FAQ: DigiCert root and intermediate CA certificate updates

	English	
Deutsch - Machine Translation Español - Machine Translation Français (France) - Machine Translation Italiano - Machine Translation 日本語 - Machine Translation 한국어 - Machine Translation Português (Brasil) - Machine Translation Русский - Machine Translation 简体中文 - Machine Translation

Support Note KB0740165

Symptom

Frequently Asked Questions

Q: Is there an FAQ page provided by Digi Cert?

A: You can access Digi Cert’s FAQ knowledge base here.

Q: How to determine if you are impacted by this change?

A: Since this is an industry wide change, it is likely that you are impacted by the change. Customers should review their current configurations. You will be impacted if you do any of the following:

Pin ICA/Root certificates.
Hard code the acceptance of ICA/Root certificates.
Operate a trust store.

Q: Will Integrated Suite Managed Gateway (formerly SAP Integration Suite, managed gateway for spend management and SAP Business Network) be impacted? Do a Managed Gateway for Spend&Network customer have to trust the new Digicert G2/G3 certificate?

A: Yes, this is applicable to Managed Gateway for Spend&Network as well. Managed Gateway for Spend&Network and authentication through certificate will be impacted by the DigiCert certificate update if you don't trust complete chain (root + intermediate + leaf) when the certificate gets renewed at SAP Integration Suite, managed gateway for spend management and SAP Business Network side.

To support upcoming Ariba side certificate changes, customer has to trust G2 & G3 Root and Intermediate Certificate issued by DigitCert. The same is applicable even if you use Certificate Authentication method.

Q: What action should be taken if a customer’s environment has the above setting?

A: Your internal IT / Security should update the environment - Stop pinning or hard-coding root or ICA certificate acceptance or make the necessary changes to ensure certificates issued from the G2 certificate hierarchy are trusted (in other words, they can chain up to their trusted G2 root certificate).

Q: Can the change first be applied to Test or Dev realm and then on to Production?

A: SAP Ariba is cloud platform, and all the customer environments (Prod, Test and Dev) are hosted on the same servers. Changes are made on the server level therefore changes are applied to all the environments at the same time.

Q: Can a customer get an exact time when the certificate needs to be changed?

A: Both G1 and G2 root and intermediate certificates can co-exist, so you can add the G2 certificates now. Ensure G1 certs are not removed from trust stores.

Q: What is a root, intermediate, and leaf certificate?

A: A certificate path contains the root, intermediate, and leaf certificates. If you open the .crt file that is currently loaded in your system, click on the tab Certification Path, to show the Root, Intermediate, and Leaf certificate (see attached image FAQ DigiCert root and intermediate CA certificate updates.

The certificate on the bottom of the list is considered the leaf certificate. The next one up is the intermediate certificate. The top one is the root certificate. The leaf certificate is provided to the customer on SAP Ariba Public Certificate Downloads. Depending on the customer’s configuration, it may be required to load the root and/or intermediate certificate in addition to the leaf certificate.

Resolution

Make the necessary changes to ensure certificates issued from the G2 certificate hierarchy are trusted.

Attached File



FAQ DigiCert root and intermediate CA certificate updates.png

20.51 KB

Applies To

Procurement Core Platform > Base Framework