Skip to Content
Technical Articles
Author's profile photo Daniil Bolobonov

Step-by-step Guide to Set Up Inbound Client Certificate Authentication, Cloud Foundry Environment

This blog post aims to provide you with a step-by-step tutorial on how to generate a client certificate (issued by SAP) and use it to trigger integration flow deployed on SAP Cloud Integration tenant in the Cloud Foundry environment. In this example we will be using Postman to mock a sender system.

Please refer to SAP Help Portal documentation Client Certificate Authentication for Integration Flow Processing for any additional information on the process.

Configure and Deploy Integration Flow

In this example we will use a simple integration flow with a single step – Groovy Script. This iFlow is configured to generate a response based of the payload it was initialized with.

You, however, can use any other integration flow of your choice. Just make sure to connect Sender with Start step via HTTPS adapter.

In the HTTPS adapter settings navigate to Connections tab and specify address path to your liking (I opted for ‘/clientCertAuth’). Make sure to set Authorization as ‘User Role’. You can either leave User Role parameter as ‘ESBMessaging.send’ (which is default) or specify a custom role (see Managing User Roles, Cloud Foundry Environment for details).

If you have made any changes to your integration flow, make sure to save it and deploy.

Create Service Instance and Service Key in SAP BTP Cockpit

Next, we need to generate a client certificate that we can use to authenticate a sender when calling the integration flow that we have just deployed. This can be done quite easily in SAP BTP Cockpit.

Please go through Creating Service Instance guide and create an instance with ‘integration-flow’ service plan.

Then go through Creating Service Key guide and create a service key with a ‘Certificate’ key type.

With that, you should be presented with a credentials of the key in JSON format. Click ‘Download’ to store the file on your device.

Create Certificate and Key Files

Next, we need to retrieve certificate and key pair values, format and save them in the separate files.

For that, open the .txt file you have just downloaded, locate ‘certificate’ attribute, copy its value (it starts with ‘—–BEGIN CERTIFICATE—–’ and ends with ‘—–END CERTIFICATE—–\n’) and paste into your favorite text/code editor (I have used VSCode).

Now, we need to format the certificate by replacing all ‘\n’ occurrences with line breaks. To achieve this task, you can utilize Find & Replace feature of your editor.

Validate that your certificate looks similar to the one on the screenshot below:

Notice that there are in fact 3 certificates bundled in one – that is because Process Integration Runtime service instance generates a PEM-encoded certificate chain. The certificate chain contains a root certificate supported by SAP (see Load Balancer Root Certificates Supported by SAP).

Save the certificate with .pem extension – I named it as ‘cert.pem’.

Now, we need to do the same formatting for a key pair. Locate ‘key’ attribute in the same .txt file (it starts with ‘—–BEGIN RSA PRIVATE KEY—–’ and ends with ‘—–END RSA PRIVATE KEY—–\n’), paste the value into your favorite text/code editor and replace all ‘\n’ occurrences so it looks similar to the one on the screenshot below:

Save the key pair with .key extension – I named it as ‘key.key’.

Note: in case your text editor (e.g., Notepad++) doesn’t provide an option to replace all ‘\n’ occurrences with line breaks, what you can do is the following:
Click on Service Key you’ve created to open credentials information, select ‘Form’ tab and copy contents of certificate attribute (here you can see that it doesn’t have any ‘\n’ characters).

Paste the certificate value to your text editor and format it by adding line breaks before and after ‘—–BEGIN CERTIFICATE—–‘ and ‘—–END CERTIFICATE—–‘, so that it looks similar to the one below (remove all ‘\n’ characters as well if they are automatically added by your text editor)

Save the file with .pem extension.

Proceed with doing the same for key attribute. Make sure that it has the similar structure to the key you see on the screenshot below.

Save the file with .key extension.

Set Up Postman Environment and Send the Request

In your Postman application open Settings.

Navigate to Certificates tab and click on ‘Add Certificate’.

Locate ‘url’ attribute in your .txt file, copy its value (everything apart from https://) – this is your Host. Attach .pem file (as CRT file) and .key file. Finally, click on ‘Add’.

Next, add new request in Postman and enter the endpoint of your deployed integration flow as a request URL. You can grab this URL from Cloud Integration Web UI by navigating to Monitor -> Manage Integration Content.

