SAP Knowledge Base Article - Public

3119755 - Domain certificate renewal for SAP Cloud for Customer URLs (*.crm.ondemand.com)

Symptom

Background 

The existing server certificate for domain “*.crm.ondemand.com” is being renewed at Origin as it will get expire on 29th January 2026. 

Timelines 

Change will be executed from January 17th 18:00 hrs UTC to January 18th 2026 11:00 hrs UTC for Test Systems. 

Change will be executed from January 24th 19:00 hrs UTC to January 25th 2026 06:00 hrs UTC for Production Systems. 

Impact 

If you have third-party integrations like web services/APIs in your SAP Cloud for Customer (C4C) tenant, you may be required to update the domain certificate. These updates should be conducted by your internal IT resources, with the new certificate information that could be found below. 

Impact on your tenant depends on the CDN configuration. For more details refer to the FAQs section. 

Download New Certificate (*.crm.ondemand.com) from the Attachment section. 

Environment

SAP Cloud for Customer

Resolution

Action Required 

If you have third party integrations like web services/APIs and CPI in your test/production environment, you may be required to add the new certificate chain in the required trust stores. 

NOTE: 

  • Issuer certificates (Root and Intermediate) of “*.crm.ondemand.com” remains unchanged.  

  • This change does not affect customers using AKAMAI (Check the KBA under references to identify if your tenant is AKAMAI ION/IPA enabled or not)  

FAQ's 

What changes or adoption are required from the customer side? 

If you have third-party integrations like web services/APIs and CPI in your test/production environment, you may be required to add the new certificate chain in the required trust stores. 

What are these certificates used for? 

These certificates are used for the SSL/TLS handshake that any system using the 'secure' protocol does before allowing connection to/from the system. In our case, SAP Cloud for Customer uses the 'secure' HTTPS protocol and hence the SSL handshake is must for any system to connect to these URLs. 

Are the new certificates known to modern web browsers? 

DigiCert Root Certificates are automatically recognized by all common web browsers, mobile devices, and mail clients. Therefore, no change is required for browsers. The same is true if one relies on the standard sapjvm trust list. 

The CA root certificate is included in: 

  • SAP JVM patch level 8.1.035 or 7.1.054 

  • Cloud Foundry buildpack SAP-Java (sap_java_buildpack) version 1.6.15 

How do I download or install the certificate? 

You must have admin access to the server where you need to install the certificate. If you do not have access to your company's SSL server, notify your IT team and provide them the respective certificate download link from the above table. 

How do Import Single Certificate in SAP CPI Key Store? 

Follow the steps mentioned in the  link. 

How to check the certificate in my browser trust list? 

Google Chrome: 

data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAACEAAAAhCAYAAABX5MJvAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGdata:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAACEAAAAhCAYAAABX5MJvAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAZSURBVFhH7cEBAQAAAICQ/q/uCAIAAACgBhElAAGcWoyeAAAAAElFTkSuQmCC in chrome browser and search for security in the search box and click on it. 

 

  • Go to manage certificates tab and click on it to see the certificates window popup 

    •  

    • And check in “Trusted root certification Authorities” list and you should find “DigiCert Global Root data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAACEAAAAhCAYAAABX5MJvAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAZSURBVFhH7cEBAQAAAICQ/q/uCAIAAACgBhElAAGcWoyeAAAAAElFTkSuQmCCspan> 

    • Similarly check in “Intermediate Certification Authorities” list and you should find “DigiCert Global G3 TLS ECC SHA384 2020 CA1". 

     

    Microsoft Edge: 

    • Open Microsoft Edge. 

    • Open settings in Microsoft Edge and search for security in the search box and click on it. 

    • Click on Manage Certificates 

    • And check in “Trusted root certification Authorities” list and you should find “DigiCert Global Root G3". 

     

     

     

     

    • Similarly check in “Intermediate Certification Authorities” list and you should find “DigiCert Global G3 TLS ECC SHA384 2020 CA1" 

    Image3.png 

    • If the certificate is not present, please proceed with steps mentioned under: “How to import certificate into my browser?” 

    How to import the certificate into my browser? 

    • Open Google Chrome or Microsoft Edge. 

    • Open settings and search for security in the search box and click on it. 

    • Click on Manage Device Certificates / Manage Certificates 

    • Go to tab “Trusted root certification Authorities” list and Import attached Digi Certificates using "Import" button at bottom. 

    • Go to tab “Intermediate certification Authorities” list and Import attached Digi Certificates using "Import" button at bottom. 

    • Ensure that “DigiCert Root and Intermediate" is added in the list. 

    I notice a discrepancy in the validity start date and end date mentioned in this knowledge article table and my downloaded certificate. What does this indicate? 

    Sometimes, due to time zone difference, you may see a different date in the downloaded certificate. There is no impact on the certificate update activity due to this. You will be renewing the certificate well in advance, before the certificate expiry date. 

    Attachments:  

    See Also

    For customer using SAP NetWeaver Process Integration (SAP PI):

    In case you are still running the old version of Netwwaver which is below 7.5 (e.g. 7.4) which does not offer support for the new EC algorithm (old cipher suites will be discontinued), you must either upgrade your PI NW version to 7.5 or install a non-central Adapter Engine at the 7.50 release and latest SPS which comes with the support for EC ciphersuites.

    The procedure is described in the KBA: 3218132 - Workaround for new PI/PO Adapter features not available in older SP's or Releases

    The new origin certificate now has a ECDSA signature algorithm:

    Issuer: DigiCert Global Root G3
    Signature algorithm:  SHA384withECDSA

    Keywords

    domain certificate renewal 2021 , KBA , LOD-CRM-SEC , Security Topics , LOD-CRM-INT-S4H , Integration of C4C with S/4 HANA , How To

    Product

    SAP Cloud for Customer core applications all versions

    Attachments

    Pasted image.png
    Pasted image.png
    Pasted image.png
    Pasted image.png
    Pasted image.png
    Pasted image.png
    star_crm_ondemand_com_2026.zip