CAs around the world only sign certificate requests with key length equal (or higher than) 2048 bits. If you have a PSE with key length equal to 1024 bits, then you cannot create such certificate request (with 2048 bits).
The solution is replacing the SSL PSE and then adjusts the Key Length property.
Scenario with Key Length = 1024 bits
The PSE has the key length = 1024 bits (for a system with kernel 7.20 or higher you can have this information via STRUST):
Image may be NSFW.
Clik here to view.
You can also obtain the key length information using sapgenpse, with the command: sapgenpse get_my_name -p SAPSSLS.pse:
Image may be NSFW.
Clik here to view.
Replacing the PSE
Via STRUST, you can use the context menu and select the option "Replace":
Image may be NSFW.
Clik here to view.
You need to confirm the PSE replacement:
Image may be NSFW.
Clik here to view.
Select the new Key Length (i.e. 2048):
Image may be NSFW.
Clik here to view.
Now inform the instance specific CN, according to the application servers you have (in the example below, only one application server exists):
Image may be NSFW.
Clik here to view.
Now it is possible to create the certificate request, submit to any CA, and then import the certificate response.
Scenario with Key Length = 2048 bits
As the result of the PSE replacement, it is possible to check the new key length:
Image may be NSFW.
Clik here to view.
More information
SAP note 1178155 provides the steps to replace the PSE in productive environments.
SAP note 1856192 shows how to have a PSE with key length > 2048 bits.
You may also read the following blogs:
