Community
Integration Blog Posts
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Using Client Certificate Authentication in SAP CPI HTTP Receiver Adapter

jagadee
Explorer
‎2026 Feb 17 9:17 AM
2,241

Introduction

Hi friends, in this blog lets see how to configure the HTTP receiver adapter using client certificate auth type and step by step explain how a PKCS#12 (.p12) certificate is stored in the Keystore, which I have explored in my recent Integration flow development.

What is Client Certificate Authentication?

Client certificate authentication, also known as a mutual authentication method / mutual TLS (mTLS), ensures that:

  • The client (SAP CPI) authenticates itself to the server

  • The server also presents its certificate to CPI

  • Both sides trust each other using certificates issued by trusted CAs

Unlike basic or OAuth authentication, client certificate authentication relies on X.509 certificates and private keys, not usernames or tokens.
For more information about client certificate authentication, refer to the link:

https://help.sap.com/docs/integration-suite/sap-integration-suite/client-certificate-authentication-... 

Files Provided by the Partner

Our 3rd party client (receiver system) has provided 

  • certificate.crt — signed client certificate (after providing the signing request)

  • private_key.key — private key (We need to generate this via OpenSSL if it is a Production tenant)

  • certificate-chain.pem — intermediate/root CA certificates

To establish the connection, all three must be updated in the tenant keystore, since SAP CPI does not accept .key files directly, these files must be converted directly into a PKCS#12 (.p12) format.

Creating the P12 File

The .p12 file contains:

  • Client certificate (eg, certificate.crt)

  • Private key (eg, private_key.key)

  • CA certificate chain (Intermediate + Root certificates) (eg, certificate-chain.pem) 
    Screenshot 2026-02-09 194950.png

Using OpenSSL /Command prompt:

Open the command prompt from the same folder in which all these files are stored. 

Enter the command below, and it will ask you to set the password. After you enter the password, it generates the p12 file in the same folder.

openssl pkcs12 -export \
-in certificate.crt \
-inkey private_key.key \
-certfile certificate-chain.pem \
-out client.p12 \
-name "client-cert"

jagadee_0-1770647299164.png


Note: An export password is required and will be used later during upload into CPI.

Uploading the Certificate to SAP CPI Keystore

  1. Log in to SAP Cloud Integration

  2. Go to Monitor → Keystore

  3. Choose Add → Key Pair

  4. Upload client.p12

  5. Enter the export password

  6. Save

The certificate is now securely stored and managed by CPI.

jagadee_1-1770647370522.png

jagadee_3-1770647684377.png

jagadee_4-1770647801131.png

 

Configuring the HTTP Receiver Adapter

In your integration flow:

  1. Add an HTTP Receiver Adapter

  2. Set Authentication to: Client Certificate

  3. In the Credential Name field, select the alias of the uploaded .p12 from the Keystore.

jagadee_2-1770647546379.png

 

Security Best Practices

  • Protect the .p12 password

  • Use separate certificates for PROD and NON-PROD

  • Monitor certificate expiry dates

Conclusion

Client certificate authentication is a secure and reliable option. Using a P12 certificate from the keystore with the HTTP Receiver Adapter keeps authentication simple and secure.

Thank you for reading this blog. I hope this helps you with your integration. When I started this integration development, I uploaded all the keystore documents separately, but it still ended up failing. Also, I couldn’t find any reference blog on how to handle this. So, I want to share this with others. If you feel this is a long procedure (as I do), please share your ideas and feedback in the comments.

1 Comment