Author: Michael Van Cutsem

How to Guide – XCA Quick Start Guide

This tutorial comes as an extension to the blog post: “How to Guide – Principal Propagation in an HTTPS scenario”.  In that context, a couple of certificates had to be created to configure the SAP Cloud Connector.  Due to the specific requirements of one of those required certificates we couldn’t use the internal services offered by SAP to sign the certificate.  XCA seemed to be a light and easy way to achieve those tasks of creating and signing certificates.  It also provides enough flexibility to set the specific properties required.

XCA is a tool distributed under BSD license and thus can be used freely without restriction.

Creating a database

The very first time you use XCA, you have to create a database that holds all the security assets XCA works with: private and public keys, certificates, certificate signing requests, …

Go to “File” menu then select “New Database”

Provide a name to the database you are about to create and press “Save”.

Provide a password for the database and press “Ok”.

You will see that the interface changes slightly.  The lists in the app are still empty, but column headers are now present.

The first step is then to create a Root Certificate that will be used to sign all the certificates we generate and all the certificate signing requests we receive.

Creating a Root Certificate

Go to the third tab of the interface called “Certificates”

Click on “New Certificate” button

Verify that the appropriate signature algorithm is selected (the default, SHA-1, can be changed in the properties of the tool; SHA-1 signatures are no longer accepted by modern browsers and TLS libraries, so choose SHA-256 or stronger).  Also ensure that CA is selected as the template for the new certificate.

Then move to the second tab, “Subject”

Provide the relevant data for the Distinguished Name

Generate a new key for this certificate.  Click on the button at the bottom “Generate a new key”.

Move to the next tab, “Extensions”.

Select “Certificate Authority” as Type.

Move to the next tab, “Key usage”, and select the highlighted properties in the screenshot below.

Then press the “OK” button to complete.

Press “OK”

Inspecting a certificate

To inspect the certificate that has just been created, double-click on it.

Creating an identity certificate

Click the “New Certificate” button.

Select the certificate that will sign the certificate you are about to build.

Select the signature algorithm

Ensure that the template used is “HTTPS_client”

Then move on to the next tab, “Subject”

Provide the relevant information for the Distinguished Name

Generate a new key for this certificate

Then move on to the next tab, “Extensions”

Select the “Type” as “End Entity”

Move to the next tab, “Key Usage”

Ensure that Digital Signature is selected

Press OK to complete the creation process

Signing a CSR

In the previous section, we have created a Root certificate using a CA template.  Now we will see how we can sign a CSR using that Root Certificate.

Importing a CSR

Go to the second tab of XCA, where all the CSRs available to the app are listed.

Click the “Import” button on the right.

Signing the CSR

Right-click on the CSR and select “Sign”

Select the checkbox “Sign this Certificate signing request” and double-check that the signing certificate is correctly referenced in the dropdown list next to the checkbox.

Check which certificate should be used to sign and the signature algorithm

Select “HTTPS_client” as the template to use for the new certificate you are about to build.

Then move on to the next tab, “Extensions”

Select “End Entity” as the “Type”

In the case of the certificate required to configure the “CA Certificate” of the SAP Cloud Connector, you have to ensure that the “Certificate Sign” property is enabled.  Remember that this certificate will be used to sign the short-lived certificates that the SAP Cloud Connector builds in the context of Principal Propagation.  The ability to sign other certificates is therefore crucial!

Press the “OK” button to complete the build

Now, if you expand the signing certificate in the certificate pane, you will see the certificate issued from the CSR underneath it.
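The same flow as the XCA click-through above (a Root CA built from the “CA” template, then a CSR signed with it, with “Certificate Sign” enabled as required for the Cloud Connector “CA Certificate”), as an added OpenSSL example that is not part of the original post. It assumes `openssl` 1.1.1 or newer on the PATH and writes into a scratch directory; the DNs, file names and validity periods are constructed. One caveat beyond the post: a certificate that issues other certificates also needs `basicConstraints CA:TRUE` for standard path validation, so the example sets it with `pathlen:0`, which limits the Cloud Connector CA to issuing end-entity certificates only. An “HTTPS_client” identity certificate differs only in its extension values (`CA:FALSE`, `digitalSignature`, `extendedKeyUsage = clientAuth`).

```shell
# Assumptions: openssl (1.1.1+) on PATH; WORK is a scratch directory (default: a temp dir).
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Root CA, equivalent to XCA's "CA" template: CA:TRUE, Certificate Sign + CRL Sign, SHA-256 signature.
make_root_ca() {
  cat > "$WORK/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo Root CA
O = Example
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/root.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# A CSR as another party (here: the Cloud Connector CA identity) would hand it to us for signing.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=scc-ca.example.test/O=Example" \
    -keyout "$WORK/scc.key" -out "$WORK/scc.csr" 2>/dev/null
}

# Sign the CSR. The extfile replaces XCA's "Extensions" and "Key usage" tabs: Certificate Sign is the
# property the post calls out; CA:TRUE with pathlen:0 lets this certificate issue end-entity
# certificates only, which is all the short-lived principal-propagation certificates need.
sign_csr() {
  cat > "$WORK/scc.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl x509 -req -sha256 -days 365 -in "$WORK/scc.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/scc.ext" -out "$WORK/scc.crt" 2>/dev/null
}

# Checks before handing the certificate over: is Certificate Sign really set, and does it chain to the root?
has_cert_sign() {
  openssl x509 -in "$WORK/scc.crt" -noout -text | grep -A1 "Key Usage" | grep -q "Certificate Sign"
}
chains_to_root() { openssl verify -CAfile "$WORK/root.crt" "$WORK/scc.crt" >/dev/null 2>&1; }

make_root_ca && make_csr && sign_csr && has_cert_sign && chains_to_root && echo "issued $WORK/scc.crt"
```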

      J A

      Hello Michael,

      Thanks for the information. I have one question: what's the purpose of the Identity certificate? Is this necessary for the Principal Propagation in an HTTPS Scenario?

      Best Regards,


      Michael Van Cutsem
      Blog Post Author

      Hi JA,

      The identity certificate is a security artifact that can be used in place of credentials to access a secured resource.  In the context of Principal Propagation, the short-lived certificate is an identity certificate: it identifies a user.

      Is the identity certificate a necessity?  No!

      In the overall configuration we have two parts: the security configuration, which dictates how the authentication should happen between the user and the platform, and the SSO mechanism, which takes place between the platform and the data source, the SAP system on premise.  While the second is principal propagation in this case, for the first one you can choose something other than certificate-based access, such as username and password for instance…

      Hope it helps.


      Bert Deterd

      Hi Michael,


      What is i063866 for a user? Is that your user you are logging into SCP with?

      Michael Van Cutsem
      Blog Post Author

      Yes, this is my SAP User ID...  You saw it at the bottom of some screenshots?


      Former Member

      Thanks for the information!


      What are the steps involved when it comes to validating the client certificate on the on premise custom solution?

      We have cloud identity installed on our custom app server which is identifying the user and issuing a valid certificate but we wanted to ensure that we have some secure way of validating it on our custom platform.

      Michael Van Cutsem
      Blog Post Author

      I am not sure I understood your question.

      To verify the client certificate on the SAP System there is a parameter in RZ10, icm/HTTPS/verify_client, which instructs the system to request a certificate from the client.  Then a second parameter, login/certificate_mapping_rulebased, will indicate how to interpret the certificates received. If the last parameter is not specified or set to false then you can use EXTID_DN to perform a manual mapping...

      If CERTRULE is used you will also need to define rules that dictate how to map the incoming certificate to a user in the SAP system.  If there is no way to match the user you won't be able to do anything...

      I don't know if this answers your question...