3446646 - Renewal of SAP Passport CA certificate - SAP Business ByDesign

User wants to renew the SAP Passport CA Certificate or User received an email from SAP to renew the SAP Passport CA Certificate.

This KBA is to give additional insights about this renewal

SAP Business ByDesign

Help Center Documentation

Each SAP Business ByDesign tenant is provisioned with a tenant certificate issued by the SAP Passport CA. The validity period of the tenant certificate is 1 year. For the functioning of the communications relying on the tenant certificate, it's mandatory to upload the valid certificate after renewal every year to the relevant target systems.

You can view the tenant certificate from Application and User Management -> Common Tasks -> Edit Certificate Trust List -> View Tenant Certificate.

You can download the tenant certificate from Application and User Management -> Communication Certificates -> Download Tenant Certificate.

For more details, refer to the documentation Renewal of Tenant Certificate

Blog

To know the changes & impacts, actions and details in terms of Integration, refer to the blog Renewal of Tenant Certificate

This blog also have a FAQ which clarifies questions around this topic.

Overview

What is Single Sign-On with SAP Passports?

Refer to the detailed documentation 

KBA

3336913 - Tenant Certificate Details in SAP Business ByDesign

3366283 - System throws Error Message 'Certificate already exists'

Email Communication

If you receive an Email from SAP to renew the SAP CA Certificate, then follow the below instructions:

Immediate action Required:

In case you have configured direct trust to the current SAP Passport CA G2, the new SAP Passport CA G2 certificate with the extended validity date must be added in to your trust list to avoid any disruptions in the integrations.

It is already available for download from here. 

In case you have configured certificate mapping to the exact Tenant/M-user certificate of ByD (certificate pinning) you need to map to the renewed Tenant/M-user certificate of ByD tenant after it is available.

Notes:

A) In case you have configured trust to the SAP Cloud Root CA no action is needed.

B) In case you have configured certificate mapping based on Subject and Issuer string no action is needed.

These changes relate to all BYD customers.
If you did not use this certificate anywhere in your communication arrangements for outbound communication then no action required.

Additional Q&A

1. Do we also need to update the communication arrangements with the external systems?
You need to adjust your communication arrangements with the external systems after you receiving communication from SAP that switch is done on your instance since the old certificate will be invalid after the renewal. Actions mentioned in the blog need to be taken every time of your certification renewal.

2. Do ByD Evaluate an user/CA is set to a specific Outbound/Inbound process?

Currently the ByD does not have this functionality to evaluate if an user/CA is set to a specific Outbound/Inbound process, this is not available in the UI. Post your requirement in the SAP Customer Influence Site: https://influence.sap.com/sap/ino/#/campaign/886

3. If you used any 3rd party integration with sap passport CA G2,  then

Go ahead and download the latest passport CA G2 from given link in communication and replace from your end.

Renewal of SAP Passport CA certificate,  , KBA , SRD-CC-SEC , Security , Problem