  • Writer: automatics.AI
  • Sep 26
  • 6 min read

SAP Certificate Lifecycle Management: From manual STRUST administration to automation


Certificate expires soon

In modern IT landscapes, secure communication between systems and users is almost unimaginable without digital certificates. They ensure the authenticity, integrity, and confidentiality of data. Certificates play a central role, particularly in SAP systems, which run as business-critical backbone applications in almost every large company. However, this is precisely where it becomes clear: manual administration is error-prone, time-consuming, and often not scalable. Instead of consistent processes, many companies still rely on manual maintenance via the STRUST transaction. What may work on a small scale quickly becomes a risk in complex SAP landscapes. Automated Certificate Lifecycle Management (CLM) can remedy this – and has long been more than just a convenience; it has become a security necessity.


The underestimated challenges of certificate management


Manually managing certificates in SAP brings with it a number of practical difficulties that companies will sooner or later face:

First, there is the enormous effort required for system-by-system maintenance. Each SAP system, each client, and sometimes even each instance must be processed separately in STRUST. In a typical landscape with dozens of systems, this adds up to a considerable administrative overhead.


Added to this is the susceptibility to errors. Creating a certificate request, importing the response from the certification authority, and maintaining the certificate chain – all these steps must be performed manually and in the correct order. In the worst case, a forgotten root certificate or an incorrectly assigned PSE can lead to the interruption of central communication channels.


Another problem is expiration monitoring. While SAP systems do warn about impending certificate expirations—for example, via the SSF_ALERT_CERTEXPIRE report or as an SM02 system message—these notifications are not targeted enough. They often reach all users instead of the responsible administrators, creating more noise than action.


Furthermore, shortened validity periods exacerbate the problem. Certificates are now often valid for only twelve months, which tightens the time frame for every renewal. The CA/Browser Forum's "Baseline Requirements" specify that certificates may not be valid for longer than one year without re-auditing.


This means that the renewal process must be carried out not only regularly, but at increasingly shorter intervals. For large landscapes, this means an almost permanent renewal cycle.


A striking example of the consequences of poor certificate management was the SpaceX Starlink outage in April 2023, in which an expired ground station certificate caused hours of disruption for users worldwide.


Finally, there is a technical gap between SAP's internal and external certificate sources. While certificates are managed in STRUST via PSE files, certificates must also be maintained at the operating system or middleware level, for example, in SAP Web Dispatcher or SAP Cloud Connector. This fragmentation makes the overall picture confusing and error-prone.


In summary: Manual certificate management in SAP is time-consuming, error-prone, and difficult to manage for growing landscapes.


STRUST and PSE – technical core, but not a future model


To understand why certificate management is so critical in SAP, it is worth taking a look at the technical basics.


All certificates and key materials are stored in so-called Personal Security Environments (PSEs). These files contain the private key, the associated certificate, and the complete chain of trust up to the root CA. Different deployment scenarios require different PSEs: for example, the SSL Server Standard PSE for inbound HTTPS connections, SSL Client PSEs for outbound connections to third-party systems, or the System PSE for internal authentication within the SAP landscape.


These PSEs are managed via the STRUST transaction. It allows administrators to create certificate requests, import certificate responses, establish trust chains, and replace key material. The Replacement Wizard (described in SAP Note 2414090) even supports importing new key pairs without disrupting existing configurations. This is particularly important when additional Subject Alternative Names (SANs) need to be stored, for example, when adding additional application servers.


STRUST is a powerful tool, but it's designed entirely for manual operation. This is precisely where many companies reach their limits.


Automated Lifecycle Management - the logical next step


The automation of certificate management is no longer just a means of simplifying work; it is becoming a strategic necessity. While the discussion previously focused on efficiency gains, today the issue of resilience and future viability is taking center stage. Analysts like Gartner predict that by 2025, over 95% of new digital workloads will run on cloud-native platforms. This dramatically increases the importance of public key infrastructure (PKI), because without robust certificate management, cloud scenarios simply cannot be operated securely.


Integration of zero-trust principles


The implementation of zero-trust architectures is fundamentally transforming the requirements for SAP certificate management. Gartner predicts that by 2025, 70% of organizations will replace traditional VPNs with Zero Trust Network Access (ZTNA), relying heavily on PKI for secure authentication.


Zero-trust models require continuous verification of all system access, which sharply increases the importance of dynamic certificate management. In SAP contexts, this means that not only user authentication but also machine identities between SAP components, external systems, and cloud services must be continuously validated.


From reactive to proactive - AI in certificate management


Modern approaches go far beyond simple automation. Artificial intelligence (AI) and machine learning (ML) are increasingly coming into play. According to ISACA's 2025 Identity Management Trends, AI will play a crucial role in the coming years:


  • It can predict certificate expirations before they become critical.

  • It detects anomalies in the certificate inventory, such as incorrectly issued or no longer used certificates.

  • It enables proactive responses so that failures do not occur in the first place.


Especially in complex SAP environments where hundreds of certificates are used in parallel, this represents a paradigm shift: from reactive firefighting to a proactive security strategy.


Regulatory requirements - NIS2 and DORA in focus


In addition to the technical dimension, regulatory requirements are also coming to the fore. With the NIS2 Directive, the EU obligates companies to secure data with strong encryption and current cryptographic standards. Certificates form the cornerstone here, as they enable end-to-end encryption in transit.


The Digital Operational Resilience Act (DORA), which has been binding for financial institutions since January 2025, has had an even more concrete impact. It tightens cybersecurity requirements and requires IT services to remain resilient to outages and attacks. Since SAP systems often form the backbone of banks and insurers, expectations for reliable certificate management are rising. Faulty or expired certificates are not only an operational risk, but also a compliance violation with potentially severe penalties.


Best practices for integration with STRUST


Despite automation, a deep understanding of SAP's internal processes remains crucial. An automated system must replicate STRUST's functionality one-to-one:


  • Creating a certificate request using the “Create certificate request” button.

  • Forwarding this request to a certification authority.

  • Importing the response back into the system to renew the PSE.


This basic functionality, as described in current SAP Community Best Practices, must be seamlessly replicated in automated systems.


In addition, different PSE types must be correctly considered. While SSL server PSEs are responsible for inbound connections, client PSEs secure outbound connections – both follow different workflows that automation must understand and implement.


An often underestimated aspect is backup and recovery strategies for PSE files. Without proper backup and documented recovery processes, a faulty certificate update can jeopardize business continuity. Automated systems should therefore also cover this dimension to make SAP landscapes not only efficient but also resilient.


Monitoring and proactive management


Effective certificate lifecycle management requires continuous monitoring and proactive intervention. An automated system sends an alert when a certificate is less than 30 days from expiration, so that SAP Basis administrators receive advance notice and can schedule the renewal. SAP Note 588297, "Warnings about security certificates in the system logs," describes the warning mechanisms SAP itself provides through the system logs. This reactive approach must be replaced by proactive systems that predict expiration times well in advance.
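The targeted alerting described above, as an added example that is not the article's or the vendor's code: it applies the 30-day threshold to an inventory of certificate slots (STRUST PSEs as well as external stores such as SAP Web Dispatcher or SAP Cloud Connector), also flags certificates issued for longer than the one-year maximum the article cites, and groups findings per responsible owner instead of broadcasting them to all users. The inventory records, owner mailboxes and reference date are constructed sample data; in practice the records would come from your own export of the landscape's certificates.

```python
"""Targeted expiry alerting over a certificate inventory (added example, not the
article's code). Records are constructed; real ones come from your own export."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

WARN_DAYS = 30           # renewal threshold named in the article
MAX_VALIDITY_DAYS = 365  # one-year cap the article cites for public certificates

@dataclass(frozen=True)
class CertRecord:
    system: str      # SID or component, e.g. "PRD" or "WDP"
    store: str       # PSE name or external certificate store
    owner: str       # responsible team's mailbox, never "all users"
    not_before: date
    not_after: date

def days_remaining(rec, today):
    return (rec.not_after - today).days

def severity(rec, today, warn_days=WARN_DAYS):
    left = days_remaining(rec, today)
    if left < 0:
        return "EXPIRED"          # communication on this channel is already broken
    if left <= warn_days:
        return "RENEW"            # inside the 30-day window: start the STRUST renewal
    if (rec.not_after - rec.not_before).days > MAX_VALIDITY_DAYS:
        return "LONG_VALIDITY"    # issued for more than a year; review the CA policy
    return "OK"

def build_alerts(inventory, today, warn_days=WARN_DAYS):
    """One grouped message per owner, most urgent first, instead of a broadcast."""
    alerts = defaultdict(list)
    for rec in sorted(inventory, key=lambda r: r.not_after):
        sev = severity(rec, today, warn_days)
        if sev != "OK":
            alerts[rec.owner].append(f"{sev}: {rec.system}/{rec.store} valid until "
                                     f"{rec.not_after} ({days_remaining(rec, today)} days)")
    return dict(alerts)

TODAY = date(2025, 9, 26)  # fixed reference date so the output is reproducible
INVENTORY = [  # constructed sample data, not a real landscape
    CertRecord("PRD", "SSL Server Standard", "basis-prd@example.invalid", date(2024, 10, 1), date(2025, 10, 1)),
    CertRecord("PRD", "SSL Client (Standard)", "basis-prd@example.invalid", date(2025, 1, 15), date(2026, 1, 15)),
    CertRecord("WDP", "Web Dispatcher SSL", "infra-net@example.invalid", date(2024, 9, 1), date(2025, 9, 1)),
    CertRecord("SCC", "Cloud Connector system cert", "cloud-team@example.invalid", date(2024, 1, 1), date(2026, 1, 1)),
]

if __name__ == "__main__":
    for owner, messages in build_alerts(INVENTORY, TODAY).items():
        print(owner, *messages, sep="\n  ")
```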


Real-time dashboards and alerting systems enable SAP Basis teams to keep an eye on the status of their entire certificate landscape. Visualizing complex dependencies between different certificates and systems helps prioritize maintenance activities.


The solution: Intelligent automation with the SmartSecOps Platform


The automatics SmartSecOps Platform addresses these complex challenges through a holistic approach that combines all aspects of SAP Certificate Management into one integrated system.


LifecycleHub automates critical lifecycle processes such as SAP certificate management, including proactive certificate renewal and distribution and activation in STRUST. This fully automated implementation eliminates human error and ensures consistent security standards.


The TransparencyHub creates the necessary visibility into complex SAP environments through central collection, analysis, and visualization of all certificates used in SAP and other security-relevant SAP system data.


The combination of these specialized hubs offers a comprehensive solution for modern SAP Certificate Management challenges. Through intelligent automation of complex certificate processes, proactive monitoring, and seamless STRUST integration, the SmartSecOps Platform enables the transition from reactive to proactive SAP operations. In a time where a single missed certificate renewal can bring business-critical processes to a standstill, intelligent automation is strategically essential for sustainable business success.
