To enable a direct HTTPS connection between the SAP system and the AEB data center, you need the 'Root' and 'Intermediates' certificates of the issuing CA.
- Please note: From September 21, 2025, additional certificates will be used for communication with rz3.aeb.de:
| Certificate | Previous certificate | Additional certificate from September 21, 2025 |
| EV Root |
DigiCert High Assurance EV Root CA |
DigiCert Global Root G2 |
| EV Intermediate |
DigiCert SHA2 Extended Validation Server CA |
DigiCert Global G2 TLS RSA SHA256 2020 CA1 |
For information on all currently used certificates, see the Help Center article Hostnames and used certificates of AEB data centers. For more information, see the installation and configuration guide for your application. This is available for you to download from the AEB service portal.
Table of content
Download of new certificates
Importing the new certificates into the SAP system
Changeover in the new production system
FAQ
Download of new certificates
Download the new certificates via these links:
https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem
https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
Alternatively, you can also download the certificates from https://www.digicert.com/kb/digicert-root-certificates.htm. Search there for the following names:
- DigiCert Global G2 TLS RSA SHA256 2020 CA1
- DigiCert Global Root G2
Importing the new certificates into the SAP system
- To import the certificates, start the Trust Manager or transaction STRUST. Switch to change mode.
- Double-click on SSL CLIENT (default). If the connection to the AEB data center has been set up via the SOA Manager, the certificates must also be loaded into the SSL CLIENT (anonymous).
- In the Certificate field group, click the Import certificate button.
- If displayed, select the “binary” for the File format option.
- Select the file with the root certificate for import.
- Next, click Add to certificate list.
- Repeat steps 5 and 6 for the Intermediate certificate.
- Go to the PSE menu and select Distribute all. The certificates are now distributed and installed on all application servers.
- To update the imported certificates in the ICM, start the transaction SMICM, go to the Administration menu, and select ICM – Exit Soft – Global.
Changeover in the production system
Import the new certificates into the SAP production system in good time before the changeover date (June or September 21, 2025).
At the time of the changeover, the trust store in the SAP system will automatically recognize that the new certificates are to be used.
- Keep the previously used certificates in the Trust Manager for a transition phase or longer if you have connections to other systems that use certificate chains. AEB recommends not deleting the old certificates until 6 months after the AEB changeover date.
- In some SAP systems, a certificate revocation check is activated. This is to ensure that a specific certificate has not been revoked by the issuing certification authority (CA). A so-called "Revocation Service" is configured for this purpose. This service must be able to access a valid "Certificate Revocation List" (CRL). If you use this service, you must ensure that the CRL distribution point is accessible and that the CRL is updated regularly. This applies in particular to the production system. When the new certificate is used for the first time, this service will perform a corresponding check.
FAQ
Here you will find a list of answers to frequently asked questions:
I use other middleware in addition to or instead of SAP. Am I still affected by the changeover?
AEB does not know all ERP and middleware systems and their special features. It is advisable to check whether the CA root certificates mentioned are contained in the corresponding trust stores for non-SAP systems as well. In our experience, intermediates should not be necessary here; this is only known from SAP.
I have extended the certificate chain in my SAP system, but problems still occur in the test system/after the conversion from AEB. What else can I do?
Please note that you may also need to extend the certificates in your firewall or proxy.
I have adjusted the certificate chain in the systems that are connected to AEB systems. Do I now have to delete the old certificates?
- Check whether you are still using the certificates for the connection with other systems and if so, keep them.
- If you do not use the certificates in any other system, we recommend keeping them for a transitional period of 6 months after the AEB changeover (21.09.20205).
How long will the newly registered certificates be valid?
A new conversion will probably be necessary in 2029.
Can the new certificates be imported in advance or not until September 21?
You must import the new certificates into all SAP systems in advance, including the production system. You can also use the above-mentioned test option in the production system in advance by temporarily configuring a destination in SM59 or in SOAMANAGER with the test URL. Use the same URL path as in the test system (see section "Optional: Testing the connection with the new certificates"). The certificates are accessed during the connection test from the destination.
Why does the message "Certificate already exists" appear when importing one of the certificates?
It is quite possible that these certificates have already been imported by another request in your system.
These certificates are used in various communication scenarios and are not specific to AEB. If the certificates already exist in your system, you do not need to import them again.
Comments
Please sign in to leave a comment.