client certificate authentication in SAP PI/PO

Generate and Use Client Certificate Authentication in SAP PI/PO – A Quick Guide

SAP PI /PO supports client certification authentication using Java KeyStore. However, to enable it, users will have to generate the KeyStore outside of PI/PO. This article outlines the steps that users must follow to generate KeyStore using KeyStore Explorer, a third-party tool, and import it PI/PO. So, let’s start.

  1. First, make sure that you have JDK or JRE installed on the local system.
  2. Now, set the JAVA_HOME parameter to JDK or JRE folder. 

    java home
  3. As you can see, JAVA_HOME is being set properly by running echo %JAVA_HOME%. This will show the path to JRE or JDK.
  4. Next, we need to create a KeyStore. Open KeyStore Explorer (this is a freeware and can be downloaded from, and go to ‘Create a new KeyStore’. PI/PO needs PKCS12, so select that option.

    key store
  5. Fill in the required entries.

     required entries
  6. Now generate the CSR Request. 

    CSR request
  7. Send the CSR request to a certificate issuing authority. Please ask them to provide them the CA certification as well. 
  8. Once CSR response is received, go to the KeyStore explorer, and open the Private Key.

    Private Key
  9. Import the CSR Response.

     CSR Response

  10. Login to SAP PI/PO, and go to “Certs”->TrustedCA’s. Also, import the Private Key. 

    import the Private Key
  11. Click ‘Import CSR Response’.

    Import CSR Respons
  12. Click ‘Choose File’, select the CA certification, press ‘Add’, and select the CSR response.

    CSR response
  13. Select ‘Import’. This should show you the Private Key as well as the certificate for it.

  14. Once done, make sure that the SSL certificate chain associate with the HTTPS URL is also imported in the PI. 
  15. Open the SSL URL in the browser, and download all the SSL certificates.

    SSL certificates
  16. Import certificates in Certs->TrustedCA.


    SSL certificates
  17. In the communication channel, specify the Private Key. There is no need to specify the SSL certificates in the communication channel. 

      communication channel

Using the above-mentioned steps, you can successfully setup client certificate authentication in SAP PI/PO. Please note that some vendors accept self-signed certificates. In such a case, you can generate the CSR Response by yourself (no need to send CSR request to certification-signing authority). However, the majority of the vendors need certificates signed by third-party authorities. When such a scenario runs by, you need to send CSR request to them, and pay a certain fee to get the CSR Response back.