3458500 - DigiCert Global Root CA change for SAP Analytics Cloud (SAC)

• You received an announcement stating that DigiCert will stop signing certificates with the root certificate authority (CA) "DigiCert Global Root CA" and you want to connect your client to a domain offering a certificate signed by the new root CA "DigiCert Global Root G2"
• You are calling public APIs (REST API, URL API)  of SAP Analytics Cloud
• You are using OAuth client of SAP Analytics Cloud

• SAP Analytics Cloud, Enterprise Edition
• Non-SAP Data Center (Cloud Foundry, CF)

• To avoid issues when commonly used browsers such as Mozilla Firefox and Google Chrome distrust older root certificates, DigiCert will begin updating their first generation (G1) certificates to second-generation (G2) certificates. For more information, see https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html.
• As per SAP KBA 3327214 and SAP technology blog, SAP BTP, Cloud Foundry environment has switched to the G2 intermediate certificate authority (ICA) and deployed certificates signed by the new CA for all platform domains, including SAC domains listed as below (at least but not limited):
  • *.analytics.cloud.sap
  • *.analytics.sapcloud.cn
  • *.hanacloudservices.cloud.sap
  • *.hcs.cloud.sap
  • *.projectorca.cloud
  • *.sapanalytics.cloud
  • *.sapanalyticscloud.cn
  • *.sapbusinessobjects.cloud
  • *.cf.<Region>.hana.ondemand.com 
  • *.accounts.ondemand.com
  • *.authentication.<Region>.hana.ondemand.com
  • *.accounts.sapcloud.cn
  • *.authentication.cn40.platform.sapcloud.cn

If you manage the trust stores of your client, you must ensure that the new root certificate is added to the certificate trust store.

For your client to use the trusted certificate authorities, you must modify your certificate trust store to include the old (DigiCert Global Root CA) and the new (DigiCert Global Root G2) root certificate.

To do so, complete the following steps:

1. Go to https://www.digicert.com/kb/digicert-root-certificates.htm. 
2. In the list of certificates, search for DigiCert Global Root G2, download the PEM file, and put it into your trust store. 
3. Your trust store must include the old CA, DigiCert Global Root CA, as well as the new CA, DigiCert Global Root G2.  

To check whether you client trusts DigiCert Global Root G2, you can use this test page: https://global-root-g2.chain-demos.digicert.com/.

• 3327214 - Root Certificate Replacement in the SAP BTP, Cloud Foundry Environment
• Changing the SAP BTP Cloud Foundry environment Root Certificate Authority
• 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
• Have a question? Ask it here and let our amazing SAP community help! Or reply and share your knowledge!
• 2487011 - What information do I need to provide when opening a case for SAP Analytics Cloud?
• 2511489 - Troubleshooting performance issues in SAP Analytics Cloud
• Search for SAP Analytics Cloud content using SAP for Me, Google or Bing:
  • https://me.sap.com/servicessupport/search#?q=SAP%20Analytics%20Cloud%20OR%20SAC&tab=All
  • https://www.google.com/search?q=site%3Ahttps%3A%2F%2Fuserapps.support.sap.com+SAP+Analytics+Cloud
  • https://www.bing.com/search?q=site%3Ahttps%3A%2F%2Fuserapps.support.sap.com+SAP+Analytics+Cloud
  • Note: Add relevant text or warning/error messages to the text search field to filter results.
• SAP Analytics Cloud Connection Guide
• Getting Started with SAP Analytics Cloud Expert Community page
• SAP Analytics Cloud Get More Help and SAP Support
• Need More Help? Contact Support or visit the solution finder today!

Your feedback is important to help us improve our knowledge base.

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Planning, Cloud for Analytics, C4P, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, HCP, C4A, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJ, BOBJcloud, BOCloud., BICloud, BO Cloud, SAC, BTP, CF, SSL, Certificate, CERT, authority, CA, Root, DigiCert, G1, G2 , KBA , LOD-ANA-ADM , SAC Administration , LOD-ANA-DES-URLAPI , SAP Analytics Cloud Story related URL parameters API , LOD-ANA-LS , Licensing and Full User Equivalent , LOD-ANA-GTW , Gateway for SAP Analytics Cloud API , Product Enhancement