Skip to Content

How to Load keys and certificates in SAP PI 7.3, SAP PO 7.3 EHP1 NWA’s Key Storage

In order to support signing and encryption in integration scenarios with SAP Process Orchestration (PO) and/or SAP Process Integration (PI) it is often necessary to load and access public/private keys and certificates from the Key Storage. This blog describes the steps required in order to use that functionality from the Key Storage of SAP NetWeaver. The keys and certificates will be used by a custom adapter module running on SAP PO 7.3 EHP1, but the same procedure can be applied when using standard PI adapters.


  • Integration scenario is Java-only (Advanced Adapter Engine)
  • Keys / Certificates are supplied with the correct size and supported format.
  • Loaded Key pairs (keystore) are of the type .JKS
  • PI and administrator access right to the SAP NetWeaver Administrator tools.

Step 1.  Go to the NetWeaver Administrator page: http://<host>:<port>/nwa


Step 2. Log in to NWA.


Step 3. From NWA, enter “keys” as search query and press Enter.


Step 4. You should now see a window like the one below. Click on Key Storage.


Step 5. On the Key Storage View select “TrustedCA” from the top rows. We are only interested in this type of entry.


Step 6. Click on Import Entry” and select PKCS # 12 Key Pair” as entry type. << Please select the corresponding entry type depending on your own requirements.



Step 7. Browse to the key/certificate stored on your local file system or network, and specify the corresponding password. Click Import” and verify if key was succesfully imported by pressing the tab “View Entriesthe new key to search. A new entry with your key name must appear on the list.


Step 8. From now on your applications (including adapter modules and custom adapters) running on top of the SAP NetWeaver Java Application Server can use (certificates, public and private keys) keys stored on the “TrustedCA’s” keystore.


You must be Logged on to comment or reply to a post.
  • Hi Roberto,


    I referred your blog to perform the same activity and observed that my certificate has an invalid period. After creating the new entries, I see the status as red with expiry date problem.


    Would I need to ask for the FTPs certificate with new valid date or can i moved ahead with the config?




    • Hi Rebecca,


      In my case I also faced the same situation with an almost expired certificate. My experience is that as long as the ceritifcate or key is not really expired, you can carry on with your developments. However, it's good to warn your certificate provider about the expiration date of the certificate so you can replace it on time.


      Cheers, Roberto

  • It is important to note that it is recommended to restart the service in case the SSL certificates are not recognized


    Follow the steps in the NWA to restart SSL Provider:


    1-Operation Management-> Systems-> Start & Stop

    2-JAVA-EE Services> SSL Provider-> Restart


    Best Regards.

    • Yes, I guess the NWA keystore can be used for that purpose too but I don't know if the newest B2B addon modules (such as PGP) also provides that functionality from within the module itself.

  • Hi Roberto,


    I tried as you instruct, but I got the following error during import new PKCS#12 key pair:


    ERROR:  -> ID21108: Padding error: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 46.


    What for a problem?




      • Hi Roberto,


        thank you for your reply!


        jks file?


        What I did includs the following steps:

        1. I got the public and private key from customer.

        2. according to the thread


        I imported the public key into the puttygen and export OpenSSH key with name: sftp_test.pem.


        3. in cygwin with OpenSSL utiltiy I converted sftp.test.pem into x509testcert.pem

        It looks like:

        -----BEGIN CERTIFICATE-----



















        -----END CERTIFICATE-----


        4. converted x509testcert.pem into sftp_test.p12.


        5. import sftp_test.p12 into NW keystore and get the above error:

        ERROR:  -> ID21108: Padding error: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 46.


        What for a problem I could make?


        Thanks and nice Weekend