Changing the SAP BTP Cloud Foundry environment Root Certificate Authority
On May 4th 2023 it was announced that the root certificate authority (CA) used to issue the certificates on SAP domains for the SAP BTP, Cloud Foundry environment needs to be changed. The old CA “DigiCert Global Root CA” (G1) will be replaced by the newer “DigiCert Global Root G2” (G2).
Clients of applications offered by SAP and of those operated by customers must add the new CA certificate to their trust store in order to ensure a seamless transition.
Please see the Background section below for more technical details!
Call to Action
Check Your Trust Stores
If you have systems in which you manage the trusted certificates yourself, check if the G1 certificate exists in it. If it exists and the usage is related to SAP BTP products, please add the new G2 certificate to it. Do not yet remove the G1 certificate as both are needed for the transition period.
To download the G2 certificate:
- Go to https://www.digicert.com/kb/digicert-root-certificates.htm.
- In the list of certificates, search for `DigiCert Global Root G2`.
- Download the appropriate format for your trust store.
- Verify that the fingerprint of the downloaded certificate matches the one given on the website. With openssl, use this command (add `-sha256` to print the SHA-256 fingerprint instead of the default SHA-1):
openssl x509 -noout -text -in ./DigiCertGlobalRootG2.crt.pem -fingerprint
- Follow the instructions of your trust store to add the CA certificate to it.
Confirm Your Clients Are Ready For G2
We deployed a certificate issued by G2 to a subdomain. Point your clients at it to verify that they can establish a secure connection: https://digicert-global-root-g2.cfapps.eu12.hana.ondemand.com.
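The trust-store check and the client readiness check described above, written as a POSIX shell script around openssl. This is an added example, not SAP's or DigiCert's code. It assumes openssl is on PATH, that the trust store is a PEM bundle, and that the expected fingerprint is copied from the DigiCert root certificate page; the file names are assumptions, and the self-signed root that make_test_root generates is a constructed stand-in so the script can run offline (it is not the real G2 certificate). check_endpoint mirrors the test-subdomain step: it builds the chain using only the given bundle, so it fails exactly when a client trusting that bundle would.

```shell
#!/bin/sh
# Added example (not SAP's or DigiCert's code): inspect a PEM trust store for
# a root CA by SHA-256 fingerprint and append it only if the fingerprint
# matches the published value. Assumes openssl is on PATH; file names are
# assumptions.

# Print the SHA-256 fingerprint of one PEM certificate, colon-separated and
# upper-case, the form DigiCert lists on its root certificate page.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Print the subject of one PEM certificate.
cert_subject() {
    openssl x509 -noout -subject -in "$1" | sed 's/^subject=//'
}

# Split a PEM bundle into one file per certificate in a scratch directory
# and print the directory name.
split_bundle() {
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }' "$1"
    echo "$dir"
}

# Return 0 if the bundle contains a certificate with the given fingerprint.
truststore_has() {      # truststore_has bundle.pem FINGERPRINT
    bundle=$1; want=$(echo "$2" | tr 'a-f' 'A-F')
    dir=$(split_bundle "$bundle")
    found=1
    for c in "$dir"/cert-*.pem; do
        [ -f "$c" ] || continue
        if [ "$(cert_fingerprint "$c")" = "$want" ]; then found=0; break; fi
    done
    rm -rf "$dir"
    return $found
}

# Append a CA certificate to the bundle after its fingerprint matches the
# expected value, skipping it when already present. Returns 1 on mismatch.
add_to_truststore() {   # add_to_truststore bundle.pem ca.pem EXPECTED_FINGERPRINT
    bundle=$1; cert=$2; expected=$(echo "$3" | tr 'a-f' 'A-F')
    actual=$(cert_fingerprint "$cert")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual" >&2
        return 1
    fi
    if truststore_has "$bundle" "$expected"; then
        echo "already present: $(cert_subject "$cert")"
        return 0
    fi
    cat "$cert" >> "$bundle"
    echo "added: $(cert_subject "$cert")"
}

# Verify that a chain to HOST can be built using only the given bundle, the
# way a client with a self-managed trust store would. Needs network access.
check_endpoint() {      # check_endpoint host bundle.pem
    host=$1; bundle=$2
    openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$bundle" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed stand-in for a root CA so the script runs offline: a throwaway
# self-signed certificate, NOT the real DigiCert Global Root G2.
make_test_root() {      # make_test_root out.pem "CN"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 30 -subj "/CN=$2" 2>/dev/null
}

# Usage (expected fingerprint copied from digicert.com, placeholder here):
#   add_to_truststore /path/to/bundle.pem DigiCertGlobalRootG2.crt.pem "<SHA-256 fingerprint>"
#   check_endpoint digicert-global-root-g2.cfapps.eu12.hana.ondemand.com /path/to/bundle.pem
```

The fingerprint comparison is case-insensitive and the append is refused on any mismatch, so a wrong download cannot end up in the store; the G1 root is never touched, matching the advice to keep both during the transition.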
Watch For Updates
Changes to SAP BTP are announced on help.sap.com (and various other channels). You can subscribe to updates via mail, and we highly recommend doing so for the components and environments relevant to you, paying particular attention to entries marked “Action: Required”: those contain changes that might require action on your end. You can find more information about how to use the “What’s new” page in this help article.
Additionally, we send out notifications using the Cloud Availability Center (CAC). Please ensure you are subscribed to the products you are using and monitor the notifications sent out. Detailed information on how to use CAC can be found in the CAC User Guide. If you wish to view the previous event, you can search for event id “EV21611911”.
For more information on how to subscribe to receive important platform updates see Platform Updates and Notifications.
What Is a Trust Store?
Since maintaining trust between clients and servers is a critical task, central lists of trusted root certificate authorities have been established. One of those lists (also called trust stores) is the Mozilla Root Store. It provides the default CA certificates that are trusted by the Network Security Services (NSS) and other Mozilla products. NSS in turn is used by many other applications (including Chromium!).
Mozilla changed its Mozilla Root Store Policy that governs certificates added to the Mozilla root store. The main change is that certificates can no longer be valid for more than 15 years. Since the store currently contains certificates that violate the policy, Mozilla provided a transition schedule that details the handling of such certificates.
How Does This Affect the SAP BTP Cloud Foundry environment?
The default domains provided by the platform (for example: example.cfapps.eu10.hana.ondemand.com) use certificates issued by DigiCert for SAP. DigiCert’s current CA certificate “DigiCert Global Root CA”, which is used to issue those certificates, is valid from 2006 to 2031. This violates the new Mozilla root store policy. According to the transition schedule, Mozilla will stop trusting G1 for websites on April 15th 2026. DigiCert also provides a detailed overview of its certificates and how they are affected by this policy change.
To mitigate this issue, DigiCert created a new CA certificate “DigiCert Global Root G2” that conforms to the new policy. On March 8th 2023, DigiCert started issuing certificates using the G2 CA. This is done to prevent issuing certificates that will still be valid when Mozilla stops trusting G1.
We are aware that in many cases customers manage the trust store of their system on their own, instead of relying on a public trust store. Those customers need to act, as they must add the new G2 CA to their trust store. Otherwise, their clients will no longer trust the certificate of the platform and will fail to establish a secure connection to it. A full list of affected domains can be found in SAP Note 3327214.
Depending on the architecture of the client, the CA certificates might be obtained from different locations. Java, for example, uses the CA certificates bundled with the JRE. Please check with the vendor of your client software to confirm whether the G2 CA certificate is included.
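The policy point above (a root valid from 2006 to 2031 exceeds the 15-year maximum) can be turned into an audit of whatever trust store your client uses, so that other long-lived roots are found before their deprecation date rather than after. The script below is an added example, not SAP's, Mozilla's or DigiCert's code. It assumes openssl is on PATH and a PEM bundle as input; the file names are assumptions, and the two self-signed roots that make_test_root creates are constructed stand-ins with ten- and twenty-year validity so the audit runs offline.

```shell
#!/bin/sh
# Added example (not SAP's, Mozilla's or DigiCert's code): audit a PEM trust
# store for roots whose validity period exceeds the 15-year maximum in the
# Mozilla Root Store Policy. Assumes openssl is on PATH; file names are
# assumptions.

# Convert an openssl date such as "Nov 10 00:00:00 2031 GMT" into a
# fractional year (2031.85). Day-level precision suffices for this audit.
date_to_year() {
    echo "$1" | awk '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = i }
        { printf "%.3f\n", $4 + (mon[$1] - 1) / 12 + ($2 - 1) / 365 }'
}

# Validity period of one PEM certificate in (fractional) years.
cert_validity_years() {
    nb=$(openssl x509 -noout -startdate -in "$1" | sed 's/^notBefore=//')
    na=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    awk -v a="$(date_to_year "$nb")" -v b="$(date_to_year "$na")" \
        'BEGIN { printf "%.2f\n", b - a }'
}

# Return 0 if the certificate is valid for more than LIMIT years.
exceeds_limit() {       # exceeds_limit cert.pem LIMIT
    awk -v y="$(cert_validity_years "$1")" -v lim="$2" 'BEGIN { exit !(y > lim) }'
}

# Print one line per certificate in the bundle: FLAG or OK, the validity
# period in years, and the subject. FLAG means the root needs a replacement
# plan before browsers and other clients stop trusting it.
audit_bundle() {        # audit_bundle bundle.pem LIMIT
    bundle=$1; limit=$2
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }' "$bundle"
    for c in "$dir"/cert-*.pem; do
        [ -f "$c" ] || continue
        years=$(cert_validity_years "$c")
        subject=$(openssl x509 -noout -subject -in "$c" | sed 's/^subject=//')
        if exceeds_limit "$c" "$limit"; then tag=FLAG; else tag=OK; fi
        printf '%s\t%s years\t%s\n' "$tag" "$years" "$subject"
    done
    rm -rf "$dir"
}

# Constructed stand-ins so the audit runs offline: throwaway self-signed
# certificates, NOT the real DigiCert roots. DAYS sets the validity period.
make_test_root() {      # make_test_root out.pem "CN" DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$3" -subj "/CN=$2" 2>/dev/null
}

# Usage against a system bundle (path is an assumption):
#   audit_bundle /etc/ssl/certs/ca-certificates.crt 15
```

Run against the bundle your client actually loads, not only the system one: the Java cacerts file mentioned above, for instance, must be exported to PEM (keytool can do that) before this audit applies to it.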
Initial Roll-Out September 11th 2023
As with all changes that are potentially incompatible, we prepared communication three months prior to the change. Since the change was planned for September 11th, we’ve published release notes on May 4th. Along with it, we’ve released SAP Note 3327214 and sent out CAC Notifications to (potentially) affected customers.
On September 11th, the certificates of all regions were temporarily replaced by ones that have been issued by the G2 CA. After the roll-out we noticed increased error rates in our load balancer logs and were notified by stakeholders about connection issues.
The change was rolled back quickly, re-establishing the previous certificate.
From this we learned that our previous communication did not reach all stakeholders, and we are looking into ways to improve our communication strategy. The certificate change is inevitable and will need to happen due to the aforementioned deprecation of the G1 root certificate.
We will update the SAP Note and the community with any new information.
We will roll out the new certificates carefully and closely monitor the logs of our load balancers for any signs of issues. However, we rely on clients to trust the new certificate. We aim to have the certificate switched by the end of Q4 2023.