During installation, the SMP 3.0 server automatically generates a self-signed certificate that is used for Agentry server authentication (among other things). This certificate is based on the fully qualified domain name (FQDN) at the time of the installation. If the FQDN changes for any reason, or the certificate needs to reference an external name rather than an internal name, you will need to regenerate the certificate.
This document outlines the steps needed to regenerate the certificate using the Java keytool utility. Please note that you will need to know the Keystore password you specified during installation of the SMP 3.0 server to perform these steps. These commands assume the C:\SAP\MobilePlatform3\sapjvm_7\bin directory (default location) is in your path and that you are executing the commands from the C:\SAP\MobilePlatform3\Server\configuration directory.
Note that with the release of SP08, the name of the keystore file where the certificate is stored has changed. Please be sure to use the correct keystore name:
- Keystore, pre-SP08: smpkeystore.jks
- Keystore, SP08+: local_smpkeystore.jks
The steps are the same; only the file where the certificate is stored has changed in SP08.
- Remove the existing certificate
  - keytool -keystore {keystore filename} -delete -alias smp_crt -storepass {keystore password}
- Create the new self-signed certificate (edit the dname information to match your organization details)
  - keytool -keystore {keystore filename} -genkeypair -keyalg RSA -sigalg SHA1withRSA -validity 3650 -alias smp_crt -dname "C=US, ST=IL, L=Chicago, O=SAP, OU=Global Mobility Services, CN={New FQDN}, emailAddress={your email address}" -ext BC:ca:true -keypass {keystore password} -storepass {keystore password}
- Export the new certificate for use with your Agentry clients
  - keytool -keystore {keystore filename} -export -alias smp_crt -file smp_crt.cer -rfc -storepass {keystore password} -keypass {keystore password}
- After executing these commands, restart your SMP 3.0 server to pick up the new certificate
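Before the exported smp_crt.cer is handed to Agentry clients, it can be checked against what the steps above were meant to produce. The PowerShell script below is an added example, not part of the original post or the author's batch file; the function name, parameter names and default path are assumptions, and it reads only the exported public certificate.

```powershell
# Added example (not the author's batch file): inspect the exported certificate
# before distributing it. -ExpectedFqdn and the default path are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$ExpectedFqdn,
    [string]$CertPath = 'C:\SAP\MobilePlatform3\Server\configuration\smp_crt.cer'
)

function Test-SmpCertificate {
    param([string]$Path, [string]$Fqdn)

    # X509Certificate2 loads DER as well as the PEM text that "keytool -export -rfc" writes.
    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    $findings = @()

    # The subject CN must be the name (or IP address) the clients will connect to.
    $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    if ($cn -ne $Fqdn) { $findings += "CN '$cn' does not match expected '$Fqdn'" }

    # 1.2.840.113549.1.1.5 is sha1WithRSAEncryption, which -sigalg SHA1withRSA produces.
    if ($cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.5') {
        $findings += 'Signed with SHA-1 (deprecated); confirm your clients still accept it'
    }

    # A NotBefore well in the past suggests the old certificate was exported.
    if ($cert.NotBefore -lt (Get-Date).AddDays(-1)) {
        $findings += "NotBefore is $($cert.NotBefore): this may be a stale export"
    }
    if ($cert.NotAfter -lt (Get-Date)) { $findings += 'Certificate has expired' }

    # -ext BC:ca:true marks the certificate as a CA; report it so the key is handled accordingly.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # SHA-256 fingerprint that recipients can compare over a separate channel.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $fp = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ':'

    [pscustomobject]@{
        Subject    = $cert.Subject
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        IsCA       = $isCa
        NotAfter   = $cert.NotAfter
        Sha256     = $fp
        Findings   = $findings
    }
}

Test-SmpCertificate -Path $CertPath -Fqdn $ExpectedFqdn | Format-List
```

With the commands exactly as written above, the SHA-1 finding and IsCA = True are expected; an empty CN match finding means the certificate carries the name you entered.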
In my case, I frequently need to regenerate my certificates due to changing networks and IP addresses, so I have created the attached batch file to simplify the process. I simply execute the batch file and it prompts me for the password and new FQDN and performs all the other steps, opening Windows Explorer to the configuration directory at the end so I can easily install, copy or email the new certificate out.
I have also updated the batch file to allow for easily setting the correct keystore name.
To use the batch file:
- Download the attached file (unzip if necessary)
- Rename from smp3-keygen.txt to smp3-keygen.bat
- Edit the smp3-keygen.bat file and set the following variables at the beginning of the file:
  - SMP3ROOT - location of your SMP3 installation
  - CERTINFO (country, state, location, organization, org unit)
  - CERTEMAIL - your email address (included in the certificate)
  - KEYSTOREFILE - the name of the keystore where the cert will be stored (see above, based on the version of the SMP3 server you are running)
- Run the batch file and input your new FQDN or IP address for the certificate
- Enter the keystore password
- Import or distribute the new certificate
Enjoy!