After you have generated a key pair and certificate request, you must send the certificate request to a CA to be signed. The response from the CA is a signed public-key certificate for the server.
You can send the certificate request to the SAP CA or another CA of your choice. Note, however, that the trust manager requires the certificate request response to adhere to the PKCS#7 certificate chain format. This means that the response contains both the requester's signed public-key certificate and the CA's root certificate. As an alternative, the CA may issue a standalone certificate in PEM format. Note the following:
PKCS#7 certificate chain format
In this case, the issuing CA provides the certificate request response in the necessary format. For example, the SAP CA provides the response in this format, or you can request this format from your CA.
PEM format
As an alternative, you may receive a certificate request response from your CA in PEM format, which contains only the signed public-key certificate.
In this case, the CA's root certificate must also exist in the database. The trust manager then automatically modifies the certificate request response so that it exists in the necessary format before importing it into the server's PSE.
For each certificate request that you generated:
If you saved the contents of the request to a file, then make sure the contents have not been corrupted during download. For example, if you generate the certificate request on a UNIX system and save it to a Windows front-end client, the line feeds and carriage returns may be replaced with special characters.
To check the contents, open the certificate request with a text editor and repair any corrupt line feeds or carriage returns. Because many editors use hidden characters for formatting, use a text editor that does not support formatting features, for example, Notepad.
The example below shows a correct certificate request.
-----BEGIN CERTIFICATE REQUEST-----
[Base64-encoded request data]
-----END CERTIFICATE REQUEST-----
Send the contents of the certificate request to the CA of your choice.
The exact procedure to use depends on the CA that you use. For the SAP CA, follow the instructions provided by the SAP Trust Center Service at http://service.sap.com/tcs.
The CA will validate the information contained in the certificate request (according to its own policy) and return a response that contains the signed public-key certificate.
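The corruption check described above can also be scripted before the request is sent to the CA. The following is an added example, not SAP code: it flags carriage returns and special characters, damaged BEGIN/END lines, invalid Base64, and a truncated body. The function names and the sample request (a constructed stand-in with correct framing only) are assumptions made for illustration.

```python
import base64
import re

MARKERS = re.compile(
    rb"-----BEGIN ((?:NEW )?CERTIFICATE REQUEST)-----\n(.*)\n-----END \1-----", re.S)

def repair_line_endings(data: bytes) -> bytes:
    """Convert CRLF and bare CR to LF, as a plain-text editor save would."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

def der_length_ok(der: bytes) -> bool:
    """True if der is one SEQUENCE whose declared length equals the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_csr(data: bytes) -> list:
    """Return a list of problems found in a PEM certificate request file."""
    problems = []
    if b"\r" in data:
        problems.append("carriage returns present (CRLF or CR line endings)")
    if re.search(rb"[^\x20-\x7e\r\n]", data):
        problems.append("non-printable or non-ASCII bytes present")
    m = MARKERS.fullmatch(repair_line_endings(data).strip())
    if not m:
        return problems + ["BEGIN/END CERTIFICATE REQUEST lines missing or damaged"]
    try:
        der = base64.b64decode(m.group(2).replace(b"\n", b""), validate=True)
    except ValueError:                      # binascii.Error subclasses ValueError
        return problems + ["body is not valid Base64"]
    if not der_length_ok(der):
        problems.append("decoded body is truncated or not a DER SEQUENCE")
    return problems

def make_sample() -> bytes:
    """Constructed stand-in: correct PEM/DER framing only, not a real request."""
    b64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256))
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE REQUEST-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    sample = make_sample()
    print(check_csr(sample))                           # clean file
    print(check_csr(sample.replace(b"\n", b"\r\n")))   # saved with CRLF
```

An empty list means the file passed these framing checks; it does not verify the request's signature or contents, which the CA validates.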