Symptom
- SAP SuccessFactors HCM is switching to the "DigiCert TLS RSA4096 Root G5" Public Key Infrastructure (PKI).
- You own a custom trust store which contains the "DigiCert Global Root G2" certificate, and you want to add the new "DigiCert TLS RSA4096 Root G5" certificate.
Note: This is applicable for KSA Migration (DC23) customers only. The required actions need to be taken any time before September 1st, 2025.
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
SAP SuccessFactors HCM Suite
Cause
To comply with the requirements of the Kingdom of Saudi Arabia’s National Cybersecurity Authority (NCA), SAP SuccessFactors will switch to DigiCert G5. DigiCert G5 uses longer key lengths and a stronger hash algorithm, SHA-384.
Resolution
Call for Action:
If you have systems in which you manage the trusted certificates yourself, check whether the DigiCert G2 Root certificate exists in them. If it exists and its usage is related to SAP SuccessFactors, please add the G5 Root certificate “DigiCert TLS RSA4096 Root G5” alongside it.
- To download the G5 certificate, go to https://www.digicert.com/kb/digicert-root-certificates.htm
- In the list of certificates, search for DigiCert TLS RSA4096 Root G5.
- Download the appropriate format for your trust store.
- Verify that the fingerprint of the downloaded certificate matches the one given on the website. A reference fingerprint is attached to this KBA in the file fingerprint.txt.
Example of how this verification can be done with an OpenSSL command: openssl x509 -noout -text -in ./DigiCertTLSRSA4096RootG5.crt.pem -fingerprint
- Follow the instructions of your trust store to add the CA certificate to it. Do not yet remove the G2 certificate as both are needed for the transition period.
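The steps above, applied to a PEM bundle trust store, as an added example that is not part of the KBA or SAP's tooling. It assumes the reference fingerprints are SHA-256 values; the function names are hypothetical, and the "certificates" and reference values are constructed placeholders to be replaced with your real store, the downloaded file and the values from fingerprint.txt.

```python
import base64, hashlib, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def normalize(fp):
    """Reduce 'SHA256 Fingerprint=AA:BB:..', 'AA:BB:..' or 'aabb..' to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.split("=")[-1].lower())

def fingerprints(pem_text):
    """SHA-256 over the DER bytes of each certificate in a PEM file or bundle."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def plan(store_pem, download_pem, g2_ref, g5_ref):
    """Decide what to do with one trust store, following the KBA's steps."""
    store = set(fingerprints(store_pem))
    if normalize(g2_ref) not in store:
        return "skip: G2 root not in this store"
    if normalize(g5_ref) in store:
        return "ok: G2 and G5 both trusted"
    # Only a file holding exactly one certificate with the expected fingerprint is accepted.
    if fingerprints(download_pem) != [normalize(g5_ref)]:
        return "stop: downloaded file does not match the reference fingerprint"
    return "add G5: fingerprint verified, keep G2 in place"

def _pem(der):
    """Wrap raw bytes in PEM armour (helper for the constructed samples below)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed stand-ins, NOT real certificates or real DigiCert fingerprints.
FAKE_G2, FAKE_G5, FAKE_OTHER = b"constructed-g2", b"constructed-g5", b"constructed-other"
G2_REF = hashlib.sha256(FAKE_G2).hexdigest()
G5_REF = "SHA256 Fingerprint=" + ":".join(f"{b:02X}" for b in hashlib.sha256(FAKE_G5).digest())
STORE = _pem(FAKE_OTHER) + _pem(FAKE_G2)   # store that trusts G2 but not yet G5

if __name__ == "__main__":
    print(plan(STORE, _pem(FAKE_G5), G2_REF, G5_REF))                  # add G5
    print(plan(STORE, _pem(b"tampered"), G2_REF, G5_REF))              # stop
    print(plan(STORE + _pem(FAKE_G5), "", G2_REF, G5_REF))             # ok
    print(plan(_pem(FAKE_OTHER), _pem(FAKE_G5), G2_REF, G5_REF))       # skip
```

OpenSSL's -fingerprint option prints a SHA-1 digest unless a digest option such as -sha256 is given, so compare like with like when checking against the reference file.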
STOP Certificate Pinning
DigiCert has made an announcement on shortening certificate validity to 47 days and the schedule of certificate validity reduction is provided in this article: TLS Certificate Lifetimes Will Officially Reduce to 47 Days | DigiCert.
Because of this reduction in certificate validity starting March 2026, and the more frequent certificate renewals that follow from it, please take note of the following:
- Certificate pinning should be stopped.
As part of the DigiCert G5 Rollout, customers should not pin the certificate. DigiCert recommends that you stop pinning and hard-coding root and ICA certificate acceptance. Stopping these practices makes moving to new ICA certificates or root certificate hierarchies easier.
- Our communications related to the certificate updates from SuccessFactors, and the maintenance of corresponding KBA 2533915, will be discontinued in 2026.
STOP IP Based API calls
- To ensure scalability, security, and operational resilience, all API integrations must use Fully Qualified Domain Names (FQDNs) or URLs rather than hardcoded IP addresses. This guideline applies to all environments: development, staging, and production.
- IP addresses can change due to infrastructure upgrades, cloud migrations, or scaling operations.
- FQDNs abstract the underlying infrastructure, allowing seamless changes without the need to reconfigure the API clients.
- DNS entries often point to multiple backend servers for load balancing.
- Using FQDNs ensures traffic is distributed efficiently and supports failover mechanisms.
- Using FQDNs/URLs is safer: after an IP change, API calls made to the IP address might not only fail but also pose a potential security risk.
- FQDNs allow better tracking, logging, and auditing of API traffic.
- Please refer to this KBA to get the API URL for your instance and use it in place of the IP address in your API clients.
We advise you to contact your IT department to perform the above-mentioned checks and required actions, if needed, at any time before September 1st, 2025.
Note: SuccessFactors Support team does not possess the specific knowledge required to guide or assist in the validation or installation of these certificates on third-party servers or tools.
Keywords
Certificate, SSL, Digicert, G1, G2, G5, Root, KBA, LOD-SF-PLT-PSI, Product Security Inquiries, How To
Attachments
| fingerprint.txt |
SAP Knowledge Base Article - Public