Skip to Content

How to generate and install a self-signed PKCS12 certificate for SLD of B1 90 or B1H 9.0 or higher version?

Since B1 9.0 and B1H 9.0, a System Landscape Directory (SLD) component has been introduced to manage the all the services of SAP Business One, which is a web application hosted in a tomcat with only SSL connection(https) enabled for secure access.

If you get a warning message “There is a problem with this website’s security certificate.”, when opening the SLD from browsers.

This security enhancement also apply to licenser server of B1H 90, which provides new RESTful License Bridge interfaces to License Manager(More details available in: You may get some error about failure of set up SSL connection in your 3rd party solution, which try to connect the new license API.

It is most likely due to no proper certificate installed in during SLD installation, or  no proper certificate issued from SLD installed in you browser or machine. You can find more details about the sections of SLD and Secure Transportation Layer in the administrator guide of SAP Business One.

This document aims to guide you through how to generate and install a PKCS12 certificate to SLD of SAP Business One 9.0 or SAP Business One, version for SAP HANA 9.0.

1.What is PKCS12?
Definitions quote from Wikipedia:
“In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.[1]

A PKCS #12 file may be encrypted and signed. The internal storage containers, called “SafeBags”, may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer’s choice. [2][3]

PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.”

2: How to Generate a PKCS12 keystore and export as certificate?

PKCS12 file generation should be prior to the installation of ServerComponent of B1H 9.0, for the PKCS 12 file may be required if you would like to install the certificate during the installation of B1H.

There are a couple of tools to generate PKCS#12 files(.p12), such as openssl:

However, this document will introduce you how to generate a PKCS12 file with keytool from JVM, which is a standard tool shipped as part of JVM.

Note: The following steps can be run in windows or linux where you have a JVM installed.

Step 1: Check if JDK installed, if not, please download and install JDK.
Step 2: Generate a PKCS12 keystore(.p12 file)

1).Go to the bin folder of JVM with command line:
cd <your jvm path>/bin

2)Generate the key store with command:
./keytool -genkey -alias sld -validity 3650 -keyalg RSA -keystore <A_Stable_folder>/https.p12 -storepass YourKeyPassword -storetype PKCS12

keytool.exe -genkey -alias sld -validity 3650 -keyalg RSA -keystore <A_Stable_folder>/https.p12 -storepass YourKeyPassword -storetype PKCS12

Note: -Please specify a <A_Stable_folder> to store the key store and certificate.-Please replace YourKeyPassword and remember it, which will be used to install the certificate later on.-File name (https.p12) and Alias (sld) are just examples, they can be other names.-There is a section about 8.8 Transport Level Security(page#126) in admin guide, may you refer to guide for explanation.

The following questions will popup.

What is your first and last name?

  [Unknown]:  <your hana host name>

What is the name of your organizational unit?

  [Unknown]:  <your hana host name>

What is the name of your organization?

  [Unknown]:  <your hana host name>

What is the name of your City or Locality?

  [Unknown]:  <your hana host name>

What is the name of your State or Province?

  [Unknown]:  <your hana host name>

What is the two-letter country code for this unit?

  [Unknown]:  <your hana host name>

Is CN=<your hana host name>, OU=<your hana host name>, O=<your hana host name>, L=<your hana host name>, ST=<your hana host name>, C=<your hana host name> correct?

  [no]:  yes

Then you can find the https.p12 file generated in <A_Stable_folder>

Step 3: Export the certificate with command with keytool:  

./keytool -export -alias sld -file <A_Stable_folder>/sld.crt -keystore https.p12 -storetype PKCS12
-export -alias sld -file <A_Stable_folder>/sld.crt -keystore https.p12 -storetype PKCS12

It will ask for the password of your key store.

Then you will find the sld.crt certificate generate in the <A_Stable_folder>.(which need to be copied to your window server, double click to select install as trusted root.)

3: How to install a PKCS12 certificate for SLD of SAP Business One 9.0 or SAP Business One, version for SAP HANA 9.0?

During the installation the ServerComponent. Please specify a PKCS12 store and certificate password. Select the https.p12 created in step 2 and enter the password for the key store.

4.How to Update the certificate for SLD?

Since PL13 of B1 90 and B1H 90, a tool is published by SAP to enable you to update the certificate post installation of ServerTools of B1 90 or Server Component of B1H 90. You can find more details in SAP note 2046101  

5: How to install the certificate of SLD into a Windows machine where you would like to access SLD or License Manager interfaces?

1).Copy the sld.crt certificate file to the window server

2).Double click the sld.ct to install the certificate,  in the select certificate store window, select the certificate store Trusted Root Certificate.

To install the certificate in IE, please refer the page#131 of admin guide.

You must be Logged on to comment or reply to a post.
  • Great article, Yatsea.

    Just want to add this: since PL13, a new tool is available for updating the certificate after installation for both 9.0 on SQL and HANA. See SAP Note 2046101 for details.

    • Hi San,


      Thanks for the suggestion. I just added another session about 4.How to Update the certificate for SLD.


      Kind Regards, Yatsea