SAP Business One B1i SSL Integration Installation (Details)

See my video on the B1i installation process including my AutoSSL tool by clicking here.

Main SAP Note 2019275 (click for link)
NOTE: This article has been adapted from the main SAP note and expanded upon based on several installations.


  1. You need to have B1i installed
  2. You need the current .keystore password located at: C:\Program Files (x86)\SAP\SAP Business One Integration\IntegrationServer\Tomcat\conf\server.xml
  3. Search the XML document for the keystorePass attribute. Default that I have observed has been sapB1iP
  4. You need a domain name associated with your raw IP address. IE, as an example. This must resolve to their static IP address with an A record in the subdomains DNS.

Initialize OpenSSL

  1. Go to:
  2. Download and install Visual C++ 2008 Redistributables (x64)
  3. Download and install Win64 OpenSSL v1.0.2d Light
  4. Install everything with default settings
  5. Start Run and run “cmd /admin” or manually run Command Prompt as Administrator. This is critical because it will give you various failed RND errors especially on Server 2012
  6. Navigate to C:\OpenSSL-Win64\bin
  7. Enter:
    set OPENSSL_CONF=c:\openssl-win64\bin\openssl.cfg


  8. WARNING Carefully inspect your CMD outputs when entering the code below. If at any point you see the term “Unable to write ‘random state'” then you need to enter the following:

    set RANDFILE=.rnd


(NOTE: View these screenshots to see what a successful command completion looks like, some of the commands do not produce a positive confirmation, they simply advance to the next line. After a series of commands, these screenshots will show you what the result should be.)

Create Root Server Certificate

(Keep in mind you can copy and paste these into the command prompt, but you have to click the icon in the upper left, Edit >> Paste. CTRL + V will NOT work!)

Anything highlighted in YELLOW needs to be modified, everything else you can leave the same.

  1. Enter:
    openssl genrsa -out ServerKey.key 1024


  2. Enter:
    openssl req -new -x509 -key ServerKey.key -out myCA.cer -days 3650 -subj /CN="custom_CA_name"


  3. custom_CA_name can be whatever you want and shows up later when installing on the mobile devices as the profile name.

Create Self-Signed Certificate for Domain

  1. Enter:
    openssl genrsa -out ClientKey.key 1024


  2. Enter:
    openssl req -new -key ClientKey.key -out CertReq.csr -subj /CN="server_domain_name"
  3. server_domain_name must be your subdomain which was created in Prerequisites step #4. Something like You will eventually feed this back to your mobile app using the server (or whatever your SSL port is). This can simply be your IP address ( for example, NO PORT IS REQUIRED for this step just the IP address) as well and does not need to have the HTTP:// or HTTPS:// in front of it. (*Special thanks to Heath Gardner for testing the IP address theory and verifying that it works.)


  4. Enter:
    openssl x509 -req -days 3650 -in CertReq.csr -CA myCA.cer -CAkey ServerKey.key -CAcreateserial -out ClientCert.crt


Deploy the Certificate

  1. Enter:
    openssl pkcs12 -export -inkey ClientKey.key -in ClientCert.crt -out keystore.pkcs12
  2. You will be prompted to enter a password, which will be the password from Prerequisites step #2-3 (should be sapB1iP). You will enter the password, but you will not see anything in the command prompt, this is NORMAL. You will have to confirm and you will also see nothing when typing the confirmation password, this again is normal.


  3. Manually copy (using regular File Explorer) the file C:\OpenSSL-Win64\bin\keystore.keystore.pkcs12 to C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/
  4. In command prompt, change directory to C:\Program Files (x86)\SAP\SAP Business One Integration\IntegrationServer\Tomcat
  5. NOTE: the next step might vary depending on your Windows Server version. I have observed different behaviours.
  6. Enter:
  7. Push Enter
  8. If the file is found and you see the help then follow the next steps, if the file is NOT found then go to “Deploy the Certificate (Option #2). If the file is found, then continue with the next steps.
  9. NOTE: See screenshot after step 16 for successful confirmation prompts.
  10. Enter:
    keytool -delete -alias tomcat -keystore ./webapps/B1iXcellerator/.keystore -storepass sapB1iP
  11. Use your password from Prerequisites step #2. Likely to be sapB1iP.
  12. Enter:
    keytool -importkeystore -srckeystore ./webapps/B1iXcellerator/keystore.pkcs12 -srcstoretype PKCS12 -destkeystore ./webapps/B1iXcellerator/.keystore -deststoretype JKS -deststorepass sapB1iP -srcstorepass sapB1iP
  13. Use your password from Prerequisites step #2. Likely to be sapB1iP.
  14. Enter:
    keytool -changealias -alias 1 -destalias tomcat -keystore ./webapps/B1iXcellerator/.keystore -storepass sapB1iP
  15. Use your password from Prerequisites step #2. Likely to be sapB1iP.
  16. All steps should be successful at this point:


Deploy the Certificate (Option #2)

