Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
Former Member
1,561
Please note that the Certificate Authority for *.ap1.hana.ondemand.com and all subdomains like int,svc,cert,static, connectivitynotification, connectivitytunnel will be changed. Other domains will follow during the next 2 years.

The Root CA will be updated on March 31, 2017.

The issuer (root CA/first intermediate CA) of SAP CP certificates for all external servers will be changed from Baltimore/Verizon to VeriSign/Symantec. Existing valid certificates will not be effected.

Due to this change, as of now till March 31 you have to update your dev tools to some of the latest versions, which are compatible with the new Certificate Authority server certificates.

You can find the new Root CA public key links below:

VerySign rootCA:

https://knowledge.symantec.com/support/mpki-support/index?page=content&actp=CROSSLINK&id=SO5624

Symantec intermediate CA:

https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id...

 

If you use certificates for API calls (e.g. REST, OData, SOAP), please ensure that the new root CA certificate is included in all participating trust stores:

  • If you expose an API and have an own customer communication channel, inform all consumers (especially customers using onPremise clients) that they need to add the certificates to their trust store
    (HCP Core services operated by HCP ops will be informed centrally)

  • If you consume an API, please ensure that you add the certificates in your trust store

  • If you use a server certificate validation during client certificate authentication against HCP applications, please switch to new VeriSign CA


All current browsers have the Symantec CA included in their trust lists, so for browser scenarios there’s nothing to do. The same is true if you rely on the standard sapjvm trust list.

Impact:

If VeriSign (and Symantec if intermediate is required) is not added to the related trust store, remote API calls will fail with authentication error. This can break running productive scenarios.

 

Thank you for showing understanding and co-operation!