The Purpose of this page is to provide further information regarding how to convert the certificates from a .p7b file into Base64 (.cer) format so it can be successfully imported into a PSE.
Sometimes the Certificate Authorities provide the signed certificates in a .p7b file (i.e. the root, intermediates and response certificates). Since it is not possible to import the .p7b file into a PSE in /STRUST, you need to convert them to a Base64 (.cer) or a Binary (.crt) format. This guide explains how you can easily convert them to Base64 (.cer) format.
Converting the certificates
1. Open the .p7b file (“cert.p7b”, for example) and go to the certificates. As mentioned, it should have the root, intermediates and response certificates:
2. Then, double click on the first certificate (“mySAP.com Software CA”, for example) and go to the details tab:
3. Click on the “Copy to File…” button. Then, click the “Next >” button and select “Base-64 encoded X.509 (.CER)” option:
4. After that, click the “Next >” button and select the path and file name to the converted file. Please, notice that it should have the .cer extension.
5. Finish the conversion by click on the “Finish” button. You should receive the following pop-up:
Importing the certificate response into a PSE via /STRUST
In order to successfully import the certificates into a PSE (via /STRUST), you need to merge the full path of certificates into one. To do that:
1. First you need to convert each certificate (steps 1 to 5 from the previous section);
2. Open each certificate (in a text editor), copy them and paste into a unique file. The unique file should contains, for example:
<encrypted part of the actual certificate response>
<encrypted part of the CA ROOT certificate>
<encrypted part of the CA intermediate certificate(if it exists)>
The sequence of the certificates should not matter.
3. In /STRUST double click on the PSE you want to import the certificate response. Then, click on the “Import Cert. Response” button:
4. At last, paste the content of the unique file and click on the OK button:
5. The certificate response should have been successfully imported.
When trying to import the certificate response into a PSE, you may face the “Cannot import certificate response” (TRUST037) or “Issuer certificate missing in database” (TRUST057) errors:
These errors can happen if:
1. The certificate response is not valid to the PSE. The PSE must not be changed after generating the certificate request to it. When a PSE changes, it means that the unique key pair
changes too. Therefore the certificate response will not match the new PSE key pair and becomes invalid;
2. The certificate chain is not complete. Probably the root or an intermediate certificate is missing in the certificate chain (check SAP Note 508307 for further information). In that case,
please also review the section “Importing the certificate response into a PSE via /STRUST” from this page.
SAP Note 508307 : Trust Manager: Problems importing certificate responses