Show TOC

Procedure documentationSending the Certificate Requests to a CA Locate this document in the navigation structure


After you have generated a key pair and certificate request for each PSE, send the certificate requests to a CA to be signed. The response from the CA is a signed public-key certificate for the server to use to identify itself when it is using the designated PSE.


You can send the certificate requests to the CA of your choice, for example, the SAP CA. When requesting the certificate, note that the corresponding certificate request response from the CA must be available in one of the following formats:

  • PKCS#7 certificate chain format

    In this case, the issuing CA provides the certificate request response in the necessary format. For example, the SAP CA provides the response in this format, or you can request this format from your CA.

  • PEM format

    In this case, the certificate request response from your CA contains only the signed public-key certificate. In this case, you must also have access to the CA's root certificate. If you are using the trust manager, then this root certificate must exist in the database. If you are using sapgenpse, then it must exist as a file in the file system.


For each certificate request that you created, send the contents of the certificate request to your CA.

The exact procedure to use depends on the CA that you use. For the SAP CA, follow the instructions provided by the SAP Trust Center Service at

Note Note

To view the contents of the certificate, open the certificate request with a text editor. Because many editors use hidden characters for formatting, use a text editor that does not support formatting features, for example, Notepad. If carriage returns or line feeds have been corrupted during download, then correct these errors.

End of the note.

Note Note

The example below shows a correct certificate request.












End of the note.


The CA will validate the information contained in the certificate request (according to its own policy) and return a response that contains the signed public-key certificate.