Former Member
Oct 08, 2012 at 12:25 PM

Expiration of X.509 certificates


I followed the SAP documentation to set up authentication using X.509 certificates, which worked.

The user certificate imported into SAP (table USREXTID) has subsequently expired. A new user certificate was acquired and imported into the user's browser, but NOT into SAP.

The issue is that, without having to update SAP, the user can successfully authenticate to SAP again using the new certificate. Therefore SAP is not distinguishing between the old expired certificate and the new certificate.

This creates a huge security issue. If the device containing the certificate is lost (for example), the certificate would be revoked. However, once the user has a new device and is issued with a new certificate, the old device would also be able to successfully log on to

The steps, in short, are:

1. Issue certificate to user
2. Load into USREXTID using SM31
3. Expire/revoke the certificate
4. Issue user with new certificate
5. Test logon - logon SUCCEEDS; the logon should FAIL (because the new certificate is not loaded into USREXTID)

We need to be able to ensure that only the current, valid certificate allows access to SAP. Can this be achieved?

The way that this is currently working means that we would have to change the user's DN every time a new certificate is issued; surely this can't be the case?
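The scenario in the post, as an added worked example (example code written for this page, not part of the original question and not SAP code): a CA issues two client certificates with the identical subject DN; the first is registered, expires and is replaced by the second, which is never registered. A mapping keyed on the subject DN alone, as the post describes, accepts the unregistered replacement; a mapping keyed on the certificate fingerprint accepts only the certificate that was enrolled, so a re-issue has to be registered explicitly, and the expired original is refused by the validity check under either scheme. The CA name, the user DN, the user ID JDOE and the validity periods are constructed for the example; whether a given SAP release offers a certificate-bound mapping is not something this page establishes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Scenario mirrors the post: a registered certificate that has expired, and an unregistered re-issue with the same DN.
type Scenario struct {
	CA      *x509.Certificate
	OldCert *x509.Certificate // registered, now expired
	NewCert *x509.Certificate // same DN, new serial and key, never registered
	ByDN    map[string]string // subject DN -> user ID: the DN-only mapping the post describes
	ByFP    map[string]string // SHA-256 fingerprint -> user ID: bound to one exact certificate
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a client-authentication certificate for subj under the CA.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subj pkix.Name, serial int64, from, to time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subj,
		NotBefore:    from,
		NotAfter:     to,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

func DNKey(c *x509.Certificate) string       { return c.Subject.String() }
func Fingerprint(c *x509.Certificate) string { h := sha256.Sum256(c.Raw); return hex.EncodeToString(h[:]) }

// BuildScenario creates the CA and both user certificates relative to now (all names are constructed).
func BuildScenario(now time.Time) Scenario {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp User CA"},
		NotBefore:             now.Add(-2 * 365 * 24 * time.Hour),
		NotAfter:              now.Add(2 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err := x509.ParseCertificate(caDER)
	must(err)
	// Both user certificates carry exactly the same DN; only serial, key and validity differ.
	user := pkix.Name{CommonName: "Jane Doe", Organization: []string{"Example Corp"}, Country: []string{"GB"}}
	old := issue(ca, caKey, user, 1001, now.Add(-400*24*time.Hour), now.Add(-35*24*time.Hour))
	renewed := issue(ca, caKey, user, 1002, now.Add(-30*24*time.Hour), now.Add(335*24*time.Hour))
	return Scenario{CA: ca, OldCert: old, NewCert: renewed,
		ByDN: map[string]string{DNKey(old): "JDOE"},
		ByFP: map[string]string{Fingerprint(old): "JDOE"}}
}

// Authenticate checks that c chains to ca and is valid at now, then resolves key(c) in registry (no revocation check).
func Authenticate(ca, c *x509.Certificate, now time.Time, registry map[string]string, key func(*x509.Certificate) string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return "", err
	}
	if user, ok := registry[key(c)]; ok {
		return user, nil
	}
	return "", errors.New("certificate is not registered for any user")
}

func main() {
	s := BuildScenario(time.Now())
	for _, c := range []*x509.Certificate{s.OldCert, s.NewCert} {
		_, dnErr := Authenticate(s.CA, c, time.Now(), s.ByDN, DNKey)
		_, fpErr := Authenticate(s.CA, c, time.Now(), s.ByFP, Fingerprint)
		fmt.Printf("serial %v: by DN err=%v; by fingerprint err=%v\n", c.SerialNumber, dnErr, fpErr)
	}
}
```

Note that it is the validity check, not the mapping, that stops the expired original here. For the lost-device case in the post, where the old certificate is revoked but not yet expired, a revocation check (CRL or OCSP) has to sit in front of the mapping; the example leaves that out on purpose.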