Digital certificates play a critical role in securing SAP systems—whether for HTTPs communication, SSO, Cloud Connector integration, or internal system‑to‑system traffic. As organizations scale, manual certificate renewal becomes error‑prone and difficult to manage.

This guide explains how to automate the entire lifecycle of SAP certificate monitoring, renewal, deployment, and validation using standard tools available on any SAP system. The approach is applicable to SAP ABAP, Java, HANA, Web Dispatcher, Content Server and Host Agent environments.

This blog will explain the overview and generic setup. The follow up blogs will describe:

• Certificate renewal for ABAP
• Certificate renewal for JAVA
• Certificate renewal for Linux

1. Overview

SAP Secure Login Server (SLS) is part of the SAP Single Sign-On product. This is a licensed product, for more information read OSS note 1876552 – License Requirement and Download of Single Sign-On 3.0 from the SAP Software Center. Within SSO, SLS serves as the central component for Certificate Lifecycle Management (CLM), enabling automated renewal of certificates used by:

• AS ABAP systems
• AS Java systems
• SAP Web Dispatcher
• SAP Host Agent
• Other SAP components requiring HTTPS or SSL

For automation, SAP SLS communicates with a PKI infrastructure. A widely used option is Microsoft NDES, which supports enrollment using the SCEP (Simple Certificate Enrollment Protocol).

This blog describes the configuration in the Secure Login Server and how to connect an AS ABAP as well as an AS Java. Configuring a Remote CA.

This blog assumes that you are familiar with the general Certificate Lifecycle Management process. Before setting up Certificate Lifecycle Management (CLM) with Secure Login Server (SLS), make sure the following requirements are met:

1.1 Secure Login Server Installed
You need a working installation of SAP Secure Login Server. SLS can run on any supported, modern SAP NetWeaver AS Java system. Read OSS note 3529951 – SAP Single Sign On 3.0 product compatibility for exact specifications.

1.2 Administrative Access
You need a user who can access the Secure Login Administration Console (SLAC) to configure CLM settings.

1.3. Supported SAP Releases
Your SAP systems must support the CLM client components:

The ABAP stack must be on a release level that includes CLM functionality
(SAP note 2452425 – Collective Note – SAP SSO Certificate Lifecycle Management for ABAP explains requirements). The Java stack must also meet the CLM prerequisites.

1.4. Required Authorizations

For configuration tasks, you need:

A user with SLAC_CERT_ADMIN/SLCLM_ADMIN/SLAC_SUPERADMIN or equivalent permissions in the Secure Login Administration Console.

2. Configuration of Destination (Connecting SLS to the PKI / NDES Server

(This step must be completed before creating certificate profiles)
Before defining any certificate profiles in Secure Login Server (SLS), you must configure a destination that allows SLS to communicate with your PKI infrastructure (typically Microsoft NDES). SLS uses this destination to forward CSR requests and to retrieve issued certificates, acting as a broker between SAP systems and the PKI server.
This is a mandatory step because without a properly configured destination, SLS cannot reach the PKI, and no certificate enrollment or renewal will work.

1. Open the Destinations Area in NWA
   In the SLS (AS Java) system:

Go to NetWeaver Administrator (NWA)
Navigate to:
Configuration → Infrastructure → Destinations

This area allows you to create HTTP/S destinations that SAP components use to reach external systems.

2. Create a New Destination
   Create a new destination dedicated to your PKI/NDES server.
   Recommended Naming Convention
   Use a name that reflects your PKI or environment (e.g.,):
   NDES_PROD
   NDES_QA
   PKI_SCEP

This improves clarity when assigning the destination later in SLS certificate profiles.

3. Configure Destination Type
   Set the destination type to: HTTP Destination, Since NDES SCEP endpoints are exposed over HTTPs, this ensures compatibility.

4. Enter the SCEP URL of the NDES Server
   In the Connection Information section, enter the full SCEP endpoint URL of your PKI/NDES server.
   For example (generic format):
   https://<ndes-hostname>/certsrv/mscep/

This URL points to the NDES SCEP service used for certificate enrollment.

5. (Optional) Configure Logon Data
   Depending on your PKI security configuration, you may need to configure:

Basic Authentication with a technical service account Certificates for mutual TLS.
No authentication if internal trust is used. This must align with your PKI design.

6. Test the Destination
   After configuring:

Click “Ping Destination”
Ensure the HTTP/HTTPs connection is successful
If the response is reachable, SLS can now communicate with NDES

Remark: even though HTTPs is configured, the success message still shows HTTP.

SLS relies on this destination for all CLM certificate operations.

7. Why this destination is critical
   This destination is used internally by SLS for:

Forwarding Certificate Signing Requests (CSR) to NDES
Receiving signed certificates
Validating enrollment responses
Triggering certificate renewals
Communicating over the SCEP protocol

Without this destination, all profiles (TLS, SNC, Client) and enrollment workflows will fail because SLS would have no path to the PKI infrastructure.

