Skip to main content
Deutsch English

Extension of SSL certificates for SAP systems - new certificate chain from December 11, 2025

Greta Antoniadis
  • Updated

The change affects your system environment if the following criteria apply:

  • You work with the AEB Cloud TMS solution (“nXt”) with the URL https://*.nxt.aeb.com
  • Your SAP system communicates directly with the AEB Cloud TMS solution via HTTPS, i.e., without the use of middleware

If these criteria apply, you will need a new ‘root’ and a new ‘intermediate’ certificate from the issuing CA in your SAP system.

  • Please note: From December 11, 2025, additional certificates will be used for communication with *.nxt.aeb.com 
Certificate Previous certificate Additional certificate from December 11, 2025
Root USERTrust RSA Certification Authority Sectigo Public Server Authentication Root R46
Intermediate Sectigo RSA Domain Validation Secure Server CA Sectigo Public Server Authentication CA DV R36

For information on all currently used certificates, see the Help Center article Hostnames and used certificates of AEB data centers. For more information, see the installation and configuration guide for your application. This is available for you to download from the AEB service portal.

Table of content

Download of new certificates

Importing the new certificates into the SAP system

Changeover in the new production system

FAQ

Download of new certificates

Download the new certificates via these links:

Importing the new certificates into the SAP system

  1. To import the certificates, start the Trust Manager or transaction STRUST. Switch to change mode.
  2. Double-click on SSL CLIENT (default). If the connection to the AEB data center has been set up via the SOA Manager, the certificates must also be loaded into the SSL CLIENT (anonymous).
  3. In the Certificate field group, click the Import certificate button.
  4. If displayed, select the “binary” for the File format option.
  5. Select the file with the root certificate for import.
  6. Next, click Add to certificate list.
  7. Repeat steps 5 and 6 for the Intermediate certificate.
  8. Go to the PSE menu and select Distribute all. The certificates are now distributed and installed on all application servers.
  9. To update the imported certificates in the ICM, start the transaction SMICM, go to the Administration menu, and select ICM – Exit Soft – Global.

Changeover in the production system

Import the new certificates into the SAP production system in good time before the changeover date (December 11, 2025).

At the time of the changeover, the trust store in the SAP system will automatically recognize that the new certificates are to be used.

  • Keep the previously used certificates in the Trust Manager for a transition phase or longer if you have connections to other systems that use certificate chains. AEB recommends not deleting the old certificates until 6 months after the AEB changeover date.
  • In some SAP systems, a certificate revocation check is activated. This is to ensure that a specific certificate has not been revoked by the issuing certification authority (CA). A so-called "Revocation Service" is configured for this purpose. This service must be able to access a valid "Certificate Revocation List" (CRL). If you use this service, you must ensure that the CRL distribution point is accessible and that the CRL is updated regularly. This applies in particular to the production system. When the new certificate is used for the first time, this service will perform a corresponding check.

FAQ

Here you will find a list of answers to frequently asked questions:

I use other middleware in addition to or instead of SAP. Am I still affected by the changeover?

AEB does not know all ERP and middleware systems and their special features. It is advisable to check whether the CA root certificates mentioned are contained in the corresponding trust stores for non-SAP systems as well. In our experience, intermediates should not be necessary here; this is only known from SAP.

I have extended the certificate chain in my SAP system, but problems still occur in the test system/after the conversion from AEB. What else can I do?

Please note that you may also need to extend the certificates in your firewall or proxy.

I have adjusted the certificate chain in the systems that are connected to AEB systems. Do I now have to delete the old certificates?

  1. Check whether you are still using the certificates for the connection with other systems and if so, keep them. 
  2. If you do not use the certificates in any other system, we recommend keeping them for a transitional period of 6 months after the AEB changeover (December 11, 2025).

How long will the newly registered certificates be valid?

A new conversion will probably be necessary in 2029.

Can the new certificates be imported in advance or not until December 11, 2025?

You must import the new certificates into all SAP systems in advance, including the production system. 

Why does the message "Certificate already exists" appear when importing one of the certificates?

It is quite possible that these certificates have already been imported by another request in your system.

These certificates are used in various communication scenarios and are not specific to AEB. If the certificates already exist in your system, you do not need to import them again.

Related articles

Comments

Please sign in to leave a comment.