Technology Blogs by SAP
tales_caron1
Advisor

SAP Passport CA G2

Common questions about the renewal of the SAP Passport CA G2 certificate:

  1. What is expiring on 14th May 2024 and what will be impacted?

The intermediate certificate in the M-user certificate chain, SAP Passport CA G2, expires on 14th May 2024.

There is no change to the root and leaf certificates. If you have done certificate pinning in any of your integrations/environments using the subject, there is no change or impact and it will work as usual. However, the intermediate certificate of that chain is being renewed, so it is mandatory to add the new certificate (SAP Passport CA G2) to your trust list so that your integrations do not break.

Download the new certificate from KBA #3402581.

 

  1. Our M-user certificate is valid beyond the expiry date of the intermediate certificate (SAP Passport CA G2). Will this have any impact on our integration?

There will be no impact on your existing M-user certificate; you can still use it until it expires. However, you need to add the new certificate (SAP Passport CA G2) to the trust list of your integration server. On the C4C side, the new certificate has already been added to the trust store.

 

  1. We have no direct connection. All our connections are routed through CPI. Do we need to update the certificates in Production in this case?

If your productive tenant is routed through a load balancer and not Akamai, you need to update the intermediate certificate in the CPI Key Store.

The SAP Passport CA G2 certificate has already been renewed, so you can create a new C4C key pair from the Communication Arrangement and update your CPI.

 

  1. We have two attached emails for certificate updates, and we are confused about the updates required and their sequencing. In the past we also faced several issues with certificates, which resulted in business disruptions. We would like to get the following information:

 

  •  Which certificates are to be updated? Do we have to download from both notes?

Passport CA G2 Validity Extension: this renewal is planned for the end of April. Customer communications have been broadcast by our Operation Team. Customers need to update their integration systems and business communication arrangements.

You can refer to the following KBA article: Invalid Certificate Chain Error When Uploading C4C Certificate into CPI Key Store (https://itsm.services.sap/kb_view.do?sysparm_article=KB0759480)

 

  •  Do we have to update both C4C and CPI?

Yes, you need to update it before May 14th.

 

  1. We created a service key inside the BTP Integration Suite so that the C4C can log in with the M-Certificate. There is no option to add some certificates to a trust list.

That said: We can leave everything as it is, and our communication will not break after the 14th of May, even if the chain of the M-Cert is not valid anymore, because the BTP does not care?

You do not need to change the current Service Key, since the child M-user certificate remains the same.

The only action required is to remove the SAP Passport CA G2 certificate (valid until May 14th) from your CPI trust list and replace it with the new SAP Passport CA G2 certificate, which has the extended validity date.
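Why the unchanged M-user leaf keeps validating once the renewed intermediate replaces the old one in a trust list (this answer and the first one above), as an added example that is not from the original post or from SAP. It assumes the renewal re-signs the same CA key and subject with a longer validity, and it uses locally generated stand-in certificates with hypothetical names (`Demo Root`, `Demo Passport CA`, `Demo M-user`):

```shell
#!/bin/sh
# Added illustration: every key, name and certificate is generated locally
# (constructed, not SAP's). Assumes OpenSSL 1.1.1 or later on PATH.
build_demo_pki() {  # $1 = empty working directory
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
    'CN = unused' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
    > "$d/ca.cnf"
  new_key() { openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
  issue() { openssl x509 -req "$@" 2>/dev/null; }
  new_key -x509 -extensions v3_ca -subj '/CN=Demo Root' -days 3650 \
    -keyout "$d/root.key" -out "$d/root.pem" &&
  new_key -new -subj '/CN=Demo Passport CA' -keyout "$d/int.key" -out "$d/int.csr" &&
  new_key -new -subj '/CN=Demo M-user' -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
  # One CSR (same key, same subject) signed twice: 1-day "old", 10-year "renewed".
  issue -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 1 -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int_old.pem" &&
  issue -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 3 \
    -days 3650 -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int_new.pem" &&
  # The leaf is issued under the old intermediate and is never re-issued.
  issue -in "$d/leaf.csr" -CA "$d/int_old.pem" -CAkey "$d/int.key" -set_serial 4 \
    -days 30 -out "$d/leaf.pem"
}

chain_ok_at() {  # $1 = trust bundle (PEM), $2 = leaf, $3 = epoch seconds
  openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}
same_field() {  # $1 = x509 print option, $2 and $3 = certificates to compare
  [ "$(openssl x509 -noout "$1" -in "$2")" = "$(openssl x509 -noout "$1" -in "$3")" ]
}

run_demo() {
  d=$(mktemp -d) && build_demo_pki "$d" || return 2
  cat "$d/root.pem" "$d/int_old.pem" > "$d/trust_old.pem"
  cat "$d/root.pem" "$d/int_new.pem" > "$d/trust_new.pem"
  now=$(date +%s); later=$((now + 2 * 86400))  # after the old intermediate expires
  chain_ok_at "$d/trust_old.pem" "$d/leaf.pem" "$now" && a=ok || a=FAIL
  chain_ok_at "$d/trust_old.pem" "$d/leaf.pem" "$later" && b=ok || b=FAIL
  chain_ok_at "$d/trust_new.pem" "$d/leaf.pem" "$later" && c=ok || c=FAIL
  same_field -subject "$d/int_old.pem" "$d/int_new.pem" && s=same || s=differs
  same_field -fingerprint "$d/int_old.pem" "$d/int_new.pem" && f=same || f=differs
  rm -rf "$d"
  echo "old-store/now=$a old-store/later=$b new-store/later=$c subject=$s fingerprint=$f"
}
run_demo
```

The last two fields show why a pin on the intermediate's subject survives the renewal, while anything keyed to the intermediate's fingerprint needs the new value.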

 

  1. Do I need to be concerned about the M-User (Mandate)/Tenant certificate due to this renewal as well?

The M-user certificate is signed by SAP Passport CA G2; however, it remains the same. The M-user certificate is updated via an SAP background job, which runs 60 days before its expiration.

The job automatically renews the certificate and triggers a notification with the subject 'Tenant Certificate has been renewed'.

Please refer to the blog: https://community.sap.com/t5/crm-and-cx-blogs-by-sap/all-about-tenant-certificate-renewal-in-sap-clo...

 

Domain Certificate *.crm.ondemand.com

Common questions about the renewal of the C4C Domain or Tenant certificate:

  1. What is expiring on 30th April 2024 and what will be impacted due to this?

The validity of the Domain Certificate (*.crm.ondemand.com) expires on 30th April 2024. If you have previously used this certificate anywhere in your integrations, you may need to update it with the one attached to KBA #3119755. Since the chain of the certificate is also being changed, you need to update the entire chain in your trust store.

Below are the details of the attachment from KBA #3119755.

  • Root Certificate: “TrustedRoot.crt” → Subject/CN = “DigiCert Global Root G2”
  • Intermediate Certificate: “DigiCertCA.crt” → Subject/CN = “DigiCert Global G2 TLS RSA SHA256 2020 CA1”
  • Leaf/Domain Certificate: “star_crm_ondemand_com.crt” → Subject/CN = “*.crm.ondemand.com”

Note: This change is not applicable if your tenant is Akamai enabled. (To check whether your tenant is Akamai ION/IPA enabled, please refer to the Resolution section of KBA #3119733.)

 

  1. Domain certificates, as per the communication, will expire on April 30th and the change will be executed between April 26th and April 28th for prod. So when do we have to update the certificates from our side?

The certificate will be renewed on the announced date as per the communication email, and this will be done by SAP. If you are using this certificate in your integrations, you may need to download and update it accordingly.

  • Does that mean we have to upload before this date?

Yes, you can upload and add the new certificate to your trust stores beforehand, but it only becomes effective from the date we renew it at the backend. It is good to do it before, but you can still do it after the above dates. If you are an Akamai-enabled customer, you do not need to do anything.

You can download the new certificate attached in the following KBA which I created to elucidate the procedure as well as the date details: https://launchpad.support.sap.com/#/notes/3119755

Please note: this change does not affect customers using Akamai.

 

  1. Shall we update before 26th April, between 26th and 28th, or between 28th to 30th April?

The communication for this certificate, '*.crm.ondemand.com Domain Certificate Renewal at Origin end', says the change will be executed from April 12th 18:00 hrs UTC to April 13th, 2024, 11:00 hrs UTC for Test Systems.

 

2 Comments
Saurabh_Kabra
Participant

Hi @tales_caron1,

Can you please check the permissions for the link https://itsm.services.sap/kb_view.do?sysparm_article=KB0759480? It throws an error.

 

Best

Saurabh

tales_caron1
Advisor

Hello Saurabh, 

It is released.
Maybe you can please try this one instead: https://me.sap.com/notes/3402581/E

Alternatively, you can also search by its title "Invalid Certificate Chain Error When Uploading C4C Certificate Into CPI Key Store" in SAP for Me.
Best
Tales