Skip to Content
Author's profile photo Barb JuddSDK

When and how to update your SAP Cloud for Customer SSL Client Certificate

Recently our messages from SAP CRM to SAP Cloud for Customer (C4C) stopped working. Everything said it went out from NW PI correctly, but there were no messages in the XML monitor on C4C.  In our keystore on NW PI, we could see that our key was expired.


This was the first time this had happened to us and this is what we learned.   In the Application and User Management work center, you can see when the certificates you are using will expire by selection Communication Certificates. 


Here is one from an SAP internal system that has a certificate that expires in July 2015. When we looked at ours it expired in October, 2014. This meant no messages were going from NW PI to C4C.


To fix this we went to the one of the inbound communication arrangements, for example Business Partner Replication from External System, in the inbound communication settings we selected View All, Technical Data,  Edit Credentials.   We then had to select Create and Download Key Pair.  This created a PKCS#12 file.  During the generation the expiration date was updated.  Notice it is now 20150718.  


Once you do this, when you return to the Communication Certificates in the Application and User Management work center, there is a new expiration date. 

We also had to take the certificate and import it into the PI Keystore.  Then the keystore is green.


The first time we did this we updated the keystore from the Communication Channel Template and we thought we had to change every template.  We then figured out we just had to upload to the NW PI keystore and restart the PI SSL service.   

If you are using HCI, you must upload the new certificate to every integration flow.  

That’s it!  It seems straight forward now, but when the error happened, at first we didn’t know why the messages were failing.  We used another tool XPI Inspector that told us there was a security error.   Moving forward we will monitor the date in C4C and also in the NWA keystore to know when they will expire.  We’ve requested SAP notify customers when the C4C keystore will be expired so we can fix this before the problem happens.  So, go check the dates on your certificates!

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Ginger Gatling
      Ginger Gatling

      Great tips!  Thanks for sharing the issue and how to resolve it!  I'll go check my certificate dates now!  Thanks!!!

      Author's profile photo Prakash Arunachalam
      Prakash Arunachalam

      Hi Barb,

      This is great and thanks for sharing the issue in a blog.



      Author's profile photo Harish Choudhary
      Harish Choudhary

      Hello Barb,

      This is great blog.. it will surely help..

      Thanks for sharing....



      Author's profile photo Former Member
      Former Member

      Dear All ,

      We are getting below error while send the Business partner from C4C to ECC Via PO . we have done all basic setting belongs integration . but still getting below error

      Note : 1.Basically we can able to post the data with the  URL  from SOAPUI .
      2: when i check the service monitoring after created new customer in SAP C4C the parent message id status {successful {
      3.But when i checked child message its showing below message .

      Please help on this .

      SRT: Processing error in Internet Communication Framework: ("ICF Error when receiving the response: ICM_HTTP_SSL_ERROR")


      Author's profile photo Barb JuddSDK
      Barb JuddSDK
      Blog Post Author

      Dear Pravenn,
      We have seen that error before when the web dispatcher is down.

      Author's profile photo Giulia Felappi
      Giulia Felappi

      Hello Barbara,
      great article, thanks for sharing.

      I have a question for you: we are currently using the scenario C4C – HCI – ERP.

      For the Outbound communication (C4C > ERP), we downloaded the C4C client certificate from a communication arrangement and uploaded it in the various integration flows on HCI.

      For the Inbound communication (ERP > C4C), in the inbound certificate section of the communication arrangement we uploaded our HCI client certificate provided by SAP.

      How  can we renew the C4C client certificate (only used for outbound communication) without deleting and reuploading the HCI certificate in every communication arrangement?