Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Renewal of CN=*.cockpit.btp.cloud.sap

hugomiguelmartins
Explorer

on ‎2025 Apr 07 3:25 PM

0 Likes
901

Hello! I would like to clarify a certificate change related to SAP BTP (CN=*.cockpit.btp.cloud.sap vs CN=emea.cockpit.btp.cloud.sap) and check if it affects trust settings in our subaccount. Is it possible to get guidance without opening a support incident?

We are currently using the certificate with the following subject:

CN=*.cockpit.btp.cloud.sap, O=SAP SE, L=Walldorf, SP=Baden-Württemberg.

We have identified a new certificate with the subject:

CN=emea.cockpit.btp.cloud.sap

Could you please confirm the following:

  1. Can the new certificate (CN=emea.cockpit.btp.cloud.sap) be used as a replacement for the existing wildcard certificate (*.cockpit.btp.cloud.sap)?
  2. Will this certificate change affect current SSL communication or truststore configurations in SAP BTP or SAP Integration Suite?
  3. Is there any action required on our side to ensure the trust relationship remains valid (e.g. importing new root/intermediate certificates)?
  4. Is this change part of a planned update from SAP (e.g. change in Certificate Authority or regional separation)?
  5. Currently this certificate does not exist in STUST QAS - only in DEV and PRD. I wonder if it is also necessary to include it in QAS in the SSL Client (Anonymous)?

Thank you in advance for your support.

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (0)

Answers (1)

Answers (1)

abiskop
Product and Topic Expert
Product and Topic Expert
‎2025 Apr 08 8:29 AM

Hi @hugomiguelmartins,

thanks for reaching out. Let me try to shed some light on this.

Both https://cockpit.btp.cloud.sap/ and https://emea.cockpit.btp.cloud.sap/ currently present the same certificate (which is valid for both of those domains, see CN and Subject Alternative names of the certificate):

...

Subject: C=DE, ST=Baden-Württemberg, L=Walldorf, O=SAP SE, CN=emea.cockpit.btp.cloud.sap

...

  X509v3 Subject Alternative Name: 
    DNS:emea.cockpit.btp.cloud.sap, DNS:cockpit.btp.cloud.sap

...

And yes, we recently changed this certificate from a wildcard certificate (for *.cockpit.btp.cloud.sap) to one that explicitly specifies the two mentioned domains. That being said: this is only the SSL certificate used by BTP Cockpit. It does not affect any other applications.

Will this certificate change affect current SSL communication or truststore configurations in SAP BTP or SAP Integration Suite?

As mentioned, this is only the SSL certificate for BTP Cockpit. No impact on SAP Integration Suite.

Is there any action required on our side to ensure the trust relationship remains valid (e.g. importing new root/intermediate certificates)?
Is this change part of a planned update from SAP (e.g. change in Certificate Authority or regional separation)?

The recent certificate change for BTP Cockpit is not directly related to any such activities. However, coincidentally, a change in the root authority will take place mid of this year. This has been announced here: https://me.sap.com/notes/3566727 
The BTP Cockpit certificate(s) will get rotated eventually, and get replaced with certificates issued by the DigiCert G5 root CA mentioned in the SAP Note.

Currently this certificate does not exist in STUST QAS - only in DEV and PRD. I wonder if it is also necessary to include it in QAS in the SSL Client (Anonymous)?

I am not familiar with these terms and cannot give an answer here unfortunately.

Hope this helps!

Show replies
Show replies
hugomiguelmartins
Explorer
‎2025 Apr 08 10:52 AM
0 Likes
@abiskop, many thanks
Ask a Question