Show TOC

 X.509 Client CertificatesLocate this document in the navigation structure

As an alternative to authenticating with a user ID and passwords, users can present X.509 client certificates for accessing Web applications. In this case, user authentication takes place using the underlying Secure Sockets Layer (SSL) protocol and users do not need to interactively enter a password for logon.

For an overview of the authentication process flow when using X.509 certificates, see the figure below.


X.509 Certificate Authentication Flow

Authentication with X.509 Certificates makes use of a Public Key Infrastructure (PKI) to securely authenticate users. After users receive their X.509 certificates from a certificate issuing Certification Authority (CA), they can use them to securely access SAP NetWeaver, as well as non-SAP systems. The SAP NetWeaver and the non-SAP system can authorize access requests, based on an established trust relationship with the CA.

In addition, users can use their X.509 certificates to authenticate their access to systems located on the Internet and within your company Intranet. Thereby, you can use certificates for authentication in open environments such as the Internet.


SAP Single Sign-On can issue X.509 certificates. SAP Single Sign-On includes a PKI infrastructure specially made for the requirements of SAP systems.

For more information, see SAP Single Sign-On .


  • You have deployed a public key infrastructure to support issuing public key certificates to users. For more information, see Public-Key Technology .
  • To use certificates for authentication with AS ABAP, the AS ABAP must be release 4.5B or higher.
Security Considerations

X.509 certificates use industry standard cryptographic mechanisms to securely authenticate user access. The exchange of the authentication credentials between the front-end Web client and the AS ABAP, AS Java or non-SAP system is secured through the use of public key cryptography and the underlying SSL protocol. For additional security, you can also enable mutual authentication, where both the front-end client and the back-end application server exchange X.509 certificates to mutually establish their identities.

When using X.509 client certificates and SSL for user authentication, you should note the following:

  • Your users need to possess valid certificates signed by a trusted CA. You can either establish your own CA and distribute certificates to your users yourself, or you can rely on a Trust Center service. The CA you choose to use must be designated as a trusted CA on the accepting SAP NetWeaver system.
  • Users should be informed about how to protect their private key.

    When using authentication with client certificates, each user needs to possess a key pair, consisting of a public and a private key. The public key is contained in the X.509 client certificate and can be made public. However, the user's private key needs to be kept safe.

    The possibilities available for securing the private key depend on the Web browser that you use. (For example, you may be able to protect it with a password or you may be able to use smart cards.) If the private key is stored on the front-end client, your users should use screensavers protected with a password.

  • If users share Web browsers for clients, then note the following:

    As long as the operating system separates and protects user data at the operating system level (for example, Windows NT), then the private key stored on the Web front-end client is protected by the operating system.


    We recommend that you do not store the private key on the Web client frontend when using an operating system that does not separate user data (for example, Windows 95).


For more information about enabling authentication with X.509 client certificates, see Using X.509 client certificates .