How to Generate and Import SSH Keys in SAP PI/PO?

SSH keys are used as an alternative for password-based authentication. They are effective in simplifying and accelerating the login process when a user tries to access the cloud server. Below, we have provided a step-to-step guide to generating and importing SSH keys in SAP PI/PO based on the two most popular open-source tools—PuttyGen and OpenSSL. Follow these instructions if you’re a novice and willing to learn the entire process of setting up SSH keys in a flash. 

Step 1: Generate a brand new SSH key. 

  • Open Putty Key Gen.
ssh key


  • Click “Generate.”
PuTTy Key


  • Below is how the generated key will look like. 
PuTTy Key Generator
  • Save the public and private keys on your system.
Save Public Key


Save Private Key

Step 2: Open PuttyGen and load the private key that was exported in Step 1.

PuTTy Key Generator1
  • Click “Conversions” and export OpenSSH key.
PuTTy key Generator2
  • Save the file with .pem extension. 
Save Private Key 1


So far, we have generated three keys:

  • .pem is the ppk file exported from Putty in “OpenSSHFormat.”
  • .ppk is generated from PuttyGen.
  • .txt is the public key.


Step 3: If this is the first time you are using Open SSL, you may need to add it to the Environment Variable.



Environment Variable


Open command prompt (may need to be in Administrator mode) and test the Variable:



  • Copy the .pem version of the private key in Openssl >> Bin Folder.
  • Open Command Prompt and navigate to Openssl >> Bin Folder.
Command Prompt


Specify the command.

Command prompt


  • The command has to be in the below format: openssl req -new -x509 -days 3650 -key <PrivateKey.pem> -out <x509_PrivateKey.pem>
Note: In the above example, 3650 is used to give 10 years key. If you want to generate two-year key, specify 730 (i.e. 365*2)
  • Going ahead, answer the below questions and soon x509 certificate will be generated. 
Command Prompt 2


  • Now, generate the PKCS12 key for it.
  • The command has to be in the below format: openssl pkcs12 -export -in <x509_PrivateKey.pem> -inkey <PrivateKey.pem> -out <PrivateKey.p12>

Step 4: Here, we need to import the PKCS 12 in PI/PO. Login to NWA on PI/PO server and go to “Certificates and Keys: Key Storage.” If you already see a “View” for SFTP, use it or create your own view. 

  • Click “Import Entry.”
  • Select PKCS12 and give the .p12 key name. Specify a password.


Entry Point


  • The key is imported successfully.


Step 5: Specify this key in the PI/PO Communication channel as needed.



That’s a wrap to this guide on generating and importing SSH keys in SAP PI/PO. Following these instructions, you can also create expiring or non-expiring SSH keys and import them successfully. The private keys are stored in NWA of SAP PI/PO and must never be shared. The public keys may be shared with the SSH server where you need to connect.