DigiCert root and intermediate CA certificate updates

Dear SAP Ariba Customer,

PLEASE DISTRIBUTE THIS MESSAGE TO THE IT / NETWORK / SECURITY DEPARTMENT IN YOUR ORGANIZATION

The RSA and ECC certificates updated by SAP Ariba and SAP Business Network will be supported by DigiCert’s G2 & G3 root and intermediate CA certificates. Even if your integration only uses the RSA cert, both the G2 and G3 root certs should be added to the trust store. You can identify whether you use RSA or ECC certificates by referring General Security and Certificate Questions.

Please Note: SAP provides the root, intermediate and leaf/client certificates (full chain) of G2/G3 in all certificate files. The root and intermediate certificates will be updated on a certificate-by-certificate basis. While installing the full certificate chain provided by SAP would suffice in most cases, customers are requested to review DigiCert's guidelines (links below) to ensure compliance specific to your system landscape.

WHY ARE WE CHANGING

This is part of an industry-wide change where your browser will begin distrusting older DigiCert G1 root certificates in 2025. The upgrade to G2 and G3 has been timed in 2024 to ensure your existing certificates (with 1 year validity) will not be affected by the browser’s distrust policy.

CALL TO ACTION

Customers should review their current configurations. You will be impacted if you do any of the following:

Pin ICA/Root certificates.
Hard code the acceptance of ICA/Root certificates.
Operate a trust store.

We recommend to stop pinning or hard-coding root or ICA certificate. If you operate a trust store, make the necessary changes to ensure certificates issued from the G2 (or G3) certificate hierarchies are trusted.

You can find the G2 certificates (corresponding to G1 certificates currently existing in your landscape) in Digicert Knowledge Base (see table below the header: March 8, 2023, ICA/Root Replacements). You may download the new G2 and G3 certificates corresponding to G1 from DigiCert Trusted Root Authority Certificates.

Add the new G2 and G3 certificate hierarchies to your trust stores.

Do not remove the current G1 certificates from the trust stores as SAP certificates updated until January 2024 (with 1 year validity until January 2025) will still use G1 certificates.

Both G1, G2 and G3 certificates can co-exist, so you can add the G2 and G3 certificates without removing the G1 certificate. The need is an addition of G2/G3, not a removal of G1.

For additional details, please review the DigiCert root and intermediate CA certificate updates FAQ.

If you have any questions regarding the information contained in this message, please contact Digi Cert Support or create a case via SAP Ariba Connect or contact your company’s Designated Support Contact. Please do not reply to this email as this mailbox is not monitored.