Cristiano Hansen

How to create the CSR and how to import the certificate response?

The process of creating a certificate request (CSR) and importing the certificate response received from the CA is not always as simple as it looks. The objective here is to make life easier using the principle: “a picture is worth a thousand words”.

How to create the CSR?

The first step is to double-click the web application server name:


Now click on the “Create Certificate Request” button:


Now it is possible to submit the CSR to any CA:


How to import the certificate response?

Once the response from the CA has arrived, it is possible to import the certificate response. Just click on the “Import Cert. Response” button, available in the “Own Certificate” section:


It is necessary to paste the certificate response along with the intermediate and the root certificate – there can be zero, one or more intermediate certificates.

In this example, there is only the root certificate, which is appended to the end of the block.

Finally, click on the green tick:


Note that there is now no “(Self-Signed)” message below the DN of the certificate (see green rectangle). Now save the PSE (see arrow):


If the release is lower than 7.02, the ICM processes need to be restarted (details in SAP note 510007):


By double-clicking the DN of the certificate, it is possible to see more information about it:


In higher releases, you will also find the Algorithm, the Key Length and SAN information.

The ICM should be restarted (again, if the release is lower than 7.02) via transaction code SMICM (confirm the restart of the ICM processes):


      Vladimir Demakov

      Thank you! Very helpful!

      Juan-Carlos Garcia-Garavito

      Thanks, although it would be better if the information is more complete.  Just an example:  You mention "Create Certificate Request", but what type of algorithm to use?  PSE or SHA?  but if SHA, then which type 1, 224, 256, 512?  A little more elaboration would be good or to point to specific links where that is explained better.  There are tons of notes and blogs about this, but so far not one that explains a step by step set of activities.

      Cristiano Hansen
      Blog Post Author

      Hi Juan-Carlos,

      I will create a more comprehensive blog, with detailed steps.

      As soon as it is ready, I'll reply to you again.

      Kind regards,


      Aditya Sehrawat

      Hi Cristiano,

      Is it ready? Please share the link if ready.




      SAP Basis

      Badalott .

      Hi Juan Carlos,

      Feel free to provide info to improve these wonderful hints provided by Cristiano.

      I haven't found any document warning about this issue: "It is necessary to paste the certificate response along with the intermediate and the root certificate – there can be no, one or more intermediate certificates."

      And, it is, indeed,  very helpful.


      Thanks a lot, Cristiano.


      Former Member

      Thank you Cristiano--this is very helpful.  As you said, it is slightly outdated (almost five years) so I will upload a newer version and give you due credit.  Thank you again!



      Saroop Reddy Chidirala

      Thanks for the detailed explanation. In one of my systems, when I did this, the signed certificate was missing under Instance-Specific, and when we open the https URL we are getting a message that the hostname in the website's security certificate differs from the website you are trying to visit.

      When we tried to check the certificate from the browser, we see that "issued by" shows * <FQDN>. When I imported the certificate response manually under Instance-Specific, the issue is fixed.

      My question is: when we import the signed certificate response, does it get automatically added to all the instances listed under SSL Server Standard --> Instance-Specific?