Finally, set Authorization Type as ‘No Auth’ and send.

In case you have received 200 OK response code – congratulations, you have successfully configured inbound client certificate authentication!

This concludes the step-by-step guide on how to set up inbound client certificate authentication for SAP Cloud Integration in Cloud Foundry environment. By following steps described above you should be able to generate a certificate and a key pair issued by SAP and use them to authenticate a sender when executing a call to Cloud Integration iFlow.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Martin Pankraz
      Martin Pankraz

      Hi Daniil Bolobonov,

      thanks for sharing. There is quite the large amount of this kind of CPI posts about certificate handling already since 2017 like this one by Mandy. I'd like to see more emphasis on actually operationalising the approach. Certificates expire and handling them on individual iFlow level for hundreds of interfaces is impractical.

      Have a look at this post for instance to automatically synch secrets across multiple CPI tenants. In addition to that the feature to assign a technical user with certificates and re-use as availavable in the NEO environment would key to ease the burden of maintainance. It would be a lot more helpful to see content around those lines.

      Thanks for bringing topics back up again in the community.



      Author's profile photo Daniil Bolobonov
      Daniil Bolobonov
      Blog Post Author

      Hi Martin,

      Thank you for your comment!

      Indeed, there are quite some blogs and documentation on this topic. However, we saw that some customers were still struggling with the setup. Therefore, we decided to come up with this detailed step-by-step guide.

      Regarding operational topic. Please note that the client certificate can be reused for many iFlows. In case of this blog, the certificate and the key pair generated here can be reused for every iFlow on a tennant that has ‘ESBMessaging.send’ as User Role parameter in a sender adapter configuration. There is definitely no need to handle certificates on individual iFlow level. Also, please note that validity period of certificate can be configured up to 365 days.

      That said, I agree that blogs that focus on operational side of things (like the one you’ve shared) are really helpful and bring a lot of value. We will definitely review what approach can be suggested here and invite you to collaborate as well!

      Best regards,


      Author's profile photo Vidyadhar Kurmala
      Vidyadhar Kurmala

      Hi Daniil Bolobonov,

      To establish connectivity between S4 and CPI via CERT based authentication, can we import these .pem and .key file into SSL Standard PSE of SAP S4 via STRUST t-code? or this method works only with third parties i.e. non SAP?



      Author's profile photo Daniil Bolobonov
      Daniil Bolobonov
      Blog Post Author

      Hi Vidyadhar Kurmala,

      Yes, you can use these files to establish connectivity between S/4HANA and Cloud Integration.

      You may need to generate .pfx out of .pem and .key. You can do it with the help of openssl, e.g.:

      openssl pkcs12 -export -inkey key.key -in cert.pem -out cert.pfx

      Then you can import this .pfx certificate to S/4HANA via STRUST.

      Also, make sure to import CA certificates to Certificate List in STRUST, so it look similar to this:

      You can find the info on how to download those files from you Cloud Integration tennant in 'Configurations in Sender System’ section of this blog

      Hope this helps.

      Best Regards,

      Author's profile photo Vidyadhar Kurmala
      Vidyadhar Kurmala

      Hi Daniil Bolobonov,

      Thank you very much for your quick response! I worked with Basis few years ago to import the same kind of certs in SAP ECC to establish connectivity between ECC and Neo cloud integration, however during that time, we followed these steps

      1. Create a certificate request in STRUST.
      2. Export the request and get it signed by SAP Trusted list (GoDaddy or DIgicert) by paying certain amount to accept it by CPI load balancer.
      3. import the Signed CSR into Strust.
      4. Add this signed cert to "Certificate to user mapping" in Neo cloud integration overview screen.

      In this scenario, i.e. S4 to CF Cloud integration, since BTP is giving option to choose the certificate while creating the service key, so I believe we can avoid the additional amount to SAP trusted partners to get signed the certificate request and establish connectivity between S4 and CPI by importing the converted pfx file into STRUST.


      Vidyadhar K

      Author's profile photo Daniil Bolobonov
      Daniil Bolobonov
      Blog Post Author

      Hi Vidyadhar Kurmala

      Yes, SAP certificate generated by SAP BTP is already signed. So, as you said, you can just import converted ,pfx file into STRUST (together with Load Balancer Root Certificate). So, no need to sign anything separately.

      Best regards,