Technology Blog Posts by Members

dhawal_patil

Concept of Key-Based Authentication for SFTP:

SSH (Secure Shell) is a protocol used to securely connect to remote servers, including SFTP servers. One of the most secure authentication methods in SSH is the use of SSH keys. This method relies on a pair of cryptographic keys: a public key and a private key.

Key Pair Generation:

  • The user (here, SAP PI) generates a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key can be shared freely.

Public Key Upload:

  • The user uploads their public key to the SFTP server. This is typically done by adding the public key to the ~/.ssh/authorized_keys file on the server.

Private Key Usage:

  • When the user attempts to connect to the SFTP server, the client (i.e. SAP PI) uses the private key to sign a challenge from the server.
  • The server verifies the signature using the stored public key. If the signature is valid, the user is authenticated.
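
To make the challenge/response step concrete, here is an added example (my own, not part of the original post) that plays both roles with the openssl command line: the client signs a challenge with the private key, the server verifies it using only the stored public key, and a modified challenge is rejected. It assumes an OpenSSL 1.1.1 or 3.x binary on PATH; the file names and the random challenge are constructed for the example, and real SSH derives the signed data from the session rather than from a bare random blob.

```shell
#!/bin/sh
# Added example, not the post's own code: the SSH-style challenge/response done
# with the openssl CLI. Assumes openssl (1.1.1 or 3.x) is on PATH; all file names
# are constructed for this example.
set -eu

# User side (Step 1 of the post): RSA key pair, public half extracted from the private key.
make_keypair() {
    dir="$1"
    openssl genrsa -out "$dir/keypair.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/keypair.pem" -pubout -out "$dir/publickey.pem" 2>/dev/null
}

# Client side: sign the server's challenge with the private key (which never leaves the client).
sign_challenge() {
    dir="$1"
    openssl dgst -sha256 -sign "$dir/keypair.pem" \
        -out "$dir/challenge.sig" "$dir/challenge.bin"
}

# Server side: verify with nothing but the stored public key (what authorized_keys holds).
# Exit status 0 = signature valid, 1 = invalid.
verify_challenge() {
    dir="$1"
    openssl dgst -sha256 -verify "$dir/publickey.pem" \
        -signature "$dir/challenge.sig" "$dir/challenge.bin" >/dev/null 2>&1
}

# Full exchange. Returns 0 only if the genuine challenge verifies AND a tampered one is rejected.
demo_challenge_response() {
    dir=$(mktemp -d)
    make_keypair "$dir"
    # Constructed challenge: 32 random bytes stand in for the session-derived data real SSH signs.
    openssl rand -out "$dir/challenge.bin" 32
    sign_challenge "$dir"
    if ! verify_challenge "$dir"; then
        echo "genuine challenge: signature REJECTED (unexpected)"; rm -rf "$dir"; return 1
    fi
    echo "genuine challenge: signature valid"
    # Append one byte to the challenge: the old signature must no longer verify.
    printf 'x' >> "$dir/challenge.bin"
    if verify_challenge "$dir"; then
        echo "tampered challenge: signature ACCEPTED (unexpected)"; rm -rf "$dir"; return 1
    fi
    echo "tampered challenge: signature rejected"
    rm -rf "$dir"
    return 0
}

demo_challenge_response
```

The point for a defender is in verify_challenge: the server never needs the private key, so a compromised SFTP server leaks nothing that would let an attacker impersonate SAP PI elsewhere, which is why only the public key is ever uploaded.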

Prerequisites:

  • On Windows, OpenSSL or Git for Windows should be installed. (On Linux or macOS, OpenSSL is usually pre-installed and can be used from the terminal.)
  • If you are using Git on Windows, your “PATH” environment variable should contain the file path “…\Git\usr\bin”.
  • If you do not have admin access on your Windows PC, you can edit PATH from:
    • Control Panel > User Accounts > User Accounts > Change my environment variables (in the left panel)

Step 1: Create a Key Pair (Skip to Step 2 if you already have a key pair)

Using PuTTYgen: (Courtesy: https://www.ssh.com/academy/ssh/putty/windows/puttygen)

  1. Open PuTTYgen.
  2. To create a new key pair, select the type of key to generate from the bottom of the screen.
  3. Click Generate and start moving the mouse within the window. PuTTY uses mouse movements to collect randomness; the exact way you move your mouse cannot be predicted by an external attacker. You may need to move the mouse for some time, depending on the size of your key. As you move it, the green progress bar should advance.
  4. Once the progress bar becomes full, the actual key generation computation takes place. This may take from several seconds to several minutes. When complete, the public key should appear in the Window. You can now specify a passphrase for the key.
  5. You should save at least the private key by clicking Save private key. It may be advisable to also save the public key, though it can be later regenerated by loading the private key (by clicking Load).

This public key can be shared with third parties, enabling them to include it among the authorized keys on their server.

Using OpenSSL:

  1. Go to the folder in which you want to save your private key and type CMD in the File Explorer address bar. (On Linux, right-click and choose “Open in Terminal”; on Mac, use the cd command.)
  2. In command prompt/terminal type the following command (Replace the key name as per your requirement):
    • openssl genrsa -out keypair.pem 2048
  3. To extract the public part, use the following command (Replace the key name as per your requirement):
    • openssl rsa -in keypair.pem -pubout -out publickey.pem
  4. Your private key “keypair.pem” and public key “publickey.pem” will be saved and available in your current folder.

Step 2: Convert PPK to PEM using PuTTYgen (Skip if the key pair is already in PEM format)

(Courtesy: https://repost.aws/knowledge-center/ec2-ppk-pem-conversion)

  • Start PuTTYgen. For Actions, choose Load, and then navigate to your .ppk file.
  • Choose the .ppk file and then choose Open.
  • (Optional) For Key passphrase, enter a passphrase. For Confirm passphrase, re-enter your passphrase.
  • Note: Although a passphrase isn't required, it's a best practice to specify one. This is a security measure to protect the private key from unauthorized use. A passphrase makes automation difficult, because users must manually log in to an instance or copy files to an instance.
  • From the menu at the top of the PuTTY Key Generator, choose Conversions, Export OpenSSH Key.
  • Note: If you didn't enter a passphrase, then you receive a PuTTYgen warning. Choose Yes.
  • Name the file and add the .pem extension. Select Save.

Step 3: Generate a self-signed X.509 certificate:

  • Open a command prompt/terminal in the directory where your private key file is.
  • Execute the following command to generate a self-signed X.509 certificate using the private key:
    • openssl req -new -x509 -days 3650 -key keypair.pem -out x509_Private.pem
  • Enter the key's passphrase (if it has one); OpenSSL then prompts for the certificate subject fields (country, organization, and so on).
  • Note: Only the country is a mandatory parameter.

Step 4: Generate compatible PKCS#12 file:

  • To upload the private key and self-signed certificate to SAP PI/CPI/IS, we need to generate a PKCS#12 file.
  • A PKCS#12 file, also known as a PFX (Personal Information Exchange) file, is a binary format that can store a private key along with its associated digital certificate(s). PKCS#12 is a standard defined in the Public-Key Cryptography Standards (PKCS) and is often used to bundle a private key and its corresponding certificate chain into a single encrypted file.
  • Execute the following command to generate a compatible PKCS#12 file:
    • openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in x509_Private.pem -inkey keypair.pem -out PrivateP12.p12

  • The parameters “-keypbe PBE-SHA1-3DES” and “-certpbe PBE-SHA1-3DES” specify the password-based encryption (PBE) algorithms used to encrypt the private key and the certificate inside the PKCS#12 file.
  • When these parameters are not specified, the PKCS#12 file is generated using the AES-256 encryption algorithm.
  • Most versions of SAP PI and SAP CPI/IS do not support the AES-256 PBE algorithm. Hence we specify the SHA1-3DES algorithm for encrypting our certificate and private key.
  • Your .p12 file is generated and can be imported into the SAP PI/CPI secure store.

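The following added example (mine, not the author's script) runs Steps 1, 3 and 4 non-interactively and then inspects the resulting .p12 so you can confirm, before uploading, which PBE algorithm protects the key bag and the certificate bag. It assumes an OpenSSL 1.1.1 or 3.x binary on PATH; the country code and the export password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's own script: Steps 1, 3 and 4 run unattended,
# followed by a check of the PBE algorithms inside the PKCS#12 bundle.
# Assumes openssl (1.1.1 or 3.x) is on PATH. Passphrase and subject are placeholders.
set -eu

# Step 1 (OpenSSL variant): unencrypted RSA private key plus its public half.
generate_keypair() {
    dir="$1"
    openssl genrsa -out "$dir/keypair.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/keypair.pem" -pubout -out "$dir/publickey.pem" 2>/dev/null
}

# Step 3: self-signed X.509 certificate. -subj supplies the only mandatory field
# (country) so no prompt appears; "XX" is a constructed placeholder country code.
generate_selfsigned_cert() {
    dir="$1"
    openssl req -new -x509 -days 3650 -key "$dir/keypair.pem" \
        -subj "/C=XX" -out "$dir/x509_Private.pem" 2>/dev/null
}

# Step 4: PKCS#12 using the SHA1-3DES PBE the post recommends for SAP PI/CPI.
# The export password comes from $2 (a placeholder in this example).
build_compatible_p12() {
    dir="$1"; pw="$2"
    openssl pkcs12 -export \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -in "$dir/x509_Private.pem" -inkey "$dir/keypair.pem" \
        -out "$dir/PrivateP12.p12" -passout "pass:$pw" 2>/dev/null
}

# Check: openssl writes the -info summary to stderr (hence 2>&1); keep only the
# lines that say how the certificate bag and the shrouded key bag are encrypted.
p12_encryption_lines() {
    dir="$1"; pw="$2"
    openssl pkcs12 -in "$dir/PrivateP12.p12" -info -noout -passin "pass:$pw" 2>&1 \
        | grep -E 'Encrypted data|Keybag'
}

# Returns 0 only when both bags report pbeWithSHA1And3-KeyTripleDES-CBC.
is_sap_compatible_p12() {
    dir="$1"; pw="$2"
    n=$(p12_encryption_lines "$dir" "$pw" | grep -c 'pbeWithSHA1And3-KeyTripleDES-CBC')
    [ "$n" -eq 2 ]
}

run_pipeline() {
    dir=$(mktemp -d)
    pw="changeit-placeholder"
    generate_keypair "$dir"
    generate_selfsigned_cert "$dir"
    build_compatible_p12 "$dir" "$pw"
    p12_encryption_lines "$dir" "$pw"
    if is_sap_compatible_p12 "$dir" "$pw"; then
        echo "PrivateP12.p12: key and certificate bags use SHA1-3DES (importable per the post)"
        status=0
    else
        echo "PrivateP12.p12: unexpected PBE algorithm, check 'openssl version'"
        status=1
    fi
    rm -rf "$dir"
    return $status
}

run_pipeline
```

Both grep'd -info lines should read pbeWithSHA1And3-KeyTripleDES-CBC. Two caveats worth knowing: the AES-256 default the post describes is OpenSSL 3.x behaviour (1.1.1 still defaulted to 3DES for the key and RC2-40 for the certificate), and OpenSSL 3.0 also moved the bundle MAC from SHA-1 to SHA-256, so if an older keystore still rejects the file, -macalg sha1 is the other flag to add. The publickey.pem produced here is PEM, not the one-line format ~/.ssh/authorized_keys expects; ssh-keygen -i -m PKCS8 -f publickey.pem converts it.
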
Note: There are various methods to generate a private key and signed certificate for your PI/CPI system. The method demonstrated in this blog is the most commonly used by basis administrators, based on my observations. While I am not a basis administrator myself and apologize for any potential inaccuracies in my approach, I am confident that this method for creating keys for SSH logon is effective.