SAP Note

Header Data

Symptom

The SAProuter Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE) will expire 07/18/2015 and needs to be replaced.

Effective 04/15/2015 11:00 AM CET

The new SAP SAProuter CA will go-live at SAP. This new SAProuter CA requires software changes as well as a process change at both SAP and at our customers by latest 07/18/2015 11:00 AM CET.

Effective 04/15/2015 11:00 AM CET all newly generated SAProuter certificate requests will be signed by the new SAProuter CA only.  In order to create a new SAProuter certificate, all customers using SNC connections with SAP must have in place the new SAProuter CA requirements.

Effective 04/15/2015 11:00 AM CET through 07/18/2015 11:00 AM CET:

SAP will provide a transition period from 04/15/2015 11:00 AM CET through 07/18/2015 11:00 AM CET. During this transition period, SAP will support customers SAProuter certificates signed by both the old and the new SAProuter CA.

Effective 07/18/2015 11:00 AM CET:

Certificates obtained before 04/15/2015 11:00 AM CET will no longer be supported. Only certificates issued by the new SAProuter CA will be accepted from this point on.

Details how to manage setup for the old and new SAProuter CA can be found here:

Installing the sapcrypto library and starting the SAProuter 

Other Terms

SAProuter SNC remote connection STFK

Reason and Prerequisites

The SAProuter Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE) is valid until 07/18/2015 11:00:00 AM CET. After that point in time, certificates signed by that Root CA will not be valid any longer, such that SNC connections will not work. The SAProuter Root CA will be replaced by a new Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE).

SAP will sign certification requests with the new SAProuter Root CA from 04/15/2015 11:00 AM CET. If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET, you must use the latest Common Crypto Library (using the latest SAProuter executable is strongly recommended). The sapservX servers will use the old SAProuter CA until 07/18/2015 11:00 AM CET to ensure that SAProuters using an old SAProuter certificate can still connect.

Timeline

4/15/2015 11:00 AM CET: switch to new SAProuter Root CA for certification requests, SAProuter certificates obtained before 04/15/2015 can still be used 7/18/2015 11:00 AM CET: switch sapservX to use PSEs signed by new SAProuter CA, SAProuter certificates obtained before 04/15/2015 can no longer be used to establish SNC connections with SAP

Solution

The following steps need to be taken only if you are using SNC connections between your network and SAP:

Until 04/15/2015 11:00 AM CET

As stated, certificates signed by SAP before 04/15/2015 11:00 AM CET can be used until 07/18/2015 11:00 AM CET.

After 04/15/2015 11:00 AM CET

All certificates signed by SAP as of this date/time stamp will be created using the new SAProuter CA. This requires changes on the customer site 

    2131531 - New Root Certification Authority for saprouter certificates  

Version   2     Validity: 10.03.2015 - active   Language   English (Master)

Released On 10.03.2015 07:33:42

Release Status Released for Customer

Component XX-SER-NET-HTL Problems with remote access from SAP to Customer system

Priority Hot News

Category Installation information

so please plan accordingly.

From 04/15/2015 11:00 AM CET until 07/18/2015 11:00 AM CET

All certificates signed by SAP during this period will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.

If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET the following steps are mandatory:

l Use latest Common Crypto Library l Use a PSE with a key size of 2048 l Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 

07/18/2015)

In addition, using the latest SAProuter version is strongly recommended.

After 07/18/2015 11:00 AM CET

All certificates signed by SAP as of this date/time stamp will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.

If you apply for an SAProuter certificate after 07/18/2015 11:00 AM CET the following steps are mandatory:

l Use latest Common Crypto Library l Use a PSE with a key size of 2048

In addition, using the latest SAProuter version is strongly recommended.

The SAProuter Root CA certificates are available from here. For a detailed description refer to Installing the sapcrypto library and starting the SAProuter.

If you have any further questions please open a customer ticket on component XX-SER-NET-HTL.

Validity

This document is not restricted to a software component or software component version

Attachments

File Name File Size (KB) Mime Type

smprootca.der 990 application/x-x509-ca-cert