8. How It Fits Into the Overall CLM Workflow
   Once the destination is created:
   SAP System → SLS → (Destination) → NDES/PKI → CA → SLS → SAP System

3.1 Configuring Secure Login Server for CLM

Before you configure anything in the Secure Login Administration Console (SLAC), you must prepare SLS to accept certificate‑based authentication from SAP systems. This requires creating a dedicated logon stack.

The formal SAP help document link can be found here. The steps below describe the summary main steps with clarifying screen shots.

1. Create a Logon Stack in SLS

1.1 Create a Logon Stack in NWA

Begin by opening the NetWeaver Administrator (NWA) of the Secure Login Server and navigating to:

Configuration → Authentication and Single Sign‑On → Logon Stacks

Here you create a new logon stack. Choose a name that clearly indicates it is intended for CLM system authentication, such as Client_Cert_CLM

1.2 Steps to Create the Logon Stack

1. Open the NetWeaver Administrator (NWA) for SLS.
2. Navigate to:
   Configuration → Authentication and Single Sign‑On → Logon Stacks
3. Create a new logon stack with a name that clearly indicates it is intended for CLM client authentication (for example, CLM_ClientAuth).
4. Add a single login module to this stack:
   SecureLoginModuleUserDelegationWithSSL

**Configure the Three Key Attributes**
This module requires three important attributes that control how certificates are validated:
🔹 Rule1.subjectName

Used to filter acceptable certificate subjects using a regular expression.
If you set it to the wildcard pattern:
(.*)

it effectively accepts any subject. Even with the wildcard, the Common Name (CN) of the system certificate must still match one of the system entries you later configure in the Secure Login Administration Console (SLAC).

🔹 Rule1.issuerName

Controls which certificate issuers are allowed.
Typically also set to:
(.*)

This disables strict issuer filtering and allows any issuer that SLS already trusts through its root CA store.

🔹 UserMappingMode

Must be set to: VirtualUser

SAP systems do not exist as users in the UME. Therefore, SLS maps each system certificate to a virtual identity, and these identities are filtered and managed later in SLAC.

1.3. Purpose of the Logon Stack

This logon stack is used by every application profile in CLM.
It ensures that SAP systems can authenticate securely when requesting new or renewed certificates. This logon stack forms the authentication foundation for all certificate lifecycle operations in SLS. Every CLM application profile will reference it.
By configuring:

The SecureLoginModuleUserDelegationWithSSL module,
The subjectName and issuerName rules, and
Virtual user mapping

You ensure that:
✔ SAP systems authenticate themselves correctly via SSL client certificates
✔ Certificate enrollment and renewal requests are validated through the defined rules
✔ System‑to‑certificate mapping is handled through virtual identities (since systems do not exist in UME)
✔ CLM workflows function seamlessly from initial enrollment through automatic renewal
✔ Every SAP component—ABAP, Java, Web Dispatcher, Host Agent, HANA—can make use of this same logon stack This logon stack is therefore reused across all application profiles in CLM, ensuring consistency and secure handling of certificate requests throughout the entire SAP landscape.

1.4 Configuration of Certificate Profiles

After preparing the logon stack, the next step in setting up Certificate Lifecycle Management (CLM) is to define the certificate profiles inside the Secure Login Server (SLS). These profiles describe what type of certificates SAP systems should request and how SLS should communicate with the backend CA/NDES to obtain them.
Each certificate profile represents a specific certificate purpose (such as SNC or TLS) and includes the rules that control certificate enrollment, renewal, and template mapping.

The profiles are created via SLAC:

SLAC -> Profile management -> Authentication profiles -> Create

1. Registration Agent Profile (Used for Enrollment Requests)
   The first profile that must be created is the Registration Agent (RA) profile.
   This profile is responsible for handling initial certificate enrollment requests coming from SAP systems.
   It acts as the “front door” for: Receiving enrollment metadata from SAP components, forwarding Certificate Signing Requests (CSR) to NDES and Returning the signed certificate back to the SAP system. Every system type—ABAP, Java, HANA, Web Dispatcher, Host Agent—uses this RA profile during enrollment.

fill the required entry as per organization details. and CA for issuing certificates create PKI structure under certificate management

Create Certificate Profiles for Each Required Certificate Type

✔ Initial_TLS_Cert_SAN

Used for First‑Time SAN‑Based Enrollment & Renewal and This profile is required for the very first certificate issuance when: You are enrolling a system for the first time and want the initial certificate to follow SAN requirements (as enforced by modern PKI policies)

✔ SNC Certificate Profile

Used for systems that use Secure Network Communication (SNC) with X.509 certificates.

✔ TLS Server Certificate Profile

Disclaimer:
This page covers only the architecture and configuration required for SAP certificate automation.
For the full enrollment and renewal procedure, please refer to 👉 “SAP Certificate Enrollment & Renewal Automation Process” page dedicated to the operational workflow.