Symptom
SAP SuccessFactors Recruiting Marketing SSL Certificate new installation or renewal Process
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
SAP SuccessFactors Recruiting Marketing
Cause
SSL installation is an important part of the RMK implementation process. Without it the site will not be accessible online.
SSLs are valid for a maximum of 397 days so require renewing in a timely manner to prevent browser errors when accessing the site.
Resolution
[NEW] Self-Service Tool for SSL Certificate installations and renewals (Since November 19th 2021)
Since the deployment of 2H 2021 Release, customers can install and renew their SSL certificates via Career Site Builder (CSB) using the self-service function. Product Support and Operations are no longer involved in the process. The new function named SSL Certificates is available under the Tools tab in CSB, and the same can be permissioned if the customer is using RBP inside CSB. Note that the SSL Certificates tab is only available in RMK Production environments as preview sites are fully managed by SAP and do not require SSLs to be installed.
For more information about the SSL self service tool refer to:
- How to use the self-service tool to renew your SSL certificate Choosing Your SSL Certificate Renewal Process
- Recruiting Self-Service Support for Career Site SSL Certificates – 2H 2021 Release – Innovation Alert post on our Customer Community.
ATTENTION: NEVER UPLOAD YOUR PRIVATE KEY TO ANY TICKETING TOOL OR WEBSITE. THIS COULD COMPROMISE YOUR PRIVATE KEY AND MAKE YOUR WEBSITE UNSECURE.
1. Prerequisites
- Manage Career Site Builder access from Admin Center for the users responsible for certificate renewals.
- If RBP is enabled in CSB > Tools, the user should have the permission to access SSL Certificates tab.
Important note : Customers with custom sites (CSB disabled in CMD) should still self-serve with their SSL renewals. The SSL Certificates feature is one of the options they have access to under the Career Site Admin Settings. They need to permission CSB as normal (Manage Recruiting > Manage Career Site Builder), and these users will see the Tools section and the SSL Certificates.
This is documented in the Guide under Career Site Admin Settings in Career Site Builder.
Note: CSB will need to be enabled in Provisioning before permissions can be assigned. This can be done by an implementation partner or by Support. See KBA 2794889 - Change Requests for Recruiting Marketing Sites Delivered by Product Support - Recruiting Marketing.
2. Limitations of the self service tool
- Multiple certificates
You can have up to 2 certificates installed and in use per domain.
RMK supports only two URLs configured in CSB > Settings > Site Configuration > Site Information tab. They are: - Site URL
- Use Redirect
You may receive the error: "You can only have two certificates installed for a domain. To install a new one, uninstall one of the two that's already installed." This can occur if you are attempting to add a 3rd cert but also if you still have an old cert still installed though not in use. Ensure that you check if the cert being replaced has been uninstalled and is not set to "Installed" and "not in use".
If this case, please click uninstall on this line before attempting to install the new SSL. - Multiple intermediate certificates
The SSL Certificates tool in CSB doesn't allow you to upload more than one intermediate certificate. If you have more than one intermediate certificate file to upload, you will need to combine them in one single file to be uploaded (see 3111993 - How to Upload Two Intermediate Certificates in CSB - Recruiting Marketing). - CSR generation limitations
The first step in the renewal process is to generate a CSR on which the new SSL will be based.
The buit in CSR generator has limitations. These are documented in KBA 3197486 Limitations of the CSR generation tool in SSL Certificates tool - Recruiting Marketing
If the tool does not cater for your needs please procure the CSR from a third party and use Option 2 to upload the SSL.
3. New implementations (Instructions for Implementation Partners)
The below steps are applicable for new customers and implementations and is a one time activity only:
- When either the CSR is requested (option1) or an SSL is installed (option2) under the SSL Certificates tab in CSB for an initial installation, in the background a request gets triggered to add a DNS entry for your RMK career site on our side. This domain is the SAP domain (jobs2web URL) and not the customer's domain. This DNS entry will be created within one business day. The URL will have the format <SiteId>.jobs2web.com (e.g., 111111.jobs2web.com).
- Implementation partners will have one final mandatory step to get their customer to add a CNAME entry so their domain points to <SiteId>.jobs2web.com to make the career site accessible over the Internet.
SiteId refers to Site ID number available in Career Site Builder > Settings > Site Configuration > Site Information tab as follows:
4. FAQs about Intermediate Certificate and File Formats
-
What format do I need to use when I upload my certificate to RMK?
We request the certificates in PEM format, starting with: “-----BEGIN CERTIFICATE-----”.
-
What kind of file extension is supported by RMK?
.pem .cer and .crt for upload.
- I have my certificate in p7b format. How do I convert to PEM format?
You can use openssl tool to convert the file (reach out to your IT department or a consultant to help you to convert a file).
- Example of command: openssl pkcs7 -inform der -in mycertificate.p7b -out mycertificate.crt
- where mycertificate.p7b is the certificate in p7b format and mycertificate.crt is the output file in PEM format.
- Where to obtain the intermediate certificate ?
- Download from the certificate provider (Certificate Authority) site
- If you only have the certificate, you can use a site such as https://whatsmychaincert.com to generate the correct chain.
- From the SSL certificate you can extract the files. See KBA 3299713 - How to extract the Intermediate Certificate (.cer) from the SSL certificate
- I have my certificate in pfx format. How to convert to PEM format? You can use the openssl tool to convert the file (reach out to your IT department or a consultant to help you to convert a file).
- Example of commands to accomplish this:
- Certificate: openssl pkcs12 -in filename.pfx -password pass:enterpassword -clcerts -nokeys | openssl x509 -out sslcertificate.crt
- Private Key: openssl pkcs12 -in filename.pfx -password pass:enterpassword -nocerts -nodes | openssl pkcs8 -nocrypt -out privatekey.pem
See Also
2563741 - Unable to Access the Production RMK Career Site - Recruiting
3046081 - SSL Certificate Renewal Reminders for Career Sites - Recruiting Marketing
2565122 - Frequent Questions on SSL Certificates for RMK Production Career Sites - Recruiting Marketing
3109381 - Overview About SSL Certificates tab in CSB - Recruiting Marketing
3197486 - Limitations of the CSR generation tool in SSL Certificates tool - Recruiting Marketing
Keywords
RMK, Renewing Certificate, Expired Certificate, CSR, SSL, Self Service Tool, CSB, RMK-25127, Intermedaite Certificate , KBA , LOD-SF-RMK-CER , Certificate Renewal, IP Address, Domain , LOD-SF-RMK-CSB , Career Site Builder , How To