Joerg Aldinger

How to renew your SAP B1 Authentication Service Certificate

Hello all,

If you are like me, you don’t like paying for something that is available for free. SSL certificates are one such example. Letsencrypt is a great service for free SSL certificates, if you know a little scripting to automate it all. We have been using Letsencrypt certificates in B1 installations of all types and for all kinds of services for several years now: ServiceLayer, SLD (Mobile Service), B1 Integration Framework, API Gateway, etc.

With SAP Business One 10.0 FP2208 a new service was introduced: The authentication service used for IAM (Identity and Access Management).

Unfortunately, no official documentation (that I know of) has been released specifying how to update the certificate used for the service, which by default runs on port 40020.

So here is our procedure to update the certificate (which in the case of Letsencrypt regularly renews every 60 days by default).

First of all, during the upgrade of any installation, be aware that the authentication service by default uses the certificate used during the previous installation or upgrade, from the installation path (not from the currently running path). Since that is very likely at least a few months back, you will probably end up with an expired certificate on the authentication service immediately after the upgrade. It is important to note, however, that the same password is used for the initialization of the keystore.

So be sure to know your certificate password: it is used both in the original keystore “your-certificate.p12” and in the destination keystore “keycloak.jks”.

Now, with your updated certificate downloaded (or generated on the same server), you can use the following command to update the Java Keystore used by the authentication service:

/usr/sap/SAPBusinessOne/Common/sapmachine_11/bin/keytool \
  -importkeystore \
  -deststorepass "VerySecretP@ssword" \
  -destkeypass "VerySecretP@ssword" \
  -destkeystore /usr/sap/SAPBusinessOne/Common/keycloak/standalone/configuration/keycloak.jks \
  -srckeystore your-certificate.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass "VerySecretP@ssword" \
  -alias 1

You can of course skip the backslashes if you write the command on a single line.

Once that completes successfully, just restart the authentication service:

service sapb1servertools-authentication restart

And you should be good to go.

If you want to check that the service is responding with the renewed certificate, you can use the following command:

openssl s_client \
  -showcerts \
  -servername localhost \
  -connect localhost:40020 </dev/null 2>/dev/null \
  | openssl x509 -text \
  | sed -n "s/^.*Not After : \(.*\)$/\1/p"

This is what you should be seeing, confirming that the deployed certificate is indeed valid until April 21, 2023, in this case:

I hope this information is helpful!

All the best,
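
The verification step above, extended into a check that can run after each renewal (an added example, not part of the original post): it compares the certificate served on port 40020 with the one in your-certificate.p12 and fails if they differ or if expiry is near. The function names, the P12_PASS environment variable and the 30-day default are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original article. Function names, the P12_PASS
# variable and the 30-day default are assumptions of this example.

# Leaf certificate presented by HOST PORT, as PEM on stdout.
served_cert() {
  openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null |
    openssl x509 -outform PEM 2>/dev/null
}

# Leaf certificate inside a PKCS#12 file, as PEM on stdout. The password comes
# from the environment (P12_PASS), so it is not passed as a command-line argument.
p12_cert() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null |
    openssl x509 -outform PEM 2>/dev/null
}

# SHA-256 fingerprint of the PEM certificate on stdin (empty if unparsable).
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# compare_certs SERVED_PEM EXPECTED_PEM MIN_DAYS
# Returns 0 only if both are the same certificate and it stays valid MIN_DAYS.
compare_certs() {
  served_fp=$(printf '%s\n' "$1" | fingerprint)
  expected_fp=$(printf '%s\n' "$2" | fingerprint)
  if [ -z "$served_fp" ] || [ "$served_fp" != "$expected_fp" ]; then
    echo "service does not present the renewed certificate" >&2
    return 1
  fi
  if ! printf '%s\n' "$1" | openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null; then
    echo "certificate expires within $3 days" >&2
    return 1
  fi
  echo "OK, $(printf '%s\n' "$1" | openssl x509 -noout -enddate)"
}

# verify_renewal P12_FILE [HOST] [PORT] [MIN_DAYS]; defaults follow the article.
verify_renewal() {
  compare_certs "$(served_cert "${2:-localhost}" "${3:-40020}")" \
                "$(p12_cert "$1")" "${4:-30}"
}
```

With P12_PASS exported, calling verify_renewal your-certificate.p12 after the service restart returns non-zero when the old certificate is still being served, so a renewal job can fail loudly instead of silently.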


      Darius Heydarian

      Thank you Joerg, sharing is caring!

      This is what makes our SME Ecosystem so special in the market, we stand up for each other.

      I forwarded your feedback right away to our user assistance colleagues to check the existing documentation and will give you an update on this soon.

      Long time no see, I hope we can see again soon,

      Darius Heydarian

      Hi Joerg,

      we added the following new topics in the IAM guide:

      Renewing the Security Certificate

      Changing the Port Number for Authentication Service

      The topics have been published on the SAP Help Portal.

      Best regards,