SAP BTP ABAP Environment – New Root Certificate Authority
Server certificates for the domains of the SAP BTP ABAP Environment are issued by DigiCert. In order to comply with changes to the Mozilla Root Store Policy, DigiCert started issuing certificates under a new “DigiCert Global Root G2” certificate authority (CA). Due to this change, new or updated server certificates of the SAP BTP ABAP Environment will be issued by this new CA, and no longer by the current “DigiCert Global Root” CA. In addition, new or updated server certificates of other SAP services, for example, SAP BTP, will also be issued by this new CA. For example, the certificates of SAP BTP Cloud Foundry environment are planned to be switched by the end of Q4 2023.
More details about the DigiCert Global Root G2 CA, the background, and testing options can be found in this blog post about the related changes in the SAP BTP Cloud Foundry environment.
Call to Action
Action is required to ensure that applications/services trust the new DigiCert Global Root G2 CA.
If you yourself manage the trust stores of client applications/services that connect to your SAP BTP ABAP Environment instance(s), add the DigiCert Global Root G2 CA to these trust stores so that your applications/services can still connect to the SAP BTP ABAP Environment instance(s) once the new server certificates are in use. This applies to all supported protocols.
Since different (external) client applications/services use different technical implementations for such trust stores, we cannot provide detailed instructions on how to configure them.
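One way to check a client trust store for the new root before the switch, shown here as an added example that is not SAP's own tooling: it assumes the trust store is a PEM bundle file, and the function names are hypothetical.

```python
import ssl
import sys
import time

NEW_ROOT_CN = "DigiCert Global Root G2"  # CA name as given in the announcement


def common_name(name):
    """Return the commonName from a subject/issuer tuple in ssl-module format."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def find_root(ca_certs, cn=NEW_ROOT_CN, now=None):
    """Return (status, cert); status is 'trusted', 'expired' or 'missing'."""
    now = time.time() if now is None else now
    for cert in ca_certs:
        # Exact match: a substring test would also accept other DigiCert roots.
        if common_name(cert.get("subject", ())) != cn:
            continue
        # A root is self-signed; skip an entry that only shares the name.
        if cert.get("issuer") != cert.get("subject"):
            continue
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            return "expired", cert
        return "trusted", cert
    return "missing", None


def check_bundle(pem_path):
    """Load a PEM bundle the way a TLS client would and look for the new root."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    return find_root(ctx.get_ca_certs())


if __name__ == "__main__":
    # Usage: python check_root.py /path/to/ca-bundle.pem  (path is an assumption)
    status, _ = check_bundle(sys.argv[1])
    print(f"{NEW_ROOT_CN}: {status}")
    sys.exit(0 if status == "trusted" else 1)
```

The exit code is non-zero when the root is missing or expired, so the check can run in a deployment pipeline for each client that keeps its own bundle.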
For outbound connections from your SAP BTP ABAP Environment instances, for example, towards other services in the SAP BTP Cloud Foundry environment, please check the trust settings for the DigiCert Global Root G2 CA in the Maintain Certificate Trust List application. If the CA is not contained in the list, click Check for Updates and add the certificate, or add it manually. You can also enable the Automatic Trust List Update to add new certificates from the SAP trust list automatically.