SAP Cloud Platform API Management requires certificates containing private key and root certificates in PEM format. These certificates are then packaged in JAR which is uploaded into the Key Store.  In this blog, we have captured the steps to connect to an API endpoint with X509 based client certificate authentication from SAP Cloud Platform API Management.

Existing X509 Certificate for Client Certificate Authentication

In this section, we have captured the steps to download an existing Client Certificate using internet explorer and then convert certificate to PEM format.

Note: - This is an option step, in case you already have the certificate with private key in .pem and .cert file format then this step can be skipped

Download Certificate with private Key

• Open Internet explorer -> settings -> internet options, navigate to the tab content and then click on certificates

• From the personal tabs, select the certificate that you would like to download and then click Export

 

• Select option Yes, export the private key and click Next

 

• Select PFX option and then click Next

 



 

• Select Password option and then enter and confirm password say abcd. This password should be used during upload certificate jar on API Portal and would be required while generating the certificate with private key in .pem format in section Generate Root Certificate (.cert) and Certificate Private Key (.pem)

 

• Select the file system path to download Certificate and then click Next

 

• Click Finish to download the certificate with Private key

 

Validate Certificate/Key for completeness

All the following steps depend on having the full chain of certificates / trust within the pfx/p12 file.

• To validate this following command in Open SSL can be used

openssl pkcs12 -info -in <filename>

The file must contain the full chain as shown below.



Incomplete chains can potentially be fixed through browser import and export (requires all root/intermediate certificates to be present in trust stores).

If this check is not passed all subsequent steps will not yield expected result.

 

Generate Root Certificate (.cert) and Certificate Private Key (.pem)

The below steps are executed using Open SSL

• Extract certificate with private key in .pem file format

openssl pkcs12 -in <input filename> -nocerts -out <keyfilename>.pem –nodes

• Extract root certificate with certificate chain in .cert format

pkcs12 -in <input filename> -nokeys -out <keyfilename>.pem -nodes

 

Self signed X509 Certificate for Client Certificate Authentication

In this section, we have captured the steps to generate a self signed X509 certificate with private key in PEM which can then be used for Client Certificate authentication. In this case the generated root certificate would have to be imported into the target server.

Note: - This is an option step, in case you already have the certificate with private key in .pem and .cert file format then this step can be skipped

• Generate a certificate with private key (using Open SSL)


• Create a new folder to place the certificate


• In the cmd prompt navigate to the certificate folder and then use the openssl commands to generate the certificates

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 730

• Enter the password when prompted say abcd. This password should be used during Upload certificate jar on API Portal

 

Generate JAR with Certificates to upload to SAP Cloud Platform API Management

The below steps package the certificate into a jar file. Details is available in SAP Cloud Platform API Management help link.

• Create a JAR file containing your private key, certificate, and a manifest. For example, the JAR file must contain the following files and directories: /META-INF/descriptor.properties,<main>.pem, <privateKey>.pem

A keystore JAR can contain only one certificate. If you have a certificate chain, all certs in the chain must be appended into a single PEM file, where the last certificate is signed by a CA. The certs must be appended to the PEM file in the correct order, meaning: cert -> intermediate cert(1) -> intermediate cert(2) -> … -> root

• In the directory containing your key pair and certificate, create a directory called /META-INF. Then, create a file called descriptor.properties in /META-INF with the following contents: certFile=<main>.pemkeyFile=<privateKey>.pem

• Generate the JAR file containing your key pair and certificate:

 jar -cf myKeystore.jar main.pem privateKey.pem

• Add descriptor.properties to your JAR file:

jar -uf myKeystore.jar META-INF/descriptor.properties

Upload JAR containing certificate to SAP Cloud Platform API Management

 

• Logon to your SAP Cloud Platform account (say https://account.hanatrial.ondemand.com/cockpit).


• Navigate to the Services tab, search for API Management service tile and click to open API Management service.

 

• Click on the link Access API Portal to open API Portal.

 

• Select the option Certificate and click on the option Create

 

• In the UI, select the certificate type as Key Store, select the option New Store. In the store name provide name as idpKeSytore, Name as mykeys. Using the Browse option select the jar created in section Generate JAR for Certificate Upload on API Portal and then click on Create button as shown in the screenshot. The password which was used in Generate Certificates section should be passed as well. (abcd)

 

• Select API Provider tab and then click on Create button

 

• In the create API Provider screen fill system details (important is to check use ssl flag) and then Go to tab AUTHENTICATION and Select previously uploaded key store in parameter Key Store Certificate

 

• Select the Authentication type to None

 

• Select the APIs tab and then click Create button to create an API Proxy which requires the Certificate Authentication and the from the API Provider drop down select the provider created and enter the details your API Proxy and then click Create

 

With this client certificate defined in the API Provider would be used for connecting to your target end points.