
SAP Passport CA G2
Renewal of SAP Passport CA G2 certificate common questions:
The Intermediate Certificate of the M-user, which is SAP Passport CA G2 validity, expires on 14th May 2024.
There is no change on the root and leaf certificates, if you’ve done certificate pinning in any of your integrations/environments using the subject then there is no change or impact as it will work as usual, but the intermediate certificate of that chain is being renewed. Hence, it is mandatory to add the new certificate (SAP Passport CA G2) to your trust list so that your integrations will not break.
Download the new certificate from the KBA #3402581
There will be no impact on your existing M-user certificate, you can still use it till the expiry, but you need to add the new certificate (SAP Passport CA G2) to your server integration trust list, whereas from the C4C side, the trust store is already added with the new certificate.
If your productive tenant is routed through Load Balancer and not Akamai, you need to consider updating the Intermediate certificate into CPI Key Store.
The SAP Passport CA G2 is already renewed, so you can create a new C4C keypair from the Communication Arrangement and update your CPI.
Passport CA G2 Validity Extension: this renewal is planned in April end. Customer communications have been broadcasted by our Operation Team. Customer needs to update their integration systems and business communications arrangements.
You can refer to the following KBA article: Invalid Certificate Chain Error When Uploading C4C Certificate into CPI Key Store (https://itsm.services.sap/kb_view.do?sysparm_article=KB0759480)
Yes, you need to update it before May 14th
That said: We can leave everything as it is, and our communication will not break after the 14th of May. Even if the chain of the M-Cert is not valid anymore, cause the BTP does not care?
You do not need to change the current Service Key since the child M-user certificate remains the same.
The only action required refers to removing from your CPI Trust list the SAP Passport CA G2 (with the validity to May 14th ) and replaced by the new SAP Passport CA G2 which contains the extended validity date.
The M-user is signed by SAP Passport CA G2, however it remains the same. The M-User certificate is updated via SAP Background job which runs 60 days before its expiration.
It will automatically renew the certificate and triggers the notifications with the subject 'Tenant Certificate has been renewed'.
Please refer to the blog: https://community.sap.com/t5/crm-and-cx-blogs-by-sap/all-about-tenant-certificate-renewal-in-sap-clo...
Domain Certificate *crm.ondemand.com
Renewal of C4C Domain or Tenant certificate common questions:
Domain Certificate (*.crm.ondemand.com) validity is expiring on 30th April 2024. If you have used this certificate anywhere in your integrations previously, then you may need to update the attached one from the KBA #3119755. Also, since the chain of the certificate is also being changed, so you need to update entire chains in your trust store.
Below are the details of the attachment from KBA #3119755.
Note: This change is not applicable if your tenant is Akamai enabled, (To check if your tenant is Akamai ION/IPA enabled or not, Please refer the KBA #3119733 under the Resolution section).
It will be renewed on the announced date as per the communication email and this will done by SAP, If you are using this certificate in your integrations, then you may need to download and update it accordingly.
Yes, you can upload and add the new certificate in your trust stores before, but that would be effective from the date we renew it at the backend, so it is good to do it before but still, you can do it after the above dates. In-case you are Akamai-enabled customer, then you don't need to do anything.
You can download the new certificate attached in the following KBA which I created to elucidate the procedure as well as the date details: https://launchpad.support.sap.com/#/notes/3119755
Please note: this change does not affect customers using AKAMAI
This certificate *.crm.ondemand.com Domain Certificate Renewal at Origin end' says Change will be executed from April 12th 18:00 hrs UTC to April 13th, 2024, 11:00 hrs. UTC for Test Systems.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
24 | |
20 | |
20 | |
19 | |
14 | |
12 | |
9 | |
8 | |
7 | |
7 |