -s 2048 \
-k GN-dNSName:example.com -k GN-dNSName:www.example.com \
"CN=example.com, OU=NA, O=Your Company LLC, L=Atlanta, SP=Georgia, C=US" \
-r server.csr
What the options do:
- -p SAPSSLS.pse names the PSE file, and -x prompts for its PIN.
- -a sha256WithRsaEncryption sets the signature algorithm to SHA-256, and -s 2048 sets the key size to 2048 bits.
- Each -k GN-dNSName: entry adds one DNS name to the SAN extension. Repeat it for every hostname the certificate must cover.
- -r server.csr writes the request to a file you can open and copy.
Some SAP interfaces, for example Web Dispatcher PSE Management, also lack a SAN field. In those cases SAP’s own guidance is to generate the CSR outside the UI with this command-line approach.
Verify and submit the CSR
Before you submit, it is worth confirming the request contains the values you expect. You can review the request in STRUST, paste it into our online CSR decoder, or decode it on any machine that has OpenSSL installed:
openssl req -noout -text -in server.csr
Check that the Common Name, organization details, key size, and any SAN entries are correct. When everything looks right, copy the CSR contents into the corresponding box during your SSL order. After your Certificate Authority validates the request and issues the certificate, continue with the SAP SSL installation instructions to import the response back into the PSE and restart the ICM.
Frequently Asked Questions
On SAP NetWeaver AS ABAP, run transaction STRUST to open Trust Manager. Select the SSL server PSE, then choose Create Certificate Request. SAP produces the CSR as a Base64 block you copy and send to your Certificate Authority. As an alternative, you can generate the request at the operating-system level with sapgenpse.
A PSE (Personal Security Environment) is the secure container SAP uses to store a key pair and the related certificates. The SSL server PSE holds the private key and the server certificate that the application server presents over HTTPS. When you create a certificate request, the private key is generated inside the PSE and stays there: it is never included in the CSR you send to the CA.
Some STRUST screens do not include a SAN field. Newer stacks add a Replacement Wizard (it requires SAP Note 2414090) that handles SANs. If your interface offers no SAN option, generate the request with the sapgenpse command-line method instead and add one -k GN-dNSName: entry per hostname. SAN support requires SAP CommonCryptoLib 8.4.42 or later.
It depends on how your PSEs are set up. If you use a single system-wide SSL server PSE such as SSL server Standard, one CSR covers the system. If each instance has its own SSL server PSE, generate a separate CSR for each application server.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


