Skip to Content
Product Information
Author's profile photo Arun Senthil Kumar

All about Tenant Certificate renewal in SAP Cloud for Customer

In this blog-post, you will understand the activities involved in the renewal of a Tenant Certificate and how to get notified in advance about the expiry of the tenant certificate,

The tenant certificate is used to authenticate a call from a Tenant(Cloud for Customer client) to a Server(CPI/PI).
The tenant certificate is renewed once per year. This is a standard renewal process and cannot be disabled.

Where can I find my tenant certificate?

Tenant Certificate can be viewed/downloaded from the below path in Cloud for Customer tenant.

  1. Work center: Administrator
  2. Workcenter View: Common Tasks
  3. Click on Edit Certificate Trust List
  4. On the right-hand side, click on “View tenant Certificate


or

  1. Work center: Administrator
  2. Workcenter View: General Settings
  3. Click on Communication Arrangements
  4. Open any Outbound communication arrangement
  5. Click on View All
  6. Go to Technica data facet
  7. Under Outbound Communications: Basic Settings, On Certificate field, make sure that you have set it to “SAP Business ByDesign System Key Pair”
  8. Click on download
  9. Save it locally

How can I check the validity of the certificate?

You can open the certificate downloaded from the previous step and check the validity

You can also view the validity by viewing the certificate from the below path

Administrator WC=> Common Tasks => Edit Certificate Trust List => View Tenant Certificate

 

Note: You can notice that the messages from C4C to your external system start to fail with ‘Unathorized(401)’ errors if the validity of the certificate has expired already.

 

What actions should I have to perform to renew and after the renewal of the tenant certificate?

Actions need to be taken in C4C as well as the middleware(CPI). First, we will see what actions are required in C4C

You can notice that there is an option to renew the tenant certificate on the above image on the top right. You will be able to renew your tenant certificate by clicking on that button.

You can only renew the certificate if the validity will expire in the next 92 days.
Else you will get the error message

“Certificate can not be renewed. Certificate Validity is more than 92 days.”

There are no other actions from the C4C side, now the certificate has to be uploaded to the middleware. In the case of CPI as middleware

If Client Certificate-based authentication is used in the Iflows , then the certificate needs to be uploaded into all the Iflows where C4C is the sender. You can open the Iflow and click on configure to update the sender channel configuration. You can select and upload the Certificate downloaded as a part of the above steps and deploy the Iflow.

Note that this action has to be performed in each Iflow where C4C is the sender and hence it is advisable to use a User to Certificate mapping.

In the case of User to Certificate mapping, the certificate needs to be uploaded only inside the mapping and the Iflows can remain untouched. If it is used follow the below steps

  1. Go to Operations view of CPI
  2. Under “Manage Security”, Select the tile “Certificate-to-User Mappings”
  3. Select the Integration user of CPI
  4. Edit the mapping
  5. Upload the certificate from theabove steps
  6. Click on OK

 

That’s all the actions you need to take for completing the renewal process.

These actions have to perform on non-productive hours to avoid any unnecessary interruption in the data flow.

 

How can I get notified about the expiry of my tenant certificate?

To get a notification, first, you need to Scope the Business Task Management in the below path

In the next step, scope the question

Do you want to use e-mail to notify business users about Business Task Management items?

Once the above question is scoped and activated, Open the Fine tuning activity

“Business Task Management for User and Access Management”

Check the below tasks and “Save and Close” the Activity.

These notifications will be sent to all the Key users of the tenant.
The notification “Tenant Certificate is going to expire soon” can be seen under the bell Icon

If you wish to receive an email for the same, you have to manually subscribe to this notification using the above-highlighted  “Subscribe to Email” action.

SAP has a background job that keeps a check on the validity period of the tenant certificate. This job runs at the start of every month and if the tenant certificate is going to expire in the next 60 days, it will automatically renew the certificate and triggers the notifications with the subject ‘Tenant Certificate has been renewed’.

If the expiration date is between 60-90 days from the job’s run date, then it will trigger the notification with the following subject: ‘Tenant Certificate is going to expire soon’. The reason for the second notification is to inform the customer that the certificate will be renewed in the next run.

Kindly note that you will not receive any mails to IT contacts from SAP operations team for the expiry.

I hope this blog provides all the information required wrt the Tenant certificate renewal process and actions that need to be taken for uninterrupted message processing

 

Assigned Tags

      5 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo vishnupriya R
      vishnupriya R

      Thank you Arun!

      Useful blog to integrate C4C with CPI.

      Author's profile photo Ankitkumar Kaneri
      Ankitkumar Kaneri

      Thank you Arun for posting this blog, which will really help customers and partners to get their answers on the Certificate renewal concerns.

      Author's profile photo Samir Vora
      Samir Vora

      Hello Arun Senthil Kumar

      I cannot see "Business Task Management for User and Access Management" in my system - despite the scope question set to true.  Is this option no longer available or it sits somewhere else?  Thanks,

      Author's profile photo Stefan Barsuhn
      Stefan Barsuhn

      Samir Vora You need to scope Built -in Services and Support > System Management > User and Access Management, Question 'You can use business task management for user and access management' as well.

      Kind regards

      Author's profile photo Marisa König
      Marisa König

      Hi Arun, first of all - great blog post!

      I just have a short note regarding the notification, that the certificate will expire soon:

      If the expiration date is between 60-90 days from the job’s run date, then it will trigger the notification with the following subject: ‘Tenant Certificate is going to expire soon’. The reason for the second notification is to inform the customer that the certificate will be renewed in the next run.

      We did not get this notification as on August 1, the expiration date was 91 days away and on September 1 it was exactly 60 days and the certificate was automatically renewed (expiration date 31.10./ 1.11.). So unfortunately it is not always the case that there is a previous information about the certificate renewal.

      Regards,