Technology Blog Posts by SAP
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Strengthening Security on SAP BTP Neo Environment with DigiCert Global Root G3

LyuboslavL
Associate
Associate
3 weeks ago
427

LyuboslavL_0-1760688028101.png

At SAP, keeping your data and applications secure is always a top priority.
To further strengthen the security of the SAP BTP Neo environment, we are migrating to the “DigiCert Global Root G3” Public Key Infrastructure (PKI). This update ensures long-term trust, improved encryption, and compliance with the latest international security standards.

Do You Need to Do Anything

For most customers, no action is required.
Modern web browsers (like Google Chrome and Mozilla Firefox) and up-to-date operating systems already trust the new DigiCert Global Root G3 certificate automatically.

However, if your organization manages certificates manually or maintains its own trust store, your technical team should add the new G3 certificate before the March 2026 deadline.
This ensures continued, secure access to SAP BTP services.

Important: Do not remove the existing G2 certificate — both should remain active during the transition.

Why This Matters

This change is part of SAP’s ongoing commitment to:

  • Keep your data and applications secure
  • Align with the latest global and national security standards
  • Ensure continued compatibility with modern browsers and systems

By making this upgrade, SAP is helping customers stay protected and ready for the future.

Timeline

The full migration to DigiCert Global Root G3 will take effect in March 2026.

Until then, both the G2 and G3 certificates will remain active to ensure a smooth transition.

How to Add the DigiCert Global Root G3 Certificate

If you manage your own trust stores, please follow these steps:

  1. Visit the DigiCert root certificate page: https://www.digicert.com/kb/digicert-root-certificates.htm
  2. Locate “DigiCert Global Root G3.”
  3. Download the appropriate certificate format for your environment.
  4. Verify the certificate fingerprint using your preferred tool (for example, with OpenSSL:
    openssl x509 -noout -text -in ./DigiCertGlobalRootG3.crt.pem -fingerprint)
  5. Follow your trust store’s instructions to add the certificate.

For guidance on managing trusted certificates for SAP BTP, see the BTP Trust Store on GitHub. To streamline future updates, we recommend applying the BTP Trust Store regularly or automating this process.

Affected Domains

This update applies to the following platform domains in the SAP BTP Neo environment:

*.<Region.Domain> 

*.dispatcher.<Region.Domain> 

*.cert.<Region.Domain> 

*.static.<Region.Domain> 

*.vms.<Region.Domain> 

*.netweaver.ondemand.com 

connectivitynotification.<Region.Domain> 

connectivitytunnel.<Region.Domain>

For a full overview of regions and domain hosts, see the SAP Help Portal.

Custom Domains

SAP-owned custom domains are not affected by this change until March 2026.
After this date, all new automated certificate renewals will use the DigiCert Global Root G3 certificate. New SAP-owned custom domains created after March 2026 will also use G3 by default.


Staying secure is a shared effort — and we’re making it easier for you.
With the DigiCert Global Root G3 upgrade, SAP BTP continues to offer a trusted, reliable, and compliant cloud environment for your business.