Merge pull request #1765 from sap-alex-oliveira/main

sap-alex-oliveira · web-flow · commit eef4ad1dba19 · 2026-03-31T16:25:27.000-03:00
create SSL Certificates Renewal release note
diff --git a/src/tools-support/release-notes/api/2026-03-03.md b/src/tools-support/release-notes/api/2026-03-03.md
@@ -6,6 +6,116 @@ layout: reference
 
 ## New This Month
 
+### Preview: SSL Certificates Renewal for `*.concursolutions.com` and `*api.concursolutions.com`
+
+Due to industry-wide changes implemented by our Certificate Authority, DigiCert, the maximum validity period for publicly trusted TLS certificates has been reduced to 199 days. As a result, SAP Concur certificates will be renewed more frequently than in previous years. SAP Concur plans to renew the certificates for `*.concursolutions.com` and `*api.concursolutions.com` in May 2026.
+
+Additional information about the 199-day certificate validity period is available in the documentation provided by [DigiCert](https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates).
+
+> Note: This change is part of broader security improvements across the industry and has no impact on the security, availability, or trust of SAP Concur services.
+
+**End-User Experience**
+
+The current certificates will expire as follows:
+
+- June 4, 2026 23:59 GMT for `*.api.concursolutions.com`
+
+- June 5, 2026 23:59 GMT for `*.concursolutions.com`
+
+SAP Concur will renew it ahead of this date to ensure continued service availability.
+
+New certificates are planned to be issued as follows:
+
+- 10PM PDT on May 13 2026 for `*.api.concursolutions.com`
+
+- 10PM PDT on May 20, 2026 for `*.concursolutions.com`
+
+**Certificate Updates**
+As a part of this renewal, the following updates will be introduced:
+
+`*.api.concursolutions.com`
+
+- As part of the recent DigiCert account migration from SAP Concur to SAP, the **organization information** associated with *.api.concursolutions.com certificates has been updated. For details, please refer to the **Certificates Download Links** section below.
+
+- This change affects only the certificate metadata and does not impact service functionality or security.
+
+`*.concursolutions.com`
+
+- The Client Authentication extended key usage has been removed from the certificate.
+
+- This extension was not used as the certificate functions as a TLS server certificate for server authentication only. Its removal does not impact service functionality.
+
+- For additional information on certificate extended key usage, please refer to the documentation from [DigiCert](https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates).
+
+**Certificate Pinning Guidance**
+
+Clients who have not pinned the expiring certificate do not need to take any action as their expiring certificate will be renewed automatically. **Most clients do not pin the certificate**.
+
+SAP ICS customers who follow the certificate handling processes described in the following note do not need to take any action:
+
+[2914977 - FAQ: Concur Certificates, Authentication, and Connectivity](https://launchpad.support.sap.com/#/notes/2914977).
+
+Clients who have pinned an expiring certificate must update to the new certificate before it is issued at
+
+- 10PM PDT on May 13 2026 `*.api.concursolutions.com`
+
+- 10PM PDT May 20, 2026 `*.concursolutions.com`
+
+
+> Note: Certificate pinning is not recommended, and you do so at your own risk.
+> To support security for SAP Concur solutions, security certificates are renewed regularly. Pinned certificates are not renewed automatically and, if a pinned certificate is not renewed before it expires, the pinned certificate can cause a disruption of service.
+
+> Recommendation: If your implementation requires certificate pinning, we strongly recommend pinning the Root CA certificate, rather than the leaf/end certificate.
+> Pinning the leaf/end certificate may result in service disruption due to the shorter renewal cycle. Pinning to the Root CA provides greater stability while maintaining security.
+
+**Certificate Download Links**
+
+To avoid disruption of service, clients who pin their security certificates must pin both the RSA and ECDSA certificates. Clients may obtain the new certificates from the following web pages.
+
+These are **root and intermediate certificates** for both `*.concursolutions.com` and `*.api.concursolutions.com`.
+
+**RSA Certificates Download Links**
+
+- Intermediate: [DigiCert Global G2 TLS RSA SHA256 2020 CA1](https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem?_gl=1*i7c9wi*_gcl_au*MTI2NjY3MzYyMC4xNzMyNTAwNTAw)
+
+- Root: [DigiCert Global Root G2](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem?_gl=1*102cn1j*_gcl_au*MTI2NjY3MzYyMC4xNzMyNTAwNTAw)
+
+**ECDSA Certificates Download Links**
+
+- Intermediate: [DigiCert Global G3 TLS ECC SHA384 2020 CA1](https://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crt.pem?_gl=1*htixu2*_gcl_au*MTY5MjI4Mjk2Ni4xNzQzOTg1ODYz)
+
+- Root: [DigiCert Global Root G3](https://cacerts.digicert.com/DigiCertGlobalRootG3.crt.pem?utm_medium=organic&utm_source=google&referrer=https://www.google.com/&_gl=1*1ouisuk*_gcl_au*MTUwNDgyOTI5OS4xNzQxMjQ2NDEy)
+
+**Certificate Chain** consists of end-entity, Intermediate and Root certificates respectively.
+
+When opening the following links, open the link in an Incognito or Private browser window to ensure there is no cached data causing outdated or incorrect content to appear.
+
+***.api.concursolutions.com**
+
+- https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_ECDSA.pem
+
+- https://assets.concur.com/concurtraining/cte/en-us/api-concursolutions-com-chain_RSA.pem
+
+> Note: For `*.api.concursolutions.com` organization change, the changes are as follows:
+> From:
+> `subject: C=US, ST=Washington, L=Bellevue, O=Concur Technologies, Inc.,`
+> To: 
+> `subject=C=DE, ST=Baden-Württemberg, L=Walldorf, O=SAP SE`
+> This is an internal administrative change and does not affect certificate validity or functionality. 
+> The certificate used for ***.api.concursolutions.com** currently retains a **one-year validity period**, as it was renewed prior to the certificate validity policy change implemented by DigiCert. Future renewals will follow the updated validity requirements.
+
+***.concursolutions.com**
+
+- https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_ECDSA.pem
+
+- https://assets.concur.com/concurtraining/cte/en-us/concursolutions-com-chain_RSA.pem
+
+You can access and test the certificates by following the instructions in [Concur Shared Release Notes](https://help.sap.com/docs/SAP_CONCUR/c5d6d15e7ecb4b4d8238b383d59ac2f4/8beb587dbf2841b099fd907106ddcef8.html?version=2026_03&locale=en-US). 
+
+**Configuration / Feature Activation**
+
+If you are not sure whether your SSL certificate is pinned, please consult with your IT department.
+
 ### Now Available: API Deprecation Headers
 
 For APIs in deprecation, responses will include an `x-api-warn` header that identifies the deprecated endpoint and its recommended replacement. A sunset header will specify the planned decommission date and include a link to additional deprecation details, in compliance with SAP API policies. This has been applied to both API and UI gateways. For example:
