Page tree
Skip to end of metadata
Go to start of metadata
Here you can find some useful information in the topic of creating, maintaining your BNxxxxxxxx.pse.
In case report RPUSVKD0 terminates with an error, please check following points:

Error message 'SSF kernel error: invalid parameter'

While generating a new certificate (BNxxxxxxxx.pse) with the signature algorithm SHA-256 (step 1. of report RPUSVKD0) you get the error 'SSF kernel error: invalid parameter'. All prerequisites described in note '1994240 - Zertifikat erstellen mit SHA256' have to be fulfilled. A new certificate can be generated as written in note '1528670 - SI: Extension of/follow-up application for certificates' at a.) Applying for new certificates.

Error message '/usr/sap/XXX/.../is not in the directory area '/usr/sap/XXX/..../sec/'

Environment variable SECUDIR has to point to directory sec.

Since the PSE-file is accessed with general basic function modules, it has to be placed in the directory these basis function modules are expecting. This is specified with DIR_INSTANCE (see transaction AL11 or report RSPARAM), sub-directory /sec. If you have specified a different physical path for logical path HR_DE_B2A_KK_PSE, the basis function modules (SSF*) will not work. However other log. pathnames (e.g. HR_DE_B2A_KK_ZERTLIST) can be point to other physical pathnames then DIR_INSTANCE/sec.

Either profile parameter DIR_INSTANCE (report RSPARAM) or physical path for log. pathname HR_DE_B2A_KK_PSE has to be adjusted. Please find also valuable help provided in SAP Note 846813.

Error message 'No certificate with your public key found in supplied input'

This error indicates that BNxxxxxxxx.pse where the certificate request (.p10) was created, is not the same file, where you are trying to import the certificate response. Table T5D4X_STAT can be used for orientation, status and time when RPUSVKD0 run (RQ means certificate response created).  In transaction AL11 you can see the change date of BNxxxxxxxx.pse. In table SSF_PSE_H you can see the CDATE (creation date) of your BNxxxxxxxx.pse. This means that the BNxxxxxxxx.pse was saved in that version into the database. You can match this date with the status in table T5D4X_STAT. Try to find here the matching files.

Error message 'Signature algorithm PSE file (&1) <> Signature algorithm list (&2)'

While importing the certificate list it will be checked that PSE has same signature algorithm as the certificates selected for importing into the PSE. Certificate list should be in directory defined in transaction FILE for HR_DE_B2A_KK_ZERTLIST. Name of the file is defined through HR_DE_B2A_KK_ZERTLIST_AGV. Select the correct certificate list. The relevant lists are available on the webpage of the ITSG (Trust center) for downloading.

SHA1: annahme-pkcs.agv

SHA256: annahme-sha256.agv

SAP note 2081715 SV: Einspielen der öffentlichen Zertifikate der Krankenkassen

Error message 'Validity of certificate with PSE type >SSL Client (SV Deutsche Rentenversicherung)< ends in X days'

You can delete this entry in transaction STRUST, since this was relevant to ELENA procedure, which was abandoned.


The p7c file received from ITSG can be imported to the BNxxxxxxxx.pse on the system where the p10 file was created. In case you have more application servers, than you can copy the complete BNxxxxxxxx.pse (once certificate response, and certificate list is imported) to the directory sec on the application server. Only credentials have to be created again, they are valid for one server and cannot be copied.

Other errors:


ITSG Trust Center rejects certificate request because of not permitted signature algorithm. (German version: Sie haben uns eine elektronische Zertifizierungsanfrage (p10-Schluesseldatei) mit einem nicht mehr zulaessigen SHA1-Hashalgorithmus uebermittelt.)

As of December 20, 2013, only certificates with the signature algorithm SHA-256 are allowed. For this reason, you cannot extend certificates (PSE files) that have been created before this date using SHA-1. You must create a new certificate (PSE file). Please process accoding to note 1528670.  


Report SSF_ALERT_CERTEXPIRE lists certificate O=ITSG TrustCenter fuer Arbeitgeber, C=DE (Serialnumber 2A)

This certificate is valid until 02.01.2017


Solution: SAP note 2400067 


Diverse scenarios:

At every system restart a correct BNxxxxxxxxx.pse is overwritten with another (older, incomplete) version.

Possible cause: a version of the BNxxxxxxxx.pse stored in the database (in STRUST)

Solution: run test report RPUSVHD0 and make sure the BNxxxxxxxx.pse is in directory $DIR_INSTANCE/sec. If report RPUSVHD0 shows no errors and the correct validity, then you can use report RPUSVND0 (first with action DEL and then with INS) that will import the BNxxxxxxxx.pse in STRUST. 

Related SAP Notes/KBAs

  • SAP Note 1528670 SV: Verlängerung/Folgeantrag der Zertifikate
  • SAP KBA 1994240 Zertifikat erstellen mit SHA256