Symptom
A user wants to renew the SAP Passport CA certificate, or has received an email from SAP asking to renew the SAP Passport CA certificate.
This KBA gives additional insight into this renewal.
Environment
SAP Business ByDesign
Resolution
Help Center Documentation
Each SAP Business ByDesign tenant is provisioned with a tenant certificate issued by the SAP Passport CA. The validity period of the tenant certificate is 1 year. For the functioning of the communications relying on the tenant certificate, it's mandatory to upload the valid certificate after renewal every year to the relevant target systems.
You can view the tenant certificate from Application and User Management -> Common Tasks -> Edit Certificate Trust List -> View Tenant Certificate.
You can download the tenant certificate from Application and User Management -> Communication Certificates -> Download Tenant Certificate.
For more details, refer to the documentation Renewal of Tenant Certificate
Blog
For the changes, impacts, required actions and integration details, refer to the blog Renewal of Tenant Certificate.
This blog also has a FAQ which clarifies questions around this topic.
Overview
What is Single Sign-On with SAP Passports?
Refer to the detailed documentation
KBA
3336913 - Tenant Certificate Details in SAP Business ByDesign
3366283 - System throws Error Message 'Certificate already exists'
Email Communication
If you receive an email from SAP to renew the SAP CA certificate, follow the instructions below:
Immediate action required:
In case you have configured direct trust to the current SAP Passport CA G2, the new SAP Passport CA G2 certificate with the extended validity date must be added to your trust list to avoid any disruptions in the integrations.
It is already available for download from here.
In case you have configured certificate mapping to the exact Tenant/M-user certificate of ByD (certificate pinning), you need to map to the renewed Tenant/M-user certificate of the ByD tenant after it is available.
Notes:
A) In case you have configured trust to the SAP Cloud Root CA no action is needed.
B) In case you have configured certificate mapping based on Subject and Issuer string no action is needed.
These changes relate to all ByD customers.
If you did not use this certificate anywhere in your communication arrangements for outbound communication, then no action is required.
Additional Q&A
1. Do we also need to update the communication arrangements with the external systems?
You need to adjust your communication arrangements with the external systems after you receive communication from SAP that the switch has been done on your instance, since the old certificate will be invalid after the renewal. The actions mentioned in the blog need to be taken each time your certificate is renewed.
2. Does ByD evaluate whether a user/CA is set to a specific outbound/inbound process?
Currently, ByD does not have functionality to evaluate whether a user/CA is set to a specific outbound/inbound process; this is not available in the UI. Post your requirement on the SAP Customer Influence site: https://influence.sap.com/sap/ino/#/campaign/886
3. If you use any third-party integration with SAP Passport CA G2:
Download the latest SAP Passport CA G2 certificate from the link given in the communication and replace it on your end.
4. The validity of the Passport CA G2 trust certificate for both Test and Production environments was initially communicated as extended until 30 Dec 2026. Later, additional updates suggested that this validity could be extended to 30 Dec 2027.
Why are there two different expiry dates (30‑Dec‑2026 vs. 30‑Dec‑2027)?
This difference is expected and normal.
- 30‑Dec‑2027 → SAP Passport CA G2 intermediate (issuing) certificate
- 30‑Dec‑2026 → tenant-level (end-entity) certificate
These belong to different layers of the chain:
Root CA → SAP Passport CA G2 (Intermediate CA) → Tenant Certificate
Intermediate CA certificates always outlive the tenant certificates they issue.
So the difference in expiry dates is fully expected and not a system issue.
5. Will both Tenant certificate and SAP Passport CA G2 intermediate certificate renew automatically?
- Tenant certificate:
Yes. It renews automatically via SAP's background job process before expiry, and no customer action is needed.
- SAP Passport CA G2 intermediate certificate:
Managed centrally by SAP, and no tenant-level renewal is required.
6. Does the expiry variance require any action?
No, this variance is normal system behavior.
There are no tenant‑level or application‑level issues, and no immediate renewal is required.
The tenant certificate will auto‑renew before its expiration date.
7. Is any action required from users?
Action is required only if your integrations directly trust (pin) the SAP Passport CA G2 certificate.
If you use certificate pinning:
- Add the new SAP Passport CA G2 certificate (valid until 30‑Dec‑2027) into your trust store.
- Do NOT remove the currently used certificate.
This ensures seamless validation during the transition.
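One way to confirm that a PEM trust list holds both the currently used and the renewed CA certificate during the transition, as an added example that is not part of the SAP article. The certificates are self-signed stand-ins generated locally with openssl (the real SAP Passport CA G2 is an intermediate CA), and the file names and the functions fp, bundle_fps, transition_state, valid_in_days and make_demo are hypothetical.

```shell
#!/bin/sh
# Added example. Every certificate here is a self-signed stand-in generated
# locally (constructed data); none is a real SAP certificate.

# fp <cert.pem>: SHA-256 fingerprint of one PEM certificate
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# bundle_fps <trust.pem>: fingerprint of every certificate in a PEM trust list
bundle_fps() {
  awk -v cmd='openssl x509 -noout -fingerprint -sha256' '
    /-----BEGIN CERTIFICATE-----/ { pem = "" }
    { pem = pem $0 "\n" }
    /-----END CERTIFICATE-----/ { printf "%s", pem | cmd; close(cmd) }
  ' "$1" | cut -d= -f2
}

# transition_state <trust.pem> <current_ca.pem> <renewed_ca.pem>
# prints ok | missing-new | missing-old | missing-both
transition_state() {
  fps=$(bundle_fps "$1"); has_old=no; has_new=no
  echo "$fps" | grep -qxF "$(fp "$2")" && has_old=yes
  echo "$fps" | grep -qxF "$(fp "$3")" && has_new=yes
  case "$has_old/$has_new" in
    yes/yes) echo ok ;;
    yes/no)  echo missing-new ;;
    no/yes)  echo missing-old ;;
    *)       echo missing-both ;;
  esac
}

# valid_in_days <cert.pem> <days>: succeeds if the certificate is still valid then
valid_in_days() { openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null; }

# make_demo <dir>: two stand-in CA certificates with the same subject (365 and
# 730 days) and a trust list that so far holds only the first one
make_demo() {
  for pair in old:365 new:730; do
    openssl req -x509 -newkey rsa:2048 -nodes -days "${pair#*:}" \
      -subj "/CN=Demo issuing CA (constructed)" \
      -keyout "$1/${pair%%:*}.key" -out "$1/${pair%%:*}.pem" 2>/dev/null
  done
  cp "$1/old.pem" "$1/trust.pem"
}

demo=$(mktemp -d)
make_demo "$demo"
echo "before: $(transition_state "$demo/trust.pem" "$demo/old.pem" "$demo/new.pem")"
cat "$demo/new.pem" >> "$demo/trust.pem"   # add the renewed CA, keep the old one
echo "after:  $(transition_state "$demo/trust.pem" "$demo/old.pem" "$demo/new.pem")"
rm -rf "$demo"
```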
Keywords
Renewal of SAP Passport CA certificate, KBA, SRD-CC-SEC, Security, Problem
SAP Knowledge Base Article - Public