PowerConnect for SAP Solutions

Destination Certificates

Overview

The SAP BTP Destination service provides a central place to define and manage outbound connections from applications running on SAP BTP to remote systems and services. Destinations can include connection details, authentication configuration, proxy settings, and certificates used for secure communication.

The Destination service also supports certificate management for destinations, including uploaded client certificates, trusted certificates, CA certificates, and certificates used for mTLS/client-certificate authentication. SAP notes that uploaded certificates can be accessible through REST APIs, including private certificate material where applicable, so API access should be restricted carefully.  

The PowerConnect Cloud agent collects certificate metadata from the SAP BTP Destination service Certificates API to help monitor certificate inventory, validity, expiry, and usage across SAP BTP environments.

Data Collected

Destination service certificate inventory

Certificate name / alias

Certificate type

Certificate subject

Certificate issuer

Certificate serial number

Certificate fingerprint

Certificate validity start date

Certificate expiry date

Days until expiry

Certificate status

Associated destination information, where available

Certificate metadata and tags, where available

APIs Used

SAP BTP Destination Service Certificates API

SAP BTP Destination Service REST API

OAuth client credentials / service binding credentials for API access

Status

Generally Available

Configuration

Get API User Details

PowerConnect Cloud requires access to the SAP BTP Destination service API to extract certificate information. The most secure way to do this is to create or use a service binding / service key for the SAP Destination service instance in your SAP BTP tenancy.

To do this, follow the steps below for your environment:

  1. Log in to the SAP BTP Cockpit.

  2. Navigate to your subaccount.

  3. Under Services → Instances and Subscriptions, find your Destination service instance.

  4. Open the service instance and create or view the service binding / service key credentials.

  5. Note down the following values:

    • uri or url

    • clientid

    • clientsecret

    • identityzone

    • uaadomain

    • url / certurl, if present

Depending on the service plan and credential type, the credential structure may differ slightly. Some bindings may also contain certificate-based authentication fields instead of, or in addition to, a client secret. SAP Cloud SDK documentation notes that SAP BTP service bindings may support X.509-based credentials for services including Destination service.  

Adding the Destination Certificates Input to PowerConnect Cloud

  1. Log in to the PowerConnect Cloud web UI.

  2. Click on the Inputs link in the menu bar.

  3. Click the + button to add a new Input.

  4. Choose certificates-cf under BTP Platform.

  5. Fill in the details on the form using the API authentication values from the step above.

  6. Fill in the System ID.

    The System ID maps to the source field in Splunk/Dynatrace and is used by dashboards to group related system events.

  7. Choose the Splunk output you wish to send the Destination certificate data to.

  8. Click Save.

The Input is now created.

Configuration Options

| Configuration | Description | Required | Default Value | Comments |
|---|---|---|---|---|
| How frequently to poll for new data in seconds | How often the input will check for certificate data | True | 3600 seconds | Certificates usually do not need to be checked every minute |
| Unique Identifier for the Input | A unique ID for the input | True | | Spaces are not allowed |
| Friendly name for the Input | Friendly name for the input | True | | |
| System ID | System ID or SID of the system. The value of this field will be mapped to the source field in Splunk and is used in dashboards for grouping related system events | True | | |
| Enable Data Collection | Enable / Disable the Input | True | True | |
| SAP BTP platform host | SAP BTP platform host | True | | Usually from the uri or url field |
| Identity zone | Identity zone | True | | identityzone field |
| Client Id | Client Id of the Destination service API user | True | | clientid field |
| Client Secret | Client Secret/password of the Destination service API user | True | | clientsecret field |
| Page Size | Number of records to return in a single API call | False | 100 | |
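
A pre-flight check for the service key noted under Get API User Details, mapping it to the form fields in the table above without echoing the secret. This is an added example, not PowerConnect or SAP code. Assumptions: the function name, the sample values, the optional "credentials" wrapper, the preference for uri over url, and the X.509 field names (certificate, key) are illustrative and should be checked against your own binding.

```python
import json
from urllib.parse import urlparse

# Constructed sample service key; all values are placeholders, not real credentials.
SAMPLE_KEY = """{
  "uri": "https://destination.example.invalid",
  "url": "https://mytenant.auth.example.invalid",
  "clientid": "sb-example-client",
  "clientsecret": "EXAMPLE-SECRET",
  "identityzone": "mytenant",
  "uaadomain": "auth.example.invalid"
}"""

# PowerConnect form field -> service key fields to try, in order.
# Preferring "uri" over "url" for the host is an assumption of this example.
FIELD_MAP = {
    "SAP BTP platform host": ("uri", "url"),
    "Identity zone": ("identityzone",),
    "Client Id": ("clientid",),
    "Client Secret": ("clientsecret",),
}
SENSITIVE = {"Client Secret"}
# Field names assumed for X.509-based bindings; check your own binding.
X509_FIELDS = ("certificate", "key", "certurl")


def check_service_key(raw, input_id):
    """Map a service key to the input form; return (fields, problems)."""
    creds = json.loads(raw)
    creds = creds.get("credentials", creds)  # unwrap if the export nests the values
    fields, problems = {}, []
    for form_field, candidates in FIELD_MAP.items():
        value = next((creds[c] for c in candidates if creds.get(c)), None)
        if value is None:
            problems.append(f"missing value for '{form_field}' ({' or '.join(candidates)})")
        else:
            # Never echo the secret back to a terminal or log.
            fields[form_field] = "<redacted>" if form_field in SENSITIVE else value
    host = fields.get("SAP BTP platform host")
    if host and urlparse(host).scheme not in ("", "https"):
        problems.append("platform host is not https")
    if "Client Secret" not in fields and any(creds.get(f) for f in X509_FIELDS):
        problems.append("binding looks X.509-based; the form requires a client secret")
    if creds.get("key"):
        problems.append("key file contains private key material; restrict access to it")
    if not input_id or any(ch.isspace() for ch in input_id):
        problems.append("input identifier must be non-empty and contain no spaces")
    return fields, problems
```

An empty problems list means every required credential field on the form has a source value in the key.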