Symptom
- SAP SuccessFactors HCM is switching to the "DigiCert TLS RSA4096 Root G5" Public Key Infrastructure (PKI) in April 2026 for Bizx, LMS and RMK CDN URLs.
- You own a custom trust store which contains the "DigiCert Global Root G2" certificate, and you want to add the new "DigiCert TLS RSA4096 Root G5" certificate. Please take the necessary action any time before April 1st, 2026.
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
SAP SuccessFactors HCM Suite
Cause
SAP SuccessFactors will switch to DigiCert G5, which incorporates higher key lengths and the stronger hash algorithm SHA-384.
Customers, or their partners' solutions, that have integrations with SuccessFactors and currently use the "DigiCert Global Root G2" certificate as part of them should follow the required actions to make sure the integration continues to work.
Resolution
Important Note
The impact and actions detailed in this KBA apply only to customers who:
- have built integrations with SuccessFactors modules like LMS, ONB, etc.
- AND whose integration uses a certificate, DigiCert Global Root G2, either standalone or together with any other SF domain certificates from this KBA 2533915 (certificate pinning)
The communication and this KBA are sent to all SF customers because SAP does not have visibility into who might be using certificates in integrations with SF. Unless both of the above points are met, no action is needed and the communication and this KBA can be ignored.
Customers who do have integrations meeting both of the above conditions will need to take the action stated below.
Action Needed
Subject to the conditions stated in the previous "Important Note" section, if you have systems in which you manage the trusted certificates yourself, check whether the DigiCert G2 Root certificate exists in them. If it exists and the usage is related to SAP SuccessFactors, you must add the new G5 certificate to ensure a seamless transition.
- To download the G5 certificate, go to https://www.digicert.com/kb/digicert-root-certificates.htm
- In the list of certificates, search for DigiCert TLS RSA4096 Root G5.
- Download the appropriate format for your trust store.
- Verify that the fingerprint of the downloaded certificate matches what is given on the website. For openssl, use this command:
openssl x509 -noout -text -in ./DigiCertTLSRSA4096RootG5.crt.pem -fingerprint
Sample output attached as reference.
- Follow the instructions of your trust store to add the CA certificate to it.
- Do not yet remove the G2 certificate, as both are needed for the transition period.
We advise you to contact your IT department or integration partners to perform the above-mentioned checks and required actions any time before April 1st, 2026, if needed.
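The check described above (is G2 in the store, is G5 already there, does the download match the published fingerprint) can be scripted for PEM bundle trust stores. This is an added example, not SAP or DigiCert code; it compares SHA-256 fingerprints, the function names are hypothetical, and the sample certificates are constructed stand-ins, so the real G2 and G5 fingerprints must be taken from the DigiCert download page.

```python
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def normalize(fp: str) -> str:
    """Reduce 'AB:CD:..', 'ab cd ..' or 'abcd..' to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def bundle_fingerprints(pem_text: str) -> list[str]:
    """SHA-256 over the DER bytes of every certificate in a PEM bundle
    (the value `openssl x509 -fingerprint -sha256` prints, minus colons)."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_text)]


def verify_download(pem_text: str, published_fp: str) -> bool:
    """Accept a download only if it is one certificate matching the published value."""
    fps = bundle_fingerprints(pem_text)
    return len(fps) == 1 and hmac.compare_digest(fps[0], normalize(published_fp))


def transition_status(store_pem: str, g2_fp: str, g5_fp: str) -> str:
    """Classify a PEM trust store for the G2 -> G5 transition period."""
    present = set(bundle_fingerprints(store_pem))
    has_g2, has_g5 = normalize(g2_fp) in present, normalize(g5_fp) in present
    if has_g2 and has_g5:
        return "ready"      # both roots trusted, as the transition requires
    if has_g2:
        return "add-g5"     # the case this KBA asks you to fix
    return "g5-only" if has_g5 else "no-g2"


def demo() -> list[str]:
    # Constructed stand-ins: arbitrary bytes wrapped as PEM, NOT the real DigiCert
    # roots. Real fingerprints are copied from the DigiCert download page.
    g2 = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for Global Root G2")
    g5 = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for TLS RSA4096 Root G5")
    g2_fp, g5_fp = bundle_fingerprints(g2 + g5)
    return [transition_status(g2, g2_fp, g5_fp),
            transition_status(g2 + g5, g2_fp, g5_fp)]


if __name__ == "__main__":
    print(demo())
```

Trust stores in other formats (for example a Java keystore) need to be exported to PEM first before this check applies.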
Any impact on Recruiting Marketing (RMK) Career Site?
This certificate change notification is not relevant for RMK SSL certificates and currently installed SSL certificates do not need to be updated as they will continue to be supported. The CDN links will continue to be accessible after the change and no action is required.
Only custom integrations, if any, connecting to the site will need to support G5 certificates to ensure there is no service impact.
Additional Calls for Action:
Update SAP SuccessFactors Mobile Client App
We recommend that users update to the latest version of the app from the Apple App Store or the Google Play Store. For Android users in mainland China, the app is available in the Tencent App Store.
The target availability date is March 17, 2026, though availability across the Apple App Store, Google Play Store, and Tencent App Store may vary by up to two days due to platform approval processes.
STOP Certificate Pinning
DigiCert has announced that certificate validity will be shortened to 47 days; the schedule of the certificate validity reduction is provided in this article: TLS Certificate Lifetimes Will Officially Reduce to 47 Days | DigiCert
Because certificate validity is reduced starting March 2026, and certificates will therefore be renewed more frequently, customers who meet the conditions stated in the prior "Important Note" section should stop certificate pinning. The communication related to the cert update from SuccessFactors and the maintenance of this KBA 2533915 will be discontinued in Dec 2026.
DigiCert recommends that you stop pinning and hard-coding root and ICA certificate acceptance. Stopping these practices makes moving to new ICA certificates or root certificate hierarchies easier.
STOP IP Based API calls
To ensure scalability, security, and operational resilience, all API integrations must use Fully Qualified Domain Names (FQDNs) or URLs rather than hardcoded IP addresses. This guideline applies to all environments - development, staging, and production.
- IP addresses can change due to infrastructure upgrades, cloud migrations, or scaling operations.
- FQDNs abstract the underlying infrastructure, allowing seamless changes without the need for reconfiguring the API clients.
- DNS entries often point to multiple backend servers for load balancing.
- Using FQDNs ensures traffic is distributed efficiently and supports failover mechanisms.
- Using FQDNs/URLs is safer: after an IP change, API calls made to the IP might not only fail but also pose a potential security risk.
- FQDNs allow better tracking, logging, and auditing of API traffic.
- Please refer to this KBA to get the API URL for your instance and update your API clients to use it.
Important: We advise you to contact your IT department or integration partners to perform the above-mentioned checks and required actions. Since this depends on the customer's IT landscape, SuccessFactors Technical support is unable to provide advice or assistance on whether these actions might be necessary for your organization.
Keywords
SuccessFactors, Digicert G2, G5, Certificate Pinning, FQDN URLS, API URLS, KBA, LOD-SF-PLT, Platform Foundational Capabilities, How To
SAP Knowledge Base Article - Public