  1. If you do not find keytool installed in the environmental variables we have to manually run the program from the exe directory and declare our keystore files with their whole drive paths as follows.
  2. In command prompt, change directory to C:\Program Files (x86)\SAP\SAP Business One Integration\sapjre_7_64\jre\bin
  3. This directory is where the keytool exists so we need to run the following from here. To confirm you have the right directory, in the command prompt enter: keytool and push enter and you should see a help prompt. This means you have the correct directory.
  4. NOTE: See screenshot after step 10 for successful confirmation prompts.
  5. Enter:
    keytool -delete -alias tomcat -keystore "C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/.keystore" -storepass sapB1iP
  6. Use your password from Prerequisites step #2. Likely to be sapB1iP.
  7. Enter:
    keytool -importkeystore -srckeystore "C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/keystore.pkcs12" -srcstoretype PKCS12 -destkeystore "C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/.keystore" -deststoretype JKS -deststorepass sapB1iP -srcstorepass sapB1iP
  8. Use your password from Prerequisites step #2. Likely to be sapB1iP.
  9. Enter:
    keytool -changealias -alias 1 -destalias tomcat -keystore "C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/.keystore" -storepass sapB1iP
  10. Use your password from Prerequisites step #2. Likely to be sapB1iP


Restart B1i Server

  1. Find the “Run” prompt
  2. Enter
  3. Shut down SAP Business One Integration Service, SAP Business One EventSender Service, SAP Business One DI Proxy Service, SAP Business One DI Proxy Service Monitor. Shut them down in that order.
  4. Start them up in the same order you shut them down.

Installing on Your Devices

Procedure for iOS devices

  1. Email C:\OpenSSL-Win64\Bin\myCA.cer file to the iOS device
  2. NOTE: The certificate file will most likely not be visible in your mail client (Outlook, etc.), you have to send it unzipped to the mobile devices where it will be visible to install.
  3. Click the email attachment to install the CA into the system

Procedure for Android devices

  1. Copy the C:\OpenSSL-Win64\Bin\myCA.cer file via a microSD card onto the Android device
  2. Install the file via Settings -> Security -> Credential Storage and selecting “Install from storage” and follow the prompts


You should now be able to login using your mobile app. This procedure should add a little bit more detail from the basic SAP note. Please let me know if you have any other questions. Thank you!

24 thoughts on “SAP Business One B1i SSL Integration Installation (Details)”

  1. Hi i both a certificate from godaddy but i can’t make it work. Do you have procedure to import the 3 keys i received from them the 3 keys are root, intermed and domain.


  2. I am having issue with Install Dashboard it keeps on giving error message that Integrated Services is not running

    I am using SQL 2014 and WIn server 2012

  3. Hi, If I want to make an internal connection from my iPad to my local machine, what would my “Customer_CA_Name” be?

  4. When sending the certificate to my ios device it comes through as a .dat file is there something im doing wrong

  5. We are have followed all the steps and installed certificates in Android Mobiles but getting error as connection failed pls help

  6. Hi Mike,
    I have run into with such problem. When I wanted to run
    keytool -delete -alias tomcat -keystore “C:/Program Files (x86)/SAP/SAP Business One Integration/IntegrationServer/Tomcat/webapps/B1iXcellerator/.keystore” -storepass sapB1iP
    command the problem was shown:
    keytool error: java.lang.Exception: Alias does not exist
    i have checked in path C:\Program Files\Java\jre1.8.0_112\bin also.

  7. Hi Mike,

    When I tried to Convert PKCS1 keystore into Java keystore, I am getting this error-“keytool error: PKCS1 not found”.

    C:\Program Files (x86)\sap\SAP Business One Integration\sapjre_64\bin>keytool -i
    mportkeystore -srckeystore “C:\Program Files (x86)\sap\SAP Business One Integrat
    ion\IntegrationServer\Tomcat\webapps\B1iXcellerator\keystore.pkcs1” -srcstoretyp
    e pkcs1 -destkeystore “C:\Program Files (x86)\SAP\SAP Business One Integration\I
    ntegrationServer\Tomcat\webapps\B1iXcellerator\.keystore” -deststoretype JKS -de
    ststorepass sapB1iP -srcstorepass sapB1iP
    keytool error: PKCS1 not found

    C:\Program Files (x86)\sap\SAP Business One Integration\sapjre_64\bin>

    Please help me out!!!


    • Hey Abhi, could be the curly quotes around your code there. As a best practice you can paste the code into a text editor and switch the quotes from “ to “. The first are “curly” quotes in rich text format and this will throw things off. You need them to be simple ” quotes. You could also check out my YouTube video about B1i installation and SSL creation and download my AutoSSL tool which will do the whole process for you. See that here:

  8. Thanks, Mike

    But after SSL creation & installation onto mobile successfully now it’s throwing me error as “To gain Access, contact your system administrator and supply the following information: Company, User, Phone, DeviceID ” even after updating the same details in my SAP B1 client.


Leave a Comment