2231401 - Updated SSL Certificate Installation and Renewal process - Recruiting Marketing

• Recruiting Marketing Certificate new installation or renewal Process
• Why should I renew my RMK career site certificate?
• What process I should follow to start the renewal process?

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

SAP SuccessFactors Recruiting Marketing (RMK)

1. Access the career site.
2. The browser will indicate that the connection is not secure.

If the SSL certificate expires, users/candidates accessing the career page will receive a warning message informing them that the connection is not secure. The following image shows an example:

Please note that this does not mean the career site is down and is not a showstopper. Site visitors can choose between "Click here to close this webpage" or "Continue to this website (not recommended)". However, it's recommended to have the SSL Certificate renewed so that site visitors are not impacted.

[NEW] Self-Service Tool for SSL Certificate installations and renewals (Since November 19th 2021)

Since the deployment of 2H 2021 Release, customers can install and renew their SSL certificates via Career Site Builder (CSB) using the self-service function. Product Support is no longer involved in the process. The new function named SSL Certificates is available under the Tools tab in CSB, and the same can be permissioned if the customer is using RBP inside CSB. Note that the SSL Certificates tab is only available in RMK Production environments.

1. Prerequisites

• Manage Career Site Builder from Admin Center for the users responsible for certificate renewals.
• If RBP is enabled in CSB > Tools, the user should have the permission to access SSL Certificates tab.
  
  

Important note : Customers with custom sites (CSB disabled in CMD) should still self-serve with their SSL renewals. The SSL Certificates feature is one of the options they have access to under the Career Site Admin Settings. They need to permission CSB as normal (Manage Recruiting > Manage Career Site Builder), and these users will see the Tools section and the SSL Certificates.
This is documented in the Guide under Career Site Admin Settings in Career Site Builder.
Note: CSB will need to be enabled in Provisioning before permissions can be assigned. This can be done by an implementation partner or by Support. See KBA 2794889 - Change Requests for Recruiting Marketing Sites Delivered by Product Support - Recruiting Marketing.

For more information about the new feature feature refer to:

• How to use the self-service tool to renew your SSL certificate refer to Choosing Your SSL Certificate Renewal Process section of the Recruiting guide;
• Recruiting Self-Service Support for Career Site SSL Certificates – 2H 2021 Release – Innovation Alert post on our Customer Community.

2. Limitations

• You can have multiple certificates installed and in use for different domains. However, RMK supports only two URLs configured in CSB > Settings > Site Configuration > Site Information tab. They are:
• Site URL
• Use Redirect
• The SSL Certificates tool in CSB doesn't allow you to upload more than one intermediate certificate. If you have more than one intermediate certificate file to upload, you will need to combine them in one single file to be uploaded (see 3111993 - How to Upload Two Intermediate Certificates in CSB - Recruiting Marketing). If you only upload one of the intermediate certificates, this could result in the installation being stuck in Installation Requested status.
• You may receive the error: You can only have two certificates installed for a domain. To install a new one, uninstall one of the two that's already installed this can occur if you are adding a 3rd cert. Ensure that you check if the cert being replaced has been uninstalled and not set to "not in use". 

3. New implementations (Instructions for Implementation Partners)

The below steps are applicable for new customers and implementations and is a one time activity only:

• When either the CSR is requested (option1) or an SSL is installed (option2) under the SSL Certificates tab in CSB for an initial installation, in the background a request gets triggered to add a DNS entry for your RMK career site. This domain is the SAP domain (jobs2web URL) and not the customer's domain. This DNS entry will be created within one business day. The URL will have the format <SiteId>.jobs2web.com (e.g., 111111.jobs2web.com).
• Implementation partners will have one final mandatory step to get their customer to add a CNAME entry so their domain points to <SiteId>.jobs2web.com to make the career site accessible over the Internet.

SiteId refers to Site ID number available in Career Site Builder > Settings > Site Configuration > Site Information tab as follows:

4. FAQs about Intermediate Certificate and File Formats

• What format do I need to use when I upload my certificate to RMK?

We request the certificates in PEM format, starting with: “-----BEGIN CERTIFICATE-----”.

• What kind of file extension is supported by RMK?

.pem .cer and .crt for upload.

• I have my certificate in p7b format. How do I convert to PEM format?

You can use openssl tool to convert the file (reach out to your IT department or a consultant to help you to convert a file).

• Example of command: openssl pkcs7 -inform der -in mycertificate.p7b -out mycertificate.crt
• where mycertificate.p7b is the certificate in p7b format and mycertificate.crt is the output file in PEM format.
  
  
• How can I download the intermediate certificate of my Certificate Authority (CA)? 

An intermediate certificate can be downloaded from the following places:

• From the certificate provider site
• From the public Internet:
• In case you only have the certificate, you can use any public site to download (e.g. https://whatsmychaincert.com). 
  ATTENTION: NEVER UPLOAD YOUR PRIVATE KEY TO ANY TICKETING TOOL OR WEBSITE. THIS COULD COMPROMISE YOUR PRIVATE KEY AND MAKE YOUR WEBSITE UNSECURE.
• From the SSL certificate:
• Please see KBA 3299713 - How to extract the Intermediate Certificate (.cer) from the SSL certificate

• I have my certificate in pfx format. How do I convert to PEM format? You can use the openssl tool to convert the file (reach out to your IT department or a consultant to help you to convert a file).
  
  
• Example of commands to accomplish that:
• Certificate: openssl pkcs12 -in filename.pfx -password pass:enterpassword -clcerts -nokeys | openssl x509 -out sslcertificate.crt
• Private Key: openssl pkcs12 -in filename.pfx -password pass:enterpassword -nocerts -nodes | openssl pkcs8 -nocrypt -out privatekey.pem

• 2563741 - Unable to Access the Production RMK Career Site - Recruiting
• 3046081 - SSL Certificate Renewal Reminders for Career Sites - Recruiting Marketing
• 2565122 - Frequent Questions on SSL Certificates for RMK Production Career Sites - Recruiting Marketing
• 3109381 - Overview About SSL Certificates tab in CSB - Recruiting Marketing

RMK, Renewing Certificate, Expired Certificate, CSR, SSL, Self Service Tool, CSB, RMK-25127, Intermedaite Certificate , KBA , LOD-SF-RMK-CER , Certificate Renewal, IP Address, Domain , LOD-SF-RMK-CSB , Career Site Builder , How To