Change to the required SSL certificates for SAP systems

To enable a direct HTTPS connection between SAP systems and the AEB data center, you need the ‘Root-SSL’ and ‘Intermediate’ certificates issued by AEB.

• Please note: From September 21, 2025, additional certificates will be used for communication with rz3.aeb.de:

For information on all currently used certificates, see the Help Center article Hostnames and used certificates of AEB data centers. For more information, see the installation and configuration guide for your application. This is available for you to download from the AEB service portal.

Table of content

Download of new certificates

Importing the new certificates into the SAP system

Optional: Testing the connection with the new certificates

Changeover in the new production system

FAQ

Download of new certificates

Download the new certificates via these links:

https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem

https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem

Alternatively, you can also download the certificates from https://www.digicert.com/kb/digicert-root-certificates.htm. Search there for the following names:

• DigiCert Global G2 TLS RSA SHA256 2020 CA1
• DigiCert Global Root G2

Importing the new certificates into the SAP system

1. To import the certificates, start the Trust Manager or transaction STRUST. Switch to change mode.
2. Double-click on SSL CLIENT (default). If the connection to the AEB data center has been set up via the SOA Manager, the certificates must also be loaded into the SSL CLIENT (anonymous).
3. In the Certificate field group, click the Import certificate button.
4. If displayed, select the “binary” for the File format option.
5. Select the file with the root certificate for import.
6. Next, click Add to certificate list.
7. Repeat steps 5 and 6 for the Intermediate certificate.
8. Go to the PSE menu and select Distribute all. The certificates are now distributed and installed on all application servers.
9. To update the imported certificates in the ICM, start the transaction SMICM, go to the Administration menu, and select ICM – Exit Soft – Global.

Optional: Testing the connection with the new certificates

Test the connection with the extended certificates before the changeover on September 21, 2025 in the test environment. AEB provides new URLs for the test systems for this purpose. To access rz3-test.aeb.de from your SAP, your firewall and/or proxy systems may need to be supplemented if only rz3.aeb.de has been included as a permitted target. We generally recommend activating all AEB subnets, see here.

• Requirements:

1. You know your login data for the application.
2. The previous URL for the AEB test system begins with rz3.aeb.de. Also these special URLs are only available for certain applications:
   • Carrier Cloud for SAP
   • Customs Management (Direct Filing, Broker)
   • Import Filing: ATLAS
   • Export Filing: ATLAS
   • EMCS
   • Monitoring & Alerting
   • Product Classification
   • Origin & Preferences
   • Trade Compliance Management

Proceed as follows if you want to use this option:

1. Load the new certificates into the Trust Manager of the SAP test system (see above).
2. Open the configured connection to the AEB data center there, either in the SOA Manager or in transaction SM59. You can find the name of the connection in the AEB Cockpit, on the Customizing sheet.
3. In the URL of the connection, change the value "rz3.aeb.de” to “rz3-test.aeb.de” and save the change.
4. User and password do not change. If necessary, enter these values again if they were reset when the connection was saved.
5. Test the connection using the connection test in the AEB Cockpit.
6. After the successful test, switch back to the original URL – this special test environment will be deactivated after the changeover in September.

Changeover in the production system

Import the new certificates into the SAP production system in good time before the changeover date (September 21, 2025).

At the time of the changeover, the trust store in the SAP system will automatically recognize that the new certificates are to be used.

• Keep the previously used certificates in the Trust Manager for a transition phase or longer if you have connections to other systems that use certificate chains. AEB recommends not deleting the old certificates until 6 months after the AEB changeover date.

FAQ

Here you will find a list of answers to frequently asked questions:

I use other middleware in addition to or instead of SAP. Am I still affected by the changeover?

AEB does not know all ERP and middleware systems and their special features. It is advisable to check whether the CA root certificates mentioned are contained in the corresponding trust stores for non-SAP systems as well. In our experience, intermediates should not be necessary here; this is only known from SAP.

I have extended the certificate chain in my SAP system, but problems still occur in the test system/after the conversion from AEB. What else can I do?

Please note that you may also need to extend the certificates in your firewall or proxy.

I have adjusted the certificate chain in the systems that are connected to AEB systems. Do I now have to delete the old certificates?

1. Check whether you are still using the certificates for the connection with other systems and if so, keep them. 
2. If you do not use the certificates in any other system, we recommend keeping them for a transitional period of 6 months after the AEB changeover (21.09.20205).