The Limits of the Standard as an Opportunity With SAP Certificates

SAP certificate management is becoming increasingly complex, and the use of resources is rising continuously. Automation software for certificate management addresses these challenges in several ways.
Hans Haselbeck, Empirius
December 2, 2025
This text has been automatically translated from German to English.

The following worst-case scenario is entirely realistic: one or more digital certificates used for the internal and external communication of SAP systems, or of components thereof, have not been renewed. What happens? Once the necessary certificates have passed their expiration date, the use of SAP Financials, SAP Human Resource Management, or other SAP applications is at risk.

If no precautions have been taken, the SAP systems can no longer support business processes. That would certainly be a worst-case scenario. For years, SAP has provided good core support for handling and managing digital certificates. This includes generating certificate signing requests (CSRs) and importing certificates using ABAP/STRUST, Cloud Connector, or other programming methods.

Nevertheless, expired certificates still have to be identified, both in overview and in detail, and then regenerated more or less by hand. In companies, this task is usually performed by SAP Basis or infrastructure experts, sometimes in conjunction with security specialists or compliance teams. In some cases, external service providers also take on the task of certificate management.

One challenge here is that in practice it is usually not just one certificate but many, in some cases several hundred. What weighs even more heavily is that certificate renewals have to take place at ever shorter intervals, with the corresponding effort and use of resources.

The maximum validity period is shrinking as well: from September 1, 2020, it was still 398 days, whereas from March 15, 2029, a digital certificate will be valid for only 47 days. This means that certificate renewals will be required more and more frequently.

Incidentally, these validity periods are set by the CA/Browser Forum, a cooperation between web browser manufacturers and certification authorities (CAs). As an organization, it adopts common guidelines for the X.509 public key infrastructure.

Advantages of automation

The goal of automation software is to automate recurring or manual tasks. The motto is: "Automate what can be automated." This also applies to the field of certificate management. The market for automated certificate management solutions is fairly straightforward. Nevertheless, such specialized solutions have developed dynamically over time, not least because there is high demand for this type of must-do task.

The background is simple. The teams responsible for certificate management in companies have to deal with many aspects of SAP system operation. Furthermore, resources are scarce, and this despite an increasing number of tasks. From a labor market perspective, IT continues to be a bottleneck area.

Smart automation software saves time and money. At the same time, tasks are performed with consistently high quality. In other words, security and productivity increase across the various SAP Basis task areas, whether that is creating an SAP system copy, performing updates, starting and stopping SAP systems, managing SAP SEC notes, or certificate management.

Certificate Management Software

How should certificate management software based on best practice processes be structured in broad terms? What should it do or offer?

Of course, it is important that it is geared towards specific SAP requirements and special features from the outset. First and foremost, this means that all certificates that are related to or relevant for SAP are presented clearly, comprehensively, and seamlessly on the basis of reporting data, using a simple, easy-to-use user interface (UI). But that's not all.

It should also be possible to generate certificate jobs directly from reporting and to define which jobs are performed and when. Keyword: scheduling. At the same time, it is of course essential that both the date of renewed certificates and the certificates that are due for renewal are displayed, for example marked with a green check mark or a red X next to the respective certificate.
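The status column and renewal schedule described above can be derived from the validity dates alone, as in the following added example (not code from Epos or SAP). The inventory rows, the system list, and the rule "renew when one third of the lifetime is left" are assumptions for illustration; the proportional rule is chosen because a fixed 30-day warning would flag a 47-day certificate for most of its life.

```python
from datetime import date, timedelta

# Constructed reporting rows (system, PSE file, valid from, valid to); not real data.
INVENTORY = [
    ("PRD", "SAPSSLS.pse", date(2024, 12, 1), date(2026, 1, 3)),   # 398-day certificate
    ("QAS", "SAPSSLC.pse", date(2025, 11, 20), date(2026, 1, 6)),  # 47-day certificate
    ("DEV", "SAPSSLS.pse", date(2024, 10, 1), date(2025, 11, 3)),  # already expired
    ("OLD", "SAPSSLS.pse", date(2025, 6, 1), date(2026, 6, 1)),    # system not in list
]
SYSTEM_LIST = {"PRD", "QAS", "DEV"}  # hypothetical list of managed systems

def renew_on(not_before, not_after, fraction=1 / 3):
    """Date the renewal job is due: when `fraction` of the lifetime is left."""
    lifetime = (not_after - not_before).days
    return not_after - timedelta(days=max(1, int(lifetime * fraction)))

def status(system, not_before, not_after, today):
    """Classify one inventory row for the report."""
    if system not in SYSTEM_LIST:
        return "UNKNOWN_SYSTEM"          # entry without a matching managed system
    if today >= not_after:
        return "EXPIRED"                 # the "red X" case
    return "RENEW" if today >= renew_on(not_before, not_after) else "OK"

def report(inventory, today):
    """Rows as (status, system, pse, renew_on), most urgent first."""
    rank = {"EXPIRED": 0, "RENEW": 1, "UNKNOWN_SYSTEM": 2, "OK": 3}
    rows = [(status(s, nb, na, today), s, pse, renew_on(nb, na))
            for s, pse, nb, na in inventory]
    return sorted(rows, key=lambda r: (rank[r[0]], r[3]))

if __name__ == "__main__":
    for row in report(INVENTORY, date(2025, 12, 2)):
        print(*row)
```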

Certificate management as an app

A certificate management app should also automatically process various steps or phases based on best practice processes. This includes the automatic generation of certificate signing requests (CSRs), as well as the verification and import of certificates, and the automatic chaining of primary, intermediate, and root certificates.

On top of that: automated deletion of expired certificates, including intelligent PSE backup and dynamic PSE determination. Despite automation, however, there should be mechanisms in place to flexibly intervene manually in the processes or to correct procedures if necessary.

In terms of design, a certificate management solution as an app should take two phases into account: a check run and a live run.

This is implemented, for example, in the Certificate Management App of the SAP automation suite Epos from Empirius. As already mentioned, the data for all certificates is provided by the Epos Reporting App/Collector All-in App. The check run focuses on the following processes: selection of certificates, comparison with the system list, creation of certificate signing requests (CSRs), and checking of certificates. This is followed by the live run: backup of the Personal Security Environment (PSE), import of the certificates using Strust/sapgenpse and, if necessary, deletion of certificates that are no longer required.
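One check that belongs in a check run before anything is imported is whether the CA's response forms a complete chain from the requested certificate to a root. The following added example (not Epos code) orders a bundle leaf, intermediate, root and rejects incomplete or padded bundles. It assumes certificates already reduced to subject and issuer names, all of them constructed; matching by name only is a simplification, and signature verification is left to the import tooling.

```python
# Constructed records: each certificate reduced to its subject and issuer DN.
BUNDLE = [
    {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"},
    {"subject": "CN=prd.example.internal", "issuer": "CN=Example Issuing CA"},
    {"subject": "CN=Example Issuing CA", "issuer": "CN=Example Root CA"},
]

class ChainError(ValueError):
    """Raised when the bundle must not be imported as delivered."""

def order_chain(certs, leaf_subject):
    """Return certs ordered leaf -> intermediates -> root, or raise ChainError.

    leaf_subject is the subject the CSR was created for (assumed to be known
    to the caller). Issuers are matched by DN string only.
    """
    by_subject = {c["subject"]: c for c in certs}
    if len(by_subject) != len(certs):
        raise ChainError("duplicate subject in bundle")
    if leaf_subject not in by_subject:
        raise ChainError(f"no certificate for requested subject: {leaf_subject}")
    chain = [by_subject[leaf_subject]]
    while chain[-1]["issuer"] != chain[-1]["subject"]:   # stop at self-signed root
        parent = by_subject.get(chain[-1]["issuer"])
        if parent is None:
            raise ChainError(f"missing issuer certificate: {chain[-1]['issuer']}")
        if parent in chain:
            raise ChainError("issuer loop in bundle")
        chain.append(parent)
    if len(chain) != len(certs):
        raise ChainError("bundle contains certificates outside the chain")
    return chain

if __name__ == "__main__":
    for cert in order_chain(BUNDLE, "CN=prd.example.internal"):
        print(cert["subject"])
```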

In addition, functions such as dynamic determination of PSEs, creation of certificate jobs from reporting, job results "in app," Cert/CSR checks, and logic checks in the UI are also taken into account. Support is provided for SAP Hana, Web Dispatcher, or Host Agent certificates, as well as PSEs that do not appear in the Strust transaction, password-protected PSEs, or Java. Incidentally, there are Epos users who exclusively use the Certificate Management App. The majority use several apps from the SAP Automation Suite.


SAP automation suite Epos

Empirius is continuously developing both the SAP automation suite Epos and the individual apps. The new features in the current version 25.6 focus on improvements in clarity, consistency, and convenience in automation.

Two additional apps are also new in the current version 25.6: SAP Transports, for example, for easy integration/setup of new printers in SAP, and the Java Update App to support automated Java updates. The SAP automation suite now comprises a total of over 20 apps for SAP Basis automation, which can be used as a "central point of management" system for SAP Basis and SAP infrastructure teams.


Hans Haselbeck, Empirius

Hans Haselbeck is CEO at Empirius.

