IMPORTANT: Migration from SHA-1 to SHA-2 Certificate
If you are an existing SAP Cloud for Customer customer, your official contact in the Service Center Work Center received an email with the same information described in this document.
Due to the globally announced plans to deprecate SHA-1 certificates and migrate to SHA-2 for better security, our current SSL server certificates will be re-issued with the SHA-2 signature hash algorithm from a new certificate authority (Baltimore Cybertrust Root).
For modern end-user browsers, this should not have an impact. For system integration (for example, C4C integration to SAP ERP), please use the link below to ensure the integration does not experience any disruption. The link includes the new SSL server certificate and instructions.
https://mdocs.sap.com/mcm/public/v1/open?shr=o3Kh1YLgozz0CMcjanSHyPKKckGibsYHEJdd_1Kf3y0
Hi Ginger,
Should the new SSL server certificate from the link be in SHA-1 or SHA-2 format? The reason I ask is that the new SSL server certificate from the given link still has the same certificate details I have had since January. Will SHA-2 only be effective from August 15th, 2015 onward?
We are using the same certificate for C4C integration to SAP CRM.
Regards,
Aiivenn
@Ginger Gatling, as stated in the previous comment, the link you provided points to a certificate using SHA-1 and not SHA-2. Is it the right certificate?
Thanks a lot,
Francesco
Hi Ginger
I had a look, and the certificate provided for download is still SHA1-encrypted. Is there any news on whether this is the certificate we should install? It's different from the current one in our tenant (which is GTE CyberTrust and valid until April 2017) but it's still SHA1.
Thanks and regards
Matt
Hi Matthias
I have forwarded this to the right folks to answer.
Zareh Vazquez, Guru Shetti - can you help?
-ginger
Here is the answer from Guru:
We are aware that the Baltimore Root CA is SHA1.
"The signature algorithm of a root certificate basically doesn’t matter at all. The only part of a root certificate that is relevant during a certificate check is its public key, because this is the one that is used for checking the signature of the intermediate CA certificates. The integrity and validity of the root certificate is postulated as given (e.g. by including it into a client’s trust list):
The hashing algorithm used in the signature is only important for those certificates whose signatures need to be checked during the TLS handshake, and these are only the leaf and the intermediate certificates."
To summarise: "SHA-1 based signatures for trusted root certificates are not a problem because TLS clients trust them by their identity, rather than by the signature of their hash".
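The point in the answer above, that only the leaf and intermediate signatures are checked while the root is trusted by identity, can be expressed as a chain check. This is an added example, not part of the original thread or of SAP's tooling; the function names, the helpers `enc` and `cert`, and the skeleton chains `OLD` and `NEW` are constructed for illustration, and a self-issued certificate is assumed to be the trust anchor from the client's trust list.

```python
SHA1_SIG = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # sha1WithRSA, ecdsa-with-SHA1

def tlv(buf, pos=0):
    """Read one DER TLV; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(value):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def oid(body):
    """Decode a DER OBJECT IDENTIFIER body to dotted notation."""
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last byte of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def inspect(der):
    """Return (signature algorithm OID, issuer == subject) for one certificate."""
    tbs, alg, _sig = children(tlv(der)[1])
    f = [c for c in children(tbs[1]) if c[0] != 0xA0]  # drop optional [0] version
    return oid(children(alg[1])[0][1]), f[2][1] == f[4][1]  # f[2] issuer, f[4] subject

def sha1_links(chain):
    """Indexes of certs whose SHA-1 signature gets verified (self-issued = anchor, assumed)."""
    found = (inspect(der) for der in chain)
    return [i for i, (sig, anchor) in enumerate(found) if sig in SHA1_SIG and not anchor]

def enc(tag, *parts):  # hypothetical helper: DER TLV with short-form length
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def cert(subject, issuer, tail):  # constructed skeleton; tail 05 = sha1WithRSA, 0b = sha256WithRSA
    name = lambda s: enc(0x30, enc(0x0C, s.encode()))
    alg = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d0101" + tail)), enc(0x05))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), alg,
              name(issuer), enc(0x30), name(subject), enc(0x30))
    return enc(0x30, tbs, alg, enc(0x03, b"\x00"))

OLD = [cert("leaf", "Inter", "05"), cert("Inter", "Root", "05"), cert("Root", "Root", "05")]  # constructed
NEW = [cert("leaf", "Inter", "0b"), cert("Inter", "Root", "0b"), cert("Root", "Root", "05")]  # leaf first
```

For real certificates, convert each PEM block with `ssl.PEM_cert_to_DER_cert` and pass the resulting DER bytes in leaf-first order.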
Hi Ginger
Thanks for the quick follow-up. This makes sense. So the new crm.ondemand.com wildcard certificate and the intermediate certificate above it will be replaced with certificates using an SHA2-encrypted hash (see my screenshot of current certificate chain below).
One more question, though (sorry): Will the users need to update their mobile applications (iPad, Windows 8) on the day of the certificate update or have the new root certificates already been supplied with one of the recent app updates? Or, if the apps use certificate pinning, do they have both the old and the new *.crm.ondemand.com certificate included?
Thanks again,
Matt
Guru Shetti - can you help here?
Hello Matthias,
The new Baltimore CA certificates are already available within the mobile OS (iOS and Win 8). Therefore no update of the apps is needed.
Thanks,
Guru
Hi Ginger Gatling, this change in the certificate will be effective from August 15 according to the information we have. My managers want to know if we can perform any kind of test between PI and C4C in our TST tenant before August 15th.
I'm not sure it is possible, since as I understand it the change will be effective for all tenants on August 15th, but could you please confirm?
Another question I have is whether we should replace the certificate, or whether adding it will be enough.
I appreciate your comments.
Regards.
Mario Contle.
I just got information about this: adding the Baltimore Cybertrust root is sufficient. No need to replace.
And because this is effectively a data center change, we can't test in our test tenant first.
Regards.
Mario.
Good one Ginger. Thanks for sharing
Regards
Harish
Hi Ginger,
The link for "new SSL server certificate and instructions" does not show any shared documents. Can you please advise?
Kind Regards
Saima
Hi Ginger,
The link shared is no longer available, do you have an updated link?
Kind regards,
Kim