How to fix SAP error SCLNT_HTTP421?

What causes this issue? The SSL certificate for the server is not known as trusted in the PSE file.System Response The system issues an error message and will not allow you to continue with this transaction until the error is resolved. How to fix this error? If the SSL certificate for the server is to be made trusted, it must be included in the list of trusted certificates in the PSE file. This can be done by executing transaction STRUST.Procedure for System Administrators Error message extract from SAP system. Copyright SAP SE.

How To Fix SCLNT_HTTP421 - SSL certificate not trusted (ICM_HTTP_SSL_PEER_CERT_UNTRUSTED)

Instant Help Get instant SAP help. Start your 7-day free trial now.

SAP Error Message - Details

Message type: E = Error
Message class: SCLNT_HTTP - Messages for HTTP Client for Respective Error Code
Message number: 421
Message text: SSL certificate not trusted (ICM_HTTP_SSL_PEER_CERT_UNTRUSTED)
Show details Hide details
What causes this issue?
The SSL certificate for the server is not known as trusted in the PSE
file.
System Response
The system issues an error message and will not allow you to continue with this transaction until the error is resolved.
How to fix this error?
If the SSL certificate for the server is to be made trusted, it must be
included in the list of trusted certificates in the PSE file. This can
be done by executing transaction STRUST.
Procedure for System Administrators

Error message extract from SAP system. Copyright SAP SE.

Smart SAP Assistant

What is the cause and solution for SAP error message SCLNT_HTTP421 - SSL certificate not trusted (ICM_HTTP_SSL_PEER_CERT_UNTRUSTED) ?

The SAP error message SCLNT_HTTP421 SSL certificate not trusted (ICM_HTTP_SSL_PEER_CERT_UNTRUSTED) indicates that the SSL certificate presented by the server is not trusted by the SAP system. This typically occurs when the certificate is self-signed, expired, or not issued by a trusted Certificate Authority (CA).

Causes:

Self-Signed Certificate: The server is using a self-signed SSL certificate that is not recognized by the SAP system.
Expired Certificate: The SSL certificate has expired and is no longer valid.
Untrusted CA: The certificate is issued by a CA that is not included in the trusted root CA store of the SAP system.
Intermediate Certificates Missing: The server may not be providing the full certificate chain, leading to trust issues.
Incorrect Hostname: The hostname in the certificate does not match the hostname being accessed.

Solutions:

Import the Certificate:
- If the certificate is self-signed or from an untrusted CA, you can import the certificate into the SAP system's trust store.
- Use transaction STRUST in the SAP GUI to manage SSL certificates.
- Follow these steps:
  - Open transaction STRUST.
  - Select the appropriate SSL client or server SSL settings.
  - Import the certificate by clicking on the "Import" button and selecting the certificate file.
  - Save the changes.
Check Certificate Validity:
- Ensure that the SSL certificate is valid and not expired. If it is expired, you will need to renew it.
Verify Certificate Chain:
- Ensure that the server is providing the complete certificate chain, including any intermediate certificates. If not, you may need to configure the server to send the full chain.
Update Trusted CA List:
- If the certificate is from a CA that is not trusted, consider adding the CA's root certificate to the SAP system's trust store.
Hostname Verification:
- Ensure that the hostname in the URL matches the Common Name (CN) or Subject Alternative Name (SAN) in the SSL certificate.
Check SAP Notes:
- Look for relevant SAP Notes that may provide additional guidance or patches related to SSL issues.

Related Information:

Transaction STRUST: This transaction is used to manage SSL certificates in SAP systems.
SSL Configuration: Ensure that the SSL configuration in the SAP system is correctly set up to handle secure connections.
Network Configuration: Check firewall and network settings to ensure that they are not interfering with SSL connections.
Documentation: Refer to SAP documentation for detailed steps on SSL configuration and certificate management.

By following these steps, you should be able to resolve the SCLNT_HTTP421 error and establish a trusted SSL connection.

Instant Help Get instant SAP help. Start your 7-day free trial now.

Related SAP Error Messages

Click the links below to see the following related messages:

SCLNT_HTTP420 SSL Server Certificate has expired (ICM_HTTP_SSL_PEER_CERT_EXPIRED)
What causes this issue? The SSL certificate for the server has expired or is not yet valid.System Response The system issues an error message and wi...
SCLNT_HTTP419 SSL is not initialized (ICM_HTTP_SSL_NOT_INITIALIZED)
What causes this issue? SSL has not been initialized correctly.System Response The system issues an error message and will not allow you to continue...
SCLNT_HTTP422 Timeout for connection to HTTP proxy (ICM_HTTP_PROXY_TIMEOUT)
Self-Explanatory Message Since SAP believes that this specific error message is 'self-explanatory,' no more information has been given.The majority of...
SCLNT_HTTP423 Connection to HTTP proxy canceled (ICM_HTTP_PROXY_CONN_CLOSED)
Self-Explanatory Message Since SAP believes that this specific error message is 'self-explanatory,' no more information has been given.The majority of...

Click on this link to search all SAP messages.

ERPlingo simplifies finding the accurate answers to SAP message errors. I now use every week. A must have tool for anyone working with SAP! Highly recommended!

Kent Bettisworth
Executive SAP Consultant