Did you install your NetWeaver 2004 WebAS and/or Portal in 2005? Do you use the portal's Single Sign-On capabilities to connect to backend systems?

Then this might be useful for you...

The following blog directly connects to Michael Nicholls' blog about creating a new certificate that is used for signing the logon ticket. As you might know (or not), the certificate that is created during installation of a NetWeaver Java system expires two years after the installation date (see SAP Note 912229), so a new keypair has to be created. See What's small and useful, but often doesn't last as long as you want? and the official documentation.

What we wanted to achieve at a customer site was a seamless switch of the certificates within a bigger landscape with many backend systems and potentially many administrators responsible for the respective backends. The end users should not observe any loss of SSO to their backends.

This can be achieved by executing the following steps:

  • Create a new keypair using the key storage service of the Visual Administrator, as described in What's small and useful, but often doesn't last as long as you want? and the official documentation.
    But: use a DN that differs from the currently active certificate. The DN is the key under which your certificate is stored in the backends' PSE and ACL, so two certificates with the same DN cannot coexist there.
    Give it any name other than SAPLogonTicketKeypair.
    Do not enter a validity end date later than the year 2038 (see SAP Note 499386).

  • Export the new certificate in X.509 format and distribute it to all your backend system administrators. They can now import it in parallel to the currently active certificate (remember: different DN), so both are trusted during the transition.

  • On day X (when the "old" certificate expires) remove SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert and rename your new keypair exactly to SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert.

  • Restart the key storage service! Now your new certificate is used for signing the logon tickets. You can then remove the obsolete entries in the backends.
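Before handing the exported certificate to the backend administrators, it is worth checking the two constraints above mechanically: the DN must differ from the active certificate, and the validity must end before 2038. The following POSIX shell script is an added example and is not part of the original post or of SAP's tooling. It assumes the active and the new certificate have been exported as PEM files (the file names, the sample DNs and the helper that builds self-signed test certificates are illustrative) and uses only the openssl command line.

```shell
#!/bin/sh
# Pre-flight check for a replacement logon-ticket certificate.
# Added example; assumes the certificates are PEM files exported from the
# key storage service and that the openssl CLI is installed.

# Print the subject DN of a PEM certificate (openssl's "subject=" prefix removed).
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Print the four-digit year of the certificate's notAfter date.
# openssl prints e.g. "notAfter=Jun 12 10:00:00 2027 GMT"; the year is the
# field before "GMT".
cert_end_year() {
    openssl x509 -in "$1" -noout -enddate | awk '{ print $(NF-1) }'
}

# check_replacement OLD.pem NEW.pem
# Returns 0 when NEW can be imported next to OLD in the backends: its DN
# differs from OLD (the PSE/ACL is keyed by DN) and its validity ends before
# 2038 (SAP Note 499386). Returns 1 and reports the reason otherwise.
check_replacement() {
    old_dn=$(cert_subject "$1")
    new_dn=$(cert_subject "$2")
    new_year=$(cert_end_year "$2")
    status=0
    if [ "$old_dn" = "$new_dn" ]; then
        echo "FAIL: new certificate has the same DN as the active one: $new_dn" >&2
        status=1
    fi
    # Conservative: the 32-bit limit is 2038-01-19, so anything ending in
    # 2038 or later is rejected, including the first days of January 2038.
    if [ "$new_year" -ge 2038 ]; then
        echo "FAIL: new certificate is valid until $new_year (must end before 2038)" >&2
        status=1
    fi
    return $status
}

# make_selfsigned OUT.pem DN DAYS
# Helper to build self-signed test certificates offline; in practice the PEM
# files come from the key storage export, not from this function.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -subj "$2" -days "$3" >/dev/null 2>&1
}

# Usage: check_replacement active.pem new.pem
```

Run it against the two exported files before distributing the new certificate; a non-zero exit means the new keypair should be recreated with a different DN or a shorter validity.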

    Cheers, Karsten