2131531 - New Root Certification Authority for Saprouter Certificates


  • SAP Note

    Header Data

    Symptom

    The SAProuter Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE) will expire 07/18/2015 and needs to be replaced.

    Effective 04/15/2015 11:00 AM CET

    The new SAP SAProuter CA will go-live at SAP. This new SAProuter CA requires software changes as well as a process change at both SAP and at our customers by latest 07/18/2015 11:00 AM CET.

    Effective 04/15/2015 11:00 AM CET all newly generated SAProuter certificate requests will be signed by the new SAProuter CA only. In order to create a new SAProuter certificate, all customers using SNC connections with SAP must have in place the new SAProuter CA requirements.

    Effective 04/15/2015 11:00 AM CET through 07/18/2015 11:00 AM CET:

    SAP will provide a transition period from 04/15/2015 11:00 AM CET through 07/18/2015 11:00 AM CET. During this transition period, SAP will support customers' SAProuter certificates signed by both the old and the new SAProuter CA.

    Effective 07/18/2015 11:00 AM CET:

    Certificates obtained before 04/15/2015 11:00 AM CET will no longer be supported. Only certificates issued by the new SAProuter CA will be accepted from this point on.

    Details how to manage setup for the old and new SAProuter CA can be found here:

    Installing the sapcrypto library and starting the SAProuter

    Other Terms

    SAProuter SNC remote connection STFK

    Reason and Prerequisites

    The SAProuter Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE) is valid until 07/18/2015 11:00:00 AM CET. After that point in time, certificates signed by that Root CA will not be valid any longer, such that SNC connections will not work. The SAProuter Root CA will be replaced by a new Root CA (CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE).

    SAP will sign certification requests with the new SAProuter Root CA from 04/15/2015 11:00 AM CET. If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET, you must use the latest Common Crypto Library (using the latest SAProuter executable is strongly recommended). The sapservX servers will use the old SAProuter CA until 07/18/2015 11:00 AM CET to ensure that SAProuters using an old SAProuter certificate can still connect.

    Timeline

    4/15/2015 11:00 AM CET: switch to new SAProuter Root CA for certification requests, SAProuter certificates obtained before 04/15/2015 can still be used

    7/18/2015 11:00 AM CET: switch sapservX to use PSEs signed by new SAProuter CA, SAProuter certificates obtained before 04/15/2015 can no longer be used to establish SNC connections with SAP

    Solution

    The following steps need to be taken only if you are using SNC connections between your network and SAP:

    Until 04/15/2015 11:00 AM CET

    As stated, certificates signed by SAP before 04/15/2015 11:00 AM CET can be used until 07/18/2015 11:00 AM CET.

    After 04/15/2015 11:00 AM CET

    All certificates signed by SAP as of this date/time stamp will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.

    2131531 - New Root Certification Authority for saprouter certificates

    Version: 3
    Validity: 18.03.2015 - active
    Language: English (Master)
    Released On: 24.03.2015 06:10:21
    Release Status: Released for Customer
    Component: XX-SER-NET-HTL Problems with remote access from SAP to Customer system
    Priority: Hot News
    Category: Installation information

    From 04/15/2015 11:00 AM CET until 07/18/2015 11:00 AM CET

    All certificates signed by SAP during this period will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.

    If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET the following steps are mandatory:

    - Use latest Common Crypto Library
    - Use a PSE with a key size of 2048
    - Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015)

    In addition, using the latest SAProuter version is strongly recommended.

    After 07/18/2015 11:00 AM CET

    All certificates signed by SAP as of this date/time stamp will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.

    If you apply for an SAProuter certificate after 07/18/2015 11:00 AM CET the following steps are mandatory:

    - Use latest Common Crypto Library
    - Use a PSE with a key size of 2048

    In addition, using the latest SAProuter version is strongly recommended.

    The SAProuter Root CA certificate is attached to this note. For a detailed description refer to Installing the sapcrypto library and starting the SAProuter.

    If you have any further questions please open a customer ticket on component XX-SER-NET-HTL.
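
    The old and new root CAs share the same CN and OU and differ only in the O attribute, so an inventory check has to compare the whole issuer DN rather than match on "SAProuter CA" or on a substring. The following audit helper is an added example, not part of the SAP note or of any SAP tool; the function names are hypothetical, "CET" is taken literally as UTC+1, and only simple comma-separated DNs are handled.

```python
from datetime import datetime, timedelta, timezone

# Assumption: "CET" is read literally as UTC+1; the note gives no UTC offset.
CET = timezone(timedelta(hours=1))
OLD_CA_CUTOFF = datetime(2015, 7, 18, 11, 0, tzinfo=CET)  # old CA rejected from here on

# Root CA subject DNs exactly as quoted in the note.
OLD_CA = "CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE"
NEW_CA = "CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE"


def parse_dn(dn):
    """Split a simple DN (no commas inside values) into {ATTR: value}."""
    rdns = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        rdns[key.strip().upper()] = value.strip()
    return rdns


def issuing_ca(issuer_dn):
    """Return 'old', 'new' or 'unknown'. Every attribute is compared exactly,
    because 'O=SAP' is a prefix of 'O=SAP Trust Community II'."""
    rdns = parse_dn(issuer_dn)
    if rdns == parse_dn(NEW_CA):
        return "new"
    if rdns == parse_dn(OLD_CA):
        return "old"
    return "unknown"


def audit(issuer_dn, key_bits, now):
    """Findings for one SAProuter certificate, evaluated at time `now`."""
    ca = issuing_ca(issuer_dn)
    if ca == "unknown":
        return ["issuer is not a SAProuter root CA named in the note"]
    if ca == "old":
        if now >= OLD_CA_CUTOFF:
            return ["old CA no longer accepted: SNC connections to SAP will fail"]
        return ["old CA: request a new certificate before 07/18/2015 11:00 AM CET"]
    findings = []
    if key_bits != 2048:
        findings.append("PSE key size must be 2048")
    if now < OLD_CA_CUTOFF:
        findings.append("old root CA must stay imported until 07/18/2015")
    return findings


if __name__ == "__main__":  # constructed sample values, not a real certificate
    print(audit(NEW_CA, 1024, datetime(2015, 5, 1, tzinfo=CET)))
```

    The issuer DN and key size would come from whatever tool is used to display the certificate in the PSE; attribute order and spacing around "=" do not affect the comparison.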

    Validity

    This document is not restricted to a software component or software component version

    Attachments

    File Name     | File Size (KB) | Mime Type
    smprootca.der | 990            | application/x-x509-ca-cert