With version 70 of the Chrome browser is due for release in the year 2018 (beta version in September 2018 and stable version in October 2018). This version of the Chrome browser will distrust any Symantec-issued certificates prior to December 1, 2017, or from their old PKI infrastructure. Therefore, we are renewing the existing certificates prior to their schedule so that their replacements can be issued prior to the version 70 release of the Chrome browser. Once distrusted, users will be prevented from loading the affected resources. See Distrust of the Symantec PKI: Immediate action needed by site operators for more information.
This knowledge article will be used to consolidate and publish all SSL certificates with the tentative deployment date and public certificate download links. This article also contains an FAQ section with relevant information on this topic. We highly recommend you to read the FAQ section before reporting any tickets.
You will be affected if either of the below scenarios are applicable to you:
- Your Browsers does not have Digicert Certificates.
- You have an inbound communication integration to your BYD product.
The SSL certificates for your below URLs are scheduled to be updated with new CA vendor
Current CA Certificates:
VeriSign Class 3 Public Primary Certification Authority – G5
Symantec Class 3 Secure Server CA – G4
New CA Certificates:
DigiCert Global Root CA
DigiCert SHA2 Secure Server CA
Action for Customers/partners
If you consume any services under below mentioned URLs, please ensure that Digicert Root and Intermediate certificates are in the trust store of the calling client(Browser or System). You will be required to take this action before Friday – July 27th, 2018
We encourage you to bookmark this knowledge article. If you are not familiar with making the required changes, please notify your company’s internal IT department and request for the changes to be made as soon as possible.
Download new certificate
• Direct download – DigiCert Root and Intermediate Certificate.zip
Certificate Common Name
Tentative Deployment Date
What are these certificates used for?
These certificates are used for the SSL/TLS handshake that any system using the ‘secure’ protocol does before allowing connection to/from the system. In our case, SAP Business By Design uses the ‘secure’ HTTPS protocol and hence the SSL handshake is must for any system to connect to these URLs.
Are the new certificates known to modern web browsers?
DigiCert Root Certificates are automatically recognized by all common web browsers, mobile devices, and mail clients, therefore for browser scenarios there’s nothing to do. The same is true if one relies on the standard sapjvm trust list.
The CA root certificate is included in:
• SAP JVM patch level 8.1.035 or 7.1.054
• Cloud Foundry buildpack SAP-Java (sap_java_buildpack) version 1.6.15
How do I know if I am impacted by the certificate renewal?
You will be impacted by the certificate renewal activity, only if:
- You are using our APIs and have some integration scenario setup for your instance.
- You are using some middleware (E.g: SAP HCI/PI/Boomi) for integration setup.
- The domain for which the certificate is being renewed is the same as the domain you are using to access/connect to your system.
How do I download or install the certificate?
You must have admin access to the server where you need to install the certificate. If you do not have access to your company’s SSL server, notify your IT team and provide them the respective certificate download link from the above table.
How to check the certificate in my browser trust list?
• Open Internet Explorer. • On the Tools menu, click Internet Options • Navigate to tab “content” • Click on Certificates button.
• And check in “Trusted root certification Authorities” list and you should find “DigiCert Global Root CA”.
• Similarly check in “Intermediate Certification Authorities” list and you should find “DigiCert SHA2 Secure Server CA”.
• If the certificate is not present, please proceed with steps mentioned under: “How to import certificate into my browser?”
How to import the certificate into my browser?
• Open Internet Explorer.
• On the Tools menu, click Internet Options.
• On the Security tab, click “Custom Level” to open the Security Settings dialog box.
• Under “Reset custom settings”, select Medium in the “Reset to” box. Click OK to close the Security Settings dialog box.
Note: Certificates cannot be installed when the security setting is set to High.
• Navigate to tab “Content”
• Click on Certificates button.
• Go to tab “Trusted root certification Authorities” list and Import attached Digi Certificates using “Import” button at bottom.
• Ensure that “DigiCert Root and Intermediate” is added in the list.
What are the consequences if customer/partner doesn’t act on this?
Integrations to all the aforesaid are bound to break if the actions suggested are not taken before Jul 27, 2018.
What if the customer/partner does not use any of the listed scenarios?(i.e.: Your browser have DigiCert certificates already in the trust store, No Inbound integration scenario to Cloud for Customer)
Customer/Partner doesn’t have to take any action at their side.
I notice a discrepancy in the validity start date and end date mentioned in this knowledge article table and my downloaded certificate. What does this indicate?
Sometimes, due to time zone difference, you may see a different date in the downloaded certificate. There is no impact on the certificate update activity due to this. You will be renewing the certificate well in advance, before the certificate expiry date.
Is this change disruptive?
Yes, the change is disruptive. However, the change schedule falls under SAP standard regular maintenance window.