/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PublicSymptom
- You have received an email notification from SAP regarding " DigiCert G2 root and intermediate certificate change", for SAP SuccessFactors
- This KBA will serve as an FAQ for this topic.
Environment
SAP SuccessFactors HCM Suite
Resolution
1. Who is the target for this email?
A: If you have systems in which you manage the trusted certificates yourself, check if the Digicert G1 certificate exists in it. If it exists and the usage is related to SAP SuccessFactors, please go through the details below.
2. Why is this change happening?
A: Based on the recent announcement from our certificate authority (DigiCert - https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023 ), the issuer of our SSL certificates is to be updated to the new ones starting April 2024. The new certificate will contain new root and intermediate certificates.
3. What is the date of this change?
A: This change will be effective starting April 1st 2024.
4. What's the impact if we don't take actions?
A: Change of the root and intermediate certificates can lead to SSL certificate-based errors If the required actions mentioned below are not taken before the 31st of March 2024.
5. What certificate is going to be changed?
A: Switching to the G2 root and ICA certificates does not affect your existing certificates.
However, newly issued certificates including renewals of existing certificates from April 1st, 2024, will chain to the G2 root hierarchy.
6. When do we need to take actions?
A: Any time before March 31st 2024.
7. What actions do we to need to take?
A: If you have systems in which you manage the trusted certificates yourself, check if the Digicert G1 certificate exists in it. If it exists and the usage is related to SAP SuccessFactors, please add the new G2 certificate to it. Do not yet remove the G1 certificate as both are needed for the transition period.
- To download the G2 certificate:
Go to https://www.digicert.com/kb/digicert-root-certificates.htm - In the list of certificates, search for DigiCert Global Root G2.
- Download the appropriate format for your trust store.
- Verify the fingerprint of the downloaded certificate matches what is given on the website (for openssl, use this command: openssl x509 -noout -text -in ./DigiCertGlobalRootG2.crt.pem -fingerprint).
- Follow the instructions of your trust store to add the CA certificate to it.
8. Can old certificate “DigiCert Global Root CA” and new certificate “DigiCert Global Root G2” co-exists in my systems?
A: Yes, these certificates can co-exists in your systems. Please don't delete the old certificate before the expiry date.
9. Does this impact SuccessFactors Single Sign ON(SSO) certificates?
A: No, this change is not related to and does not impact SuccessFactors SSO.
Call for Action:
If you have systems in which you manage the trusted certificates yourself, please check if the DigiCert G1 certificate exists in it. If it does and the usage is related to SAP SuccessFactors, you must add the new G2 certificate to it in order to ensure a seamless transition. Do not yet remove the G1 certificate as both are needed for the transition period.
We advise you to contact your IT department to perform this check & required action, if needed.
See Also
Keywords
SuccessFactors,Digicert,G1,G2 , KBA , LOD-SF-PLT , Platform Foundational Capabilities , Product Enhancement
/support/notes/service/facebook.svg)
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)