2565122 - FAQ on SSL Certificates for RMK Career Sites

Most common questions on SSL certificates for RMK sites.

SAP SuccessFactors Recruiting Marketing

IMPORTANT NOTE: Since November 19th 2021 customers have to use the SSL Certificate tab in Career Site Builder to renew their SSL Certificates. As a result, Product Support will no longer be part of the certificate installation and renewal process.

1. Is the portal where the certificate will be used in IIS (Internet Information Services)? No. The certificate will be used in Apache ( Recommended - Apache - ModSSL )
2. Will the certificate be installed in a single server or multiple servers? The certificate will be installed on haproxy, which has the list of all Apache servers mapped to it.
3. What certificate type should be provided A certificate bundle (i.e root and intermediate certs as well).
4. What certificate formats are accepted : .pem .cer and .crt
   
5. How to create an SSL certificate for the application server? For a production server, obtain an SSL certificate signed by a known CA (Certificate Authority), such as Digicert, GlobalSign or GeoTrust. Self issued certificates are not supported.
6. How is the DNS record on the SAP side determined? The DNS i.e. <Site ID>.jobs2web.com configured by RMK Operations team at the time of DNS record addition and is kept standard to identify customer names quickly.
7. Will a new cert be required if changes are made to the RMK config (domain change, DCchange)? Yes, a new SSL certificate will need to be issued and installed.
8. Will a new cert be required if changes are made to the connected Bizx instance? No, the SSL certificate is only linked to the RMK instance.
9. Which port is being used for site access? The customer's RMK Career site will use 443 (HTTPS) port to come to our environment.
10. On which application is the certificate hosted? During SSL setup for the customer, we create dedicate VIP over the LB(LoadBalancer) for the customer's RMK URL and we will install the certificate on it.
11. Is OCSP Stapling supported? OCSP Stapling cannot be supported within our Cloud Landscapes at the moment. Our advice is to acquire a SSL Certificate with included SCT information.
12. Should anything be done about the *.stage.jobs2web.com Certificate Renewal? No, no action is required for stage/test environments. SSL certificates for all stage servers are managed by SAP.
13. How to identify the SSL Certificate file? You can open the file and check the "Issued to" field. If this is issued to your common name, e.g. jobs.<company>.com, then this is the file that you should upload to the "SSL Certificate" field in Career Site Builder. 
14. How to identify the Intermediate Certificate file? You can open the file and check if you see that "Issued to" and "Issued by" have the same value. If, yes, this is the Intermediate Certificate.
15. Can SSLs with 4096 bit keys be uploaded and installed via the SSL tool? Yes. Such SSLs can be procured, uploaded and installed. What is more, the CSB CSR generation tool supports 4096 bit keys with release 1H2025.
16. Can customers use an A record and IP address instead of a CNAME record in their DNS configuration ? Yes, but we strongly do not recommend doing this. IP address are not static, and your career site will become inaccessible if the IP changes.
17. Can Customers forego installing or stop renewing their SSL certificate for their productive site? The only way customers can do this is if they use the new feature with 1H2025 release : Standard site URLs for Career Sites as SSLs for these are handled by SAP.

2231401 - Updated SSL Certificate Renewal process - Recruiting Marketing

2563741 - Unable to Access the Production RMK Career Site - Recruiting

SSL certificate, IIS, single server, FAQ, OCSP, CSB, RMK, IP address , KBA , LOD-SF-RMK-CER , Certificate Renewal, IP Address, Domain , How To