When and how to update your SAP Cloud for Customer SSL Client Certificate
Recently our messages from SAP CRM to SAP Cloud for Customer (C4C) stopped working. Everything said it went out from NW PI correctly, but there were no messages in the XML monitor on C4C. In our keystore on NW PI, we could see that our key was expired.
This was the first time this had happened to us and this is what we learned. In the Application and User Management work center, you can see when the certificates you are using will expire by selection Communication Certificates.
Here is one from an SAP internal system that has a certificate that expires in July 2015. When we looked at ours it expired in October, 2014. This meant no messages were going from NW PI to C4C.
To fix this we went to the one of the inbound communication arrangements, for example Business Partner Replication from External System, in the inbound communication settings we selected View All, Technical Data, Edit Credentials. We then had to select Create and Download Key Pair. This created a PKCS#12 file. During the generation the expiration date was updated. Notice it is now 20150718.
Once you do this, when you return to the Communication Certificates in the Application and User Management work center, there is a new expiration date.
We also had to take the certificate and import it into the PI Keystore. Then the keystore is green.
The first time we did this we updated the keystore from the Communication Channel Template and we thought we had to change every template. We then figured out we just had to upload to the NW PI keystore and restart the PI SSL service.
If you are using HCI, you must upload the new certificate to every integration flow.
That’s it! It seems straight forward now, but when the error happened, at first we didn’t know why the messages were failing. We used another tool XPI Inspector that told us there was a security error. Moving forward we will monitor the date in C4C and also in the NWA keystore to know when they will expire. We’ve requested SAP notify customers when the C4C keystore will be expired so we can fix this before the problem happens. So, go check the dates on your certificates!