client certificate authentication in SAP PI/PO

Generate and Use Client Certificate Authentication in SAP PI/PO – A Quick Guide

SAP PI /PO supports client certification authentication using Java KeyStore. However, to enable it, users will have to generate the KeyStore outside of PI/PO. This article outlines the steps that users must follow to generate KeyStore using KeyStore Explorer, a third-party tool, and import it PI/PO.

Our goal is to provide a comprehensive, point-to-point guide to help enterprises lead through the process of generating the KeyStore outside of PI/PO. However, if you’re confused or unable to decide what to do, Kellton Tech can assist. We have decades of experience in implementing end-to-end SAP implementation services and understand what your business needs to drive value with intelligence, everywhere.

Now that you know we’re here to guide you, let’s dive right in.

How to Generate KeyStore for SAP PI / PO?

  1. First, make sure that you have JDK or JRE installed on the local system.
  2. Now, set the JAVA_HOME parameter to JDK or JRE folder. 

    java home
  3. As you can see, JAVA_HOME is being set properly by running echo %JAVA_HOME%. This will show the path to JRE or JDK.
  4. Next, we need to create a KeyStore. Open KeyStore Explorer (this is a freeware and can be downloaded from, and go to ‘Create a new KeyStore’. PI/PO needs PKCS12, so select that option.

    key store
  5. Fill in the required entries.

     required entries
  6. Now generate the CSR Request. 

    CSR request
  7. Send the CSR request to a certificate issuing authority. Please ask them to provide them the CA certification as well. 
  8. Once CSR response is received, go to the KeyStore explorer, and open the Private Key.

    Private Key
  9. Import the CSR Response.

     CSR Response

  10. Login to SAP PI/PO, and go to “Certs”->TrustedCA’s. Also, import the Private Key. 

    import the Private Key
  11. Click ‘Import CSR Response’.

    Import CSR Respons
  12. Click ‘Choose File’, select the CA certification, press ‘Add’, and select the CSR response.

    CSR response
  13. Select ‘Import’. This should show you the Private Key as well as the certificate for it.

  14. Once done, make sure that the SSL certificate chain associate with the HTTPS URL is also imported in the PI. 
  15. Open the SSL URL in the browser, and download all the SSL certificates.

    SSL certificates
  16. Import certificates in Certs->TrustedCA.


    SSL certificates
  17. In the communication channel, specify the Private Key. There is no need to specify the SSL certificates in the communication channel. 

      communication channel

Using the above-mentioned steps, you can successfully setup client certificate authentication in SAP PI/PO. Please note that some vendors accept self-signed certificates. In such a case, you can generate the CSR Response by yourself (no need to send CSR request to certification-signing authority). However, the majority of the vendors need certificates signed by third-party authorities. When such a scenario runs by, you need to send CSR request to them, and pay a certain fee to get the CSR Response back.

Wrapping Up

Kellton Tech has diverse experience in rolling out critical SAP implementation services and cater to complex requirements of our clients through agile processes. From innovation, design to development and delivery, our experts are well-equipped to address end-to-end needs in a tailor-made approach and infuse the DNA of your organization with business intelligence. If you are uncertain about how to enable client certification for SAP PI/PO or making a stumbling progress, stop everything and hire our SAP experts now.