Page tree
Skip to end of metadata
Go to start of metadata

Applies to:

SAP Netweaver PI based OFTP Adapters


The following sections briefly describe the steps to create test OFTP key pairs with an unsupported 3rd party tool. Since OFTP keys needs to be created with extended key usage types like non repudiation, the NWA key storage can't be used.


Sivasubramaniam Arunachalam

Company: SAP Labs
Created on: 05-Apr-2012
Author(s) Bio
Sivasubramaniam Arunachalam is a senior developer at SAP Labs (Technology Innovation Platform). He is currently occupied with PI 7.31 development/maintenance activities. Since Sivasubramaniam joined SAP Labs in July 2010, he has developed new features in several adapters/areas including File, JDBC, IDoc, SOAP/XI, HTTP, JPR, B2B(RNIF 1.1/2.0, CIDX & PIDX) Adapters, XML Validation and Mapping Runtime. Currently, he is the component responsible for File, JDBC, B2B Adapters and XML Validation and takes care of all new development, enhancement and maintenance activities.

Table of Contents

Tools Required

  • Java based 3rd Party Certification Generation Tool

Keys to be Generated

  • Root Certificate
    • Private Key (.p12)
    • Public Key (.cer)
  • Intermediate Certificate (Trusted by Root Certificate)
    • Private Key (.p12)
    • Public Key (.cer)
  • Server Certificates (Trusted by Intermediate Certificate)
    • Private Key (.p12)
    • Public Key (.cer)

Test Key Generation Tool

Disclaimer: This attached tool is untrusted. Please use it n your own risk.

You can download the tool from here

To run this tool, JRE is required.

You can launch the tool with the following command.

# java -jar "OFTP Test Certificate Generator.jar"

Create Root Certificate

  1. Since Root Certificate doesn't have issuer, Select the "Self Signed" Option.
  2. Enter the following details in the "Subject" Section
    1. CN = "Root CA"
    2. C = "DE" (2 Digit Country Code)
  3. Select the "Basic Constraints" and update the "Maximum Path Length" as "99".
  4. Serial = 001
  5. Key Strength = 2048 (It can vary depends on the business need)
  6. Enter the "Password" for private key to be created
  7. Select the "Key Usage" and Click on "Change".
  8. Choose all the options
  9. Select the "Extended Key Usage" and Click on "Change".
  10. Choose all the options
  11. Click on "Create CRT & P12"
  12. Save both the Private key and Certificate of "Root CA"

Create Intermediate Certificate (From Root Certificate)

  1. In the same window, Deselect the "Self Signed"
  2. Browse and choose the private key of "Root CA"
  3. Enter the password
  4. Enter "Intermediate CA" for Subject's "CN" field
  5. Select the "Basic Constraints" and Update the Maximum Path Length to "50"
  6. Serial should be 002
  7. Make sure that all the options in the "Key Usage" and "Extended Key Usage" are selected
  8. Click on "Create CRT & P12"
  9. Save both the Private key and Certificate of "Intermediate CA"

Creating Key Pairs for a Business Partner(Party)

  1. Next, Key Pairs for each partnter can be created from "Intermediate CA"
  2. Browse and choose the private key of "Intermediate CA"
  3. Enter the host name which represents the business partner(party) in the Subject's "CN" field
  4. Select the "Basic Constraints" and Update the Maximum Path Length to "0"
  5. Serial should be greater than 002 and incremental & unique for each key pairs
  6. Make sure that all the options in the "key usage" and "Extended Key usage" are selected
  7. Click on "Create CRT & P12"
  8. Save both the Private key and Certificate of a business partner
  • The above steps can be repeated for another business partner
  • These keys can be used for both SSL Authentication and CMS Features


  1. Former Member

    Hi Sivasubramaniam ,

    This is of great help , but the sapmat link expired ,is it possible that you upload the certification generator again ?

    Thanks a lot!

  2. As the download link for the certificate generator is down, does anybody have an alternative link?

  3. Has anyone been able to get the updated link for this?

  4. Former Member

    Hi Guys,

       Does anyone have any updates on the link to download the tool?

       Can we use java jre keytool for the same purpose?

       I am stuck right now on the tutorial.


  5. Hi All,

    The link has been updated.



  6. Former Member

    Hi Shankar,

       Thanks for the feedback.

       The link now works but the tool is not usable.

       The button to trigger the generation (that is: Create CRT & P12) is not visible or hidden; this button is no where to be found on GUI.

       Note: I have run the tool on both Windows 64 bit and Mac OS x; it is same result.

       Kindly help take a second look at it.







  7. Former Member

    Hi All,

        Issue has been resolved.

        Button is actually available; i had to hide my Task Bar (on windows) for the button to be visible on the tool.

        Everything worked.







  8. Former Member

    Hi All
    Cant download this tool. Access to share has expired.

    Can anybody share with me this tool?

  9. The share has been enabled - new validity is till Nov 29, 2016, 11:32 AM

  10. Hello,

    Could you please share the tool again?When  click the link, the below message is given:


    "Share is no longer available; contact the owner if you need access"


    Nurhan Özcan

  11. Share re-enabled: new validity till Jul 4, 2017 (90 days from now)

    1. Thank you Vishnu,


    2. Hello Vishnu,

      The button is not available.(Create CRT & P12). Could you please help?

      Thank you,


      1. The application is not dynamic, you may need to resize it to see the buttons.

  12. Hello,
    it seems the tool is quite helpful. Unfortunately the file is offline at the moment.
    Could you please share it again?


    1. Updated, new expiry Dec 20, 2017.

  13. Share link updated: new expiry Jun 2, 2019.

  14. Hi Vishnu Prasad Kcould the link be updated again please if possible? I am trying to configure and OFTP2 scenario and need to generate the keys as described in this blog (mainly root and intermediate) but I am struggling without the link to the Java Test Key Generation Tool. Please let me know.


    1. Hi David King,

      Thank you very much for your interest.

      I have now added it as part of this document itself which does not have any expiry.

      Please let me know if you have any issues accessing it.



      1. Hi again Vishnu Prasad Kmany thanks for this, much appreciated

        In our scenario, we have agreed that we would connect to our partner and pull (poll protocol) the files (rather than them pushing the files to us).

        Therefore, I assume I will have to provide our partner with a public key.

        In this scenario - do I need to create 2 sets of partner keys i.e. partner 1 (own keys) and partner 2 (partner keys)? Or just the one set of certs for our relationship - OWN_KEYS storing the private key and PARTNER_KEYS storing the public key - which I will then send to the partner in .pem format).

        What do you think?

        Again, all help and advice much appreciated. This is the first time we are using PO to do a direct connection.



        1. Hi David,

          OWN_KEYS should be private. So you need to create only one set for yourself and provide the public key to partner. Partner should provide their own public key.

          We should not generate it for them.



      2. Hi Vishnu Prasad K, I had no issues accessing it and thanks for your subsequent comments.

        I have been able to access the tool and generate the keys as per the blog. Works a treat - thanks.

        However...I have one last question! The keys generated use Signature Algorithm sha1WithRSAEncryption, while it appears I need the keys to use Signature Algorithm sha256WithRSAEncryption

        Is there an option in the OFTP Test Certificate Generator where the sig algo can be set?

        Thanks again for your help with this.


        1. Hi David,

          I just checked an it indeed does generate the keys with Signature Algorithm: SHA1WithRSAEncryption

          This tool is in maintenance mode and we do not have a way to provide this as a configurable option. You will need to generate this all by yourself or please create a ticket on BC-XI-CON-B2B-OFT.

          The right team will support you.