A few days ago I saw (and answered) a question related to how to create an SSL server PSE with SAN.
Since this is not possible via STRUST, the alternative is to use the command-line tool sapgenpse.
It is necessary to use version 8.4.42 (or higher), so the Subject Alternative Name can be added. More details can be found in point 4 of SAP note 2209439.
A quick test:
```
sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSAN.pse -k GN-dNSName:myehp7system.mydomain.com
Please enter PSE PIN/Passphrase: *********
Please reenter PSE PIN/Passphrase: *********
get_pse: Distinguished name of PSE owner: CN=vertigo.mydomain.com, OU= SAP Active Global Support,OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP= Rio Grande do Sul, C=BR
Certificate Request:
Signed Part:
Subject :CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
Key:
Key type :rsaEncryption (1.2.840.113549.1.1.1)
Key size :2048
Attributes:
element#no="1":
Type :extensionRequest (1.2.840.113549.1.9.14)
Value 1:
Alternative names:
Significance:Non critical
Value:
element#no="1":
GeneralName :GN-dNSName:myehp7system.mydomain.com
Signature:
Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
Signature bits ( size="2048" ):
PKCS#10 certificate request for "SAPSAN.pse":
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
```
Importing the response:
```
sapgenpse import_own_cert -c cert.p7b -p SAPSAN.pse
CA-Response successfully imported into PSE "SAPSAN.pse"
```
Checking the content:
```
sapgenpse get_my_name -p SAPSAN.pse
Subject : CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR
Issuer : ...
Serialno : ...
KeyInfo : RSA, 2048-bit
Validity - NotBefore: ...
NotAfter : ...
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication ClientAuthentication
SubjectAltName : GN-dNSName:myehp7system.mydomain.com
```
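Before the PSE is saved as the SSL server identity, it is worth confirming that the hostname clients will use is covered by the SubjectAltName: clients that follow RFC 6125 match on the SAN dNSName entries and do not fall back to the CN when a SAN is present. The shell functions below are an added example, not part of the original post or of SAP's tooling. They parse `sapgenpse get_my_name` output and go slightly beyond the post by also handling wildcard entries; the function names and the assumption that every entry appears as a `GN-dNSName:<name>` token are this example's own.

```shell
#!/bin/sh
# Added example: does the certificate in a PSE cover a hostname via its SAN?
# Input on stdin: the text printed by `sapgenpse get_my_name -p <pse>`.

# Print every dNSName SAN entry, one per line, lowercased.
# Assumption: entries appear as "GN-dNSName:<name>" tokens, as in the post.
san_dns_names() {
    grep -i 'SubjectAltName' \
        | grep -o 'GN-dNSName:[^ ,;]*' \
        | sed 's/^GN-dNSName://' \
        | tr 'A-Z' 'a-z'
}

# Return 0 if hostname $1 matches a SAN entry read from stdin, else 1.
# A "*.example" entry matches exactly one additional left-most label.
san_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sans=$(san_dns_names)
    while IFS= read -r san; do
        case "$san" in
            \*.*)
                suffix=${san#\*}
                label=${host%"$suffix"}
                case "$label" in
                    "$host"|""|*.*) ;;      # no suffix match, empty, or >1 label
                    *) return 0 ;;
                esac
                ;;
            *)
                if [ -n "$san" ] && [ "$san" = "$host" ]; then return 0; fi
                ;;
        esac
    done <<EOF
$sans
EOF
    return 1
}

# Sample input: Subject and SubjectAltName lines, abridged from the post's output.
SAMPLE='Subject : CN=vertigo.mydomain.com, OU=SAP Active Global Support, O=SAP, C=BR
SubjectAltName : GN-dNSName:myehp7system.mydomain.com'

for h in myehp7system.mydomain.com vertigo.mydomain.com; do
    if printf '%s\n' "$SAMPLE" | san_covers "$h"; then
        echo "$h: covered by SAN"
    else
        echo "$h: NOT covered by SAN"
    fi
done
```

Against a real PSE, pipe the tool's output straight in, for example `sapgenpse get_my_name -p SAPSAN.pse | san_covers myehp7system.mydomain.com`.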
Time to open the PSE via STRUST, saving it as the SSL server PSE identity.
I created a new server identity, for testing purposes (Environment -> SSL Server Identities):
![STRUST01.jpg]()
I used the File option to open the PSE created:
![STRUST02.jpg]()
Finally, I used menu PSE -> Save as..., to replace the current PSE with the one created using sapgenpse:
![STRUST03.jpg]()
The result: an SSL server PSE with SAN:
![STRUST04.jpg]()