Skip to end of metadata
Go to start of metadata


The Purpose of this page is to provide further information regarding how to convert the certificates from a .p7b file into Base64 (.cer) format so it can be successfully imported into a PSE.


Sometimes the Certificate Authorities provide the signed certificates in a .p7b file (i.e. the root, intermediates and response certificates). Since it is not possible to import the .p7b file into a PSE in /STRUST, you need to convert them to a Base64 (.cer) or a Binary (.crt) format. This guide explains how you can easily convert them to Base64 (.cer) format.

Converting the certificates

            1. Open the .p7b file (“cert.p7b”, for example) and go to the certificates. As mentioned, it should have the root, intermediates and response certificates:

            2. Then, double click on the first certificate (“ Software CA”, for example) and go to the details tab:

            3. Click on the “Copy to File…” button. Then, click  the “Next >” button and select “Base-64 encoded X.509 (.CER)” option:

            4. After that, click the “Next >” button and select the path and file name to the converted file. Please, notice that it should have the .cer extension.

            5. Finish the conversion by click on the “Finish” button. You should receive the following pop-up:

Importing the certificate response into a PSE via /STRUST

In order to successfully import the certificates into a PSE (via /STRUST), you need to merge the full path of certificates into one. To do that:

            1. First you need to convert each certificate (steps 1 to 5 from the previous section);

            2. Open each certificate (in a text editor), copy them and paste into a unique file. The unique file should contains, for example:

                                                          BEGIN CERTIFICATE
                                                          <encrypted part of the actual certificate response>
                                                          END CERTIFICATE
                                                          BEGIN CERTIFICATE
                                                          <encrypted part of the CA ROOT certificate>
                                                          END CERTIFICATE
                                                          BEGIN CERTIFICATE
                                                          <encrypted part of the CA intermediate certificate(if it exists)>
                                                          END CERTIFICATE

                The sequence of the certificates should not matter.

            3. In /STRUST double click on the PSE you want to import the certificate response. Then, click on the “Import Cert. Response” button:

            4. At last, paste the content of the unique file and click on the OK button:

            5. The certificate response should have been successfully imported.  

Possible Errors

When trying to import the certificate response into a PSE, you may face the “Cannot import certificate response” (TRUST037) or “Issuer certificate missing in database” (TRUST057) errors:

            These errors can happen if:

            1. The certificate response is not valid to the PSE. The PSE must not be changed after generating the certificate request to it. When a PSE changes, it means that the unique key pair
                changes too. Therefore the certificate response will not match the new PSE key pair and becomes invalid;

            2. The certificate chain is not complete. Probably the root or an intermediate certificate is missing in the certificate chain (check SAP Note 508307 for further information). In that case,
                please also review the section “Importing the certificate response into a PSE via /STRUST” from this page.

Related Content

Related Documents

Related Notes

SAP Note 508307 : Trust Manager: Problems importing certificate responses

1 Comment

  1. Former Member

    Great info, thanks for sharing!