Skip to Content

When and how to update your SAP Cloud for Customer SSL Client Certificate

Recently our messages from SAP CRM to SAP Cloud for Customer (C4C) stopped working. Everything said it went out from NW PI correctly, but there were no messages in the XML monitor on C4C.  In our keystore on NW PI, we could see that our key was expired.


This was the first time this had happened to us and this is what we learned.   In the Application and User Management work center, you can see when the certificates you are using will expire by selection Communication Certificates. 


Here is one from an SAP internal system that has a certificate that expires in July 2015. When we looked at ours it expired in October, 2014. This meant no messages were going from NW PI to C4C.


To fix this we went to the one of the inbound communication arrangements, for example Business Partner Replication from External System, in the inbound communication settings we selected View All, Technical Data,  Edit Credentials.   We then had to select Create and Download Key Pair.  This created a PKCS#12 file.  During the generation the expiration date was updated.  Notice it is now 20150718.  


Once you do this, when you return to the Communication Certificates in the Application and User Management work center, there is a new expiration date. 

We also had to take the certificate and import it into the PI Keystore.  Then the keystore is green.


The first time we did this we updated the keystore from the Communication Channel Template and we thought we had to change every template.  We then figured out we just had to upload to the NW PI keystore and restart the PI SSL service.   

If you are using HCI, you must upload the new certificate to every integration flow.  

That’s it!  It seems straight forward now, but when the error happened, at first we didn’t know why the messages were failing.  We used another tool XPI Inspector that told us there was a security error.   Moving forward we will monitor the date in C4C and also in the NWA keystore to know when they will expire.  We’ve requested SAP notify customers when the C4C keystore will be expired so we can fix this before the problem happens.  So, go check the dates on your certificates!

You must be Logged on to comment or reply to a post.
  • Dear All ,

    We are getting below error while send the Business partner from C4C to ECC Via PO . we have done all basic setting belongs integration . but still getting below error

    Note : 1.Basically we can able to post the data with the  URL  from SOAPUI .
    2: when i check the service monitoring after created new customer in SAP C4C the parent message id status {successful {
    3.But when i checked child message its showing below message .

    Please help on this .

    SRT: Processing error in Internet Communication Framework: ("ICF Error when receiving the response: ICM_HTTP_SSL_ERROR")


  • Hello Barbara,
    great article, thanks for sharing.

    I have a question for you: we are currently using the scenario C4C – HCI – ERP.

    For the Outbound communication (C4C > ERP), we downloaded the C4C client certificate from a communication arrangement and uploaded it in the various integration flows on HCI.

    For the Inbound communication (ERP > C4C), in the inbound certificate section of the communication arrangement we uploaded our HCI client certificate provided by SAP.

    How  can we renew the C4C client certificate (only used for outbound communication) without deleting and reuploading the HCI certificate in every communication arrangement?