Former Member

How to use Digital Certificates for Signing & Encrypting Messages in XI

This weblog describes how to attach a digital signature to a message and encrypt it when the message is sent out using the mail adapter.

1. How to create a digital certificate in XI?

Log in to the Visual Admin tool in XI and select Service node -> Key storage -> TrustedCAs from the list of nodes.


In the Entry section, select the "Create" button to generate a new digital certificate.
If you already have the certificate, you can import it using the "Load" option as shown above.

Enter the following information when you create a digital certificate:


After entering the required information, select the check box "Store Certificate" and press the "Generate" button to generate the certificate.
The generated digital certificate is not trusted. There are some external organizations which can make certificates trusted.
We can also get certificates trusted by SAP.
SAP also provides trial certificates, which are valid for 8 weeks.

To get the certificate trusted by an external organization, place the cursor on the certificate you have created and
select the "Generate CSR request" button. The system will ask for the name of the file in which to store the request.


Open the file using Notepad and copy the content.


To get the trial certificate from SAP, log on to the Service Marketplace using the following URL


Select the option SSL Test server Certificates.


Select the "Test it now" button, copy the content of the client certificate request from the file, paste
it into the space provided and press Continue.


SAP will generate the test certificate as shown below. Copy the content into a text file.


Import the test certificate using the "Import CSR Response" option as shown below.


Now the certificate is trusted. We need to distribute the public key to the partners with whom we want to collaborate.

2. How to use digital certificates in XI?
While creating the communication channel for the mail adapter, select the S/MIME button as shown below.


In the Receiver agreement, enter the following parameters:

Security Profile : Sign & Encrypt
Enter the certificate for Signature
Enter the certificate for Encryption


These are the steps involved in configuring digital signature and encryption for the mail adapter.
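
The key roles behind the steps above (CSR, CA response, signing with your own private key, encrypting with the partner's certificate) can be reproduced outside XI with the OpenSSL command line. This is an added example, not part of the original weblog: the local CA, the names `xi` and `partner`, the subjects and the payload are constructed, and the 56-day validity only mirrors the 8-week trial certificate.

```sh
#!/bin/sh
# Added illustration: constructed names, subjects and payload. The local CA
# below stands in for the external CA that answers the CSR.
WORK=$(mktemp -d)

# make_party NAME: key pair + CSR, then the CA's signed response for it.
make_party() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  # The CSR carries the public key and a self-signature, never the private key.
  openssl req -in "$WORK/$1.csr" -noout -verify >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 56 -out "$WORK/$1.pem" 2>/dev/null
}

setup() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 56 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
  make_party xi && make_party partner &&
  printf 'constructed payload\n' > "$WORK/msg.txt"
}

# send: sign with the sender's own private key, then encrypt to the
# partner's certificate (public key only). AES-256 is requested explicitly
# because older OpenSSL releases default to a weak cipher.
send() {
  openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/xi.pem" \
    -inkey "$WORK/xi.key" -out "$WORK/signed.eml" 2>/dev/null &&
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
    -out "$WORK/mail.eml" "$WORK/partner.pem"
}

# receive NAME: decrypt with NAME's private key, verify the signer's chain
# against the CA, print the recovered text. Fails if either step fails.
receive() {
  openssl smime -decrypt -in "$WORK/mail.eml" -recip "$WORK/$1.pem" \
    -inkey "$WORK/$1.key" -out "$WORK/dec.eml" 2>/dev/null &&
  openssl smime -verify -in "$WORK/dec.eml" -CAfile "$WORK/ca.pem" \
    -out "$WORK/out.txt" 2>/dev/null &&
  tr -d '\r' < "$WORK/out.txt"
}

setup && send && receive partner   # prints the payload
```

Only `partner.key` can open `mail.eml`, and the signature is accepted only when the signer's certificate chains to the CA passed with `-CAfile`.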

      Former Member
      You have given a detailed explanation. Keep up the good work.


      Jian Yang
      Hi, could you please explain a little about the key used for the encryption? Where is the key coming from, etc.?


      Former Member
      Blog Post Author
      When you want to encrypt a message, you need to get the public key from the partner, import it into XI and use it in the Receiver agreement. The receiver will be using the private key to decrypt the message.

      Henrique Pinto
      Hey V,

      nice overview on keystore for digital signatures.

      However, I don't think it is a good idea to maintain your end certificate in the Trusted CAs view. It is intended for the Certification Authorities' certificates only (a CA certificate is the topmost certificate in the certification chain of a properly signed certificate).

      You should use this view if you wanted to use a certificate which was signed by a CA which is not in the Trusted CAs list, then you would import the CA certificate (and only it) in the Trusted CAs view.

      For your end certificates (the certificates which you'll be actually using in your applications), a better approach would be to use a standard end-certificate view (such as the "Default" view) or to create your custom view.



      Former Member

      You gave a really good overview of using encryption with the mail adapter, but what if I want to use encryption with SOAP or HTTP to consume a web service? Can you shed some light on this topic?

      In my case I need to use the PKCS7/CMS standard to do that.

      Thanks in advance.

      Former Member
      What kind of file do I request from my partner:
      certificate or key or both?
      And in which format?