2131531 - New Root Certification Authority for Saprouter Certificates
SAP Note
Header Data
Symptom
The SAProuter Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE) will expire 07/18/2015 and needs to be replaced.
Effective 04/15/2015 11:00 AM CET
The new SAP SAProuter CA will go live at SAP. This new SAProuter CA requires software changes as well as a process change, both at SAP and at our customers, by 07/18/2015 11:00 AM CET at the latest.
Effective 04/15/2015 11:00 AM CET all newly generated SAProuter certificate requests will be signed by the new SAProuter CA only. In order to create a new SAProuter certificate, all customers using SNC connections with SAP must have in place the new SAProuter CA requirements.
Effective 04/15/2015 11:00 AM CET through 07/18/2015 11:00 AM CET:
SAP will provide a transition period from 04/15/2015 11:00 AM CET through 07/18/2015 11:00 AM CET. During this transition period, SAP will support customers' SAProuter certificates signed by both the old and the new SAProuter CA.
Effective 07/18/2015 11:00 AM CET:
Certificates obtained before 04/15/2015 11:00 AM CET will no longer be supported. Only certificates issued by the new SAProuter CA will be accepted from this point on.
Details on how to manage the setup for the old and new SAProuter CA can be found here:
Installing the sapcrypto library and starting the SAProuter
Other Terms
SAProuter SNC remote connection STFK
Reason and Prerequisites
The SAProuter Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE) is valid until 07/18/2015 11:00:00 AM CET. After that point in time, certificates signed by that Root CA will not be valid any longer, such that SNC connections will not work. The SAProuter Root CA will be replaced by a new Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE).
SAP will sign certification requests with the new SAProuter Root CA from 04/15/2015 11:00 AM CET. If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET, you must use the latest Common Crypto Library (using the latest SAProuter executable is strongly recommended). The sapservX servers will use the old SAProuter CA until 07/18/2015 11:00 AM CET to ensure that SAProuters using an old SAProuter certificate can still connect.
Timeline
4/15/2015 11:00 AM CET: switch to new SAProuter Root CA for certification requests, SAProuter certificates obtained before 04/15/2015 can still be used
7/18/2015 11:00 AM CET: switch sapservX to use PSEs signed by new SAProuter CA, SAProuter certificates obtained before 04/15/2015 can no longer be used to establish SNC connections with SAP
Solution
The following steps need to be taken only if you are using SNC connections between your network and SAP:
Until 04/15/2015 11:00 AM CET
As stated, certificates signed by SAP before 04/15/2015 11:00 AM CET can be used until 07/18/2015 11:00 AM CET.
After 04/15/2015 11:00 AM CET
All certificates signed by SAP as of this date/timestamp will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.
Header Data: Version 3; Validity: 18.03.2015 - active; Language: English (Master); Released On: 24.03.2015 06:10:21; Release Status: Released for Customer; Component: XX-SER-NET-HTL Problems with remote access from SAP to Customer system; Priority: Hot News; Category: Installation information
From 04/15/2015 11:00 AM CET until 07/18/2015 11:00 AM CET
All certificates signed by SAP during this period will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.
If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET the following steps are mandatory:
- Use latest Common Crypto Library
- Use a PSE with a key size of 2048
- Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015)
In addition, using the latest SAProuter version is strongly recommended.
After 07/18/2015 11:00 AM CET
All certificates signed by SAP as of this date/timestamp will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.
If you apply for an SAProuter certificate after 07/18/2015 11:00 AM CET the following steps are mandatory:
- Use latest Common Crypto Library
- Use a PSE with a key size of 2048
In addition, using the latest SAProuter version is strongly recommended.
The SAProuter Root CA certificate is attached to this note. For a detailed description refer to Installing the sapcrypto library and starting the SAProuter.
If you have any further questions please open a customer ticket on component XX-SER-NET-HTL.
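An added example, not part of the SAP Note or of any SAP tool: a Python check that applies the note's timeline and requirements to an inventory of SAProuter certificates. The function names, the inventory layout and the treatment of CET as fixed UTC+1 are assumptions, and DN values are assumed to contain no escaped commas.

```python
from datetime import datetime, timedelta, timezone

# DNs and dates come from the note; "CET" is treated as fixed UTC+1 (assumption).
CET = timezone(timedelta(hours=1))
CUTOVER = datetime(2015, 7, 18, 11, 0, tzinfo=CET)  # old root CA expires
OLD_CA = "CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE"
NEW_CA = "CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE"
REQUIRED_KEY_BITS = 2048


def parse_dn(dn):
    """Normalize a comma-separated DN into a set of (ATTR, value) pairs."""
    pairs = (rdn.partition("=") for rdn in dn.split(","))
    return frozenset((attr.strip().upper(), value.strip()) for attr, _, value in pairs)


def issuing_ca(issuer_dn):
    """Return 'old', 'new' or 'unknown'. The whole DN is compared because both
    roots share CN=SAProuter CA and differ only in the O attribute."""
    dn = parse_dn(issuer_dn)
    if dn == parse_dn(OLD_CA):
        return "old"
    if dn == parse_dn(NEW_CA):
        return "new"
    return "unknown"


def assess(issuer_dn, key_bits, old_root_imported, at):
    """Return (ca, findings) for one SAProuter certificate at aware datetime `at`."""
    ca, findings = issuing_ca(issuer_dn), []
    if ca == "unknown":
        findings.append("issuer is neither SAProuter root CA named in the note")
    elif ca == "old":
        findings.append("old root CA expired, SNC to SAP will fail" if at >= CUTOVER
                        else "renew under the new root CA before 07/18/2015")
    else:
        if key_bits != REQUIRED_KEY_BITS:
            findings.append("PSE key size must be 2048")
        if at < CUTOVER and not old_root_imported:
            findings.append("import old root CA to trust sapservX until 07/18/2015")
    return ca, findings


if __name__ == "__main__":
    # Constructed inventory: (issuer DN, key bits, old root imported?)
    now = datetime(2015, 5, 1, 9, 0, tzinfo=CET)
    for row in [(OLD_CA, 1024, True), (NEW_CA, 1024, False), (NEW_CA, 2048, True)]:
        print(row[0], "->", assess(*row, at=now))
```

Matching on the common name alone would treat both roots as the same CA, which is why the comparison covers every DN attribute.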
Validity
This document is not restricted to a software component or software component version
Attachments
File Name | File Size (KB) | Mime Type
smprootca.der | 990 | application/x-x509-ca-cert