You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: tools-support/release-notes/api/2026-03-03.html
+163Lines changed: 163 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -429,6 +429,169 @@ <h1 id="api-release-notes-march-2026">API Release Notes, March 2026</h1>
429
429
430
430
<h2id="new-this-month">New This Month</h2>
431
431
432
+
<h3id="preview-ssl-certificates-renewal-for-concursolutionscom-and-apiconcursolutionscom">Preview: SSL Certificates Renewal for <codeclass="language-plaintext highlighter-rouge">*.concursolutions.com</code> and <codeclass="language-plaintext highlighter-rouge">*api.concursolutions.com</code></h3>
433
+
434
+
<p>Due to industry-wide changes implemented by our Certificate Authority, DigiCert, the maximum validity period for publicly trusted TLS certificates has been reduced to 199 days. As a result, SAP Concur certificates will be renewed more frequently than in previous years. SAP Concur plans to renew the certificates for <codeclass="language-plaintext highlighter-rouge">*.concursolutions.com</code> and <codeclass="language-plaintext highlighter-rouge">*api.concursolutions.com</code> in May 2026.</p>
435
+
436
+
<p>Additional information about the 199-day certificate validity period is available in the documentation provided by <ahref="https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates">DigiCert</a>.</p>
437
+
438
+
<blockquote>
439
+
<p>Note: This change is part of broader security improvements across the industry and has no impact on the security, availability, or trust of SAP Concur services.</p>
440
+
</blockquote>
441
+
442
+
<p><strong>End-User Experience</strong></p>
443
+
444
+
<p>The current certificates will expire as follows:</p>
445
+
446
+
<ul>
447
+
<li>
448
+
<p>June 4, 2026 23:59 GMT for <codeclass="language-plaintext highlighter-rouge">*.api.concursolutions.com</code></p>
449
+
</li>
450
+
<li>
451
+
<p>June 5, 2026 23:59 GMT for <codeclass="language-plaintext highlighter-rouge">*.concursolutions.com</code></p>
452
+
</li>
453
+
</ul>
454
+
455
+
<p>SAP Concur will renew it ahead of this date to ensure continued service availability.</p>
456
+
457
+
<p>New certificates are planned to be issued as follows:</p>
458
+
459
+
<ul>
460
+
<li>
461
+
<p>10PM PDT on May 13 2026 for <codeclass="language-plaintext highlighter-rouge">*.api.concursolutions.com</code></p>
462
+
</li>
463
+
<li>
464
+
<p>10PM PDT on May 20, 2026 for <codeclass="language-plaintext highlighter-rouge">*.concursolutions.com</code></p>
465
+
</li>
466
+
</ul>
467
+
468
+
<p><strong>Certificate Updates</strong>
469
+
As a part of this renewal, the following updates will be introduced:</p>
<p>As part of the recent DigiCert account migration from SAP Concur to SAP, the <strong>organization information</strong> associated with *.api.concursolutions.com certificates has been updated. For details, please refer to the <strong>Certificates Download Links</strong> section below.</p>
476
+
</li>
477
+
<li>
478
+
<p>This change affects only the certificate metadata and does not impact service functionality or security.</p>
<p>The Client Authentication extended key usage has been removed from the certificate.</p>
487
+
</li>
488
+
<li>
489
+
<p>This extension was not used as the certificate functions as a TLS server certificate for server authentication only. Its removal does not impact service functionality.</p>
490
+
</li>
491
+
<li>
492
+
<p>For additional information on certificate extended key usage, please refer to the documentation from <ahref="https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates">DigiCert</a>.</p>
<p>Clients who have not pinned the expiring certificate do not need to take any action as their expiring certificate will be renewed automatically. <strong>Most clients do not pin the certificate</strong>.</p>
499
+
500
+
<p>SAP ICS customers who follow the certificate handling processes described in the following note do not need to take any action:</p>
501
+
502
+
<p><ahref="https://launchpad.support.sap.com/#/notes/2914977">2914977 - FAQ: Concur Certificates, Authentication, and Connectivity</a>.</p>
503
+
504
+
<p>Clients who have pinned an expiring certificate must update to the new certificate before it is issued at</p>
505
+
506
+
<ul>
507
+
<li>
508
+
<p>10PM PDT on May 13 2026 <codeclass="language-plaintext highlighter-rouge">*.api.concursolutions.com</code></p>
509
+
</li>
510
+
<li>
511
+
<p>10PM PDT May 20, 2026 <codeclass="language-plaintext highlighter-rouge">*.concursolutions.com</code></p>
512
+
</li>
513
+
</ul>
514
+
515
+
<blockquote>
516
+
<p>Note: Certificate pinning is not recommended, and you do so at your own risk.
517
+
To support security for SAP Concur solutions, security certificates are renewed regularly. Pinned certificates are not renewed automatically and, if a pinned certificate is not renewed before it expires, the pinned certificate can cause a disruption of service.</p>
518
+
</blockquote>
519
+
520
+
<blockquote>
521
+
<p>Recommendation: If your implementation requires certificate pinning, we strongly recommend pinning the Root CA certificate, rather than the leaf/end certificate.
522
+
Pinning the leaf/end certificate may result in service disruption due to the shorter renewal cycle. Pinning to the Root CA provides greater stability while maintaining security.</p>
<p>To avoid disruption of service, clients who pin their security certificates must pin both the RSA and ECDSA certificates. Clients may obtain the new certificates from the following web pages.</p>
528
+
529
+
<p>These are <strong>root and intermediate certificates</strong> for both <codeclass="language-plaintext highlighter-rouge">*.concursolutions.com</code> and <codeclass="language-plaintext highlighter-rouge">*.api.concursolutions.com</code>.</p>
<p>Intermediate: <ahref="https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem?_gl=1*i7c9wi*_gcl_au*MTI2NjY3MzYyMC4xNzMyNTAwNTAw">DigiCert Global G2 TLS RSA SHA256 2020 CA1</a></p>
536
+
</li>
537
+
<li>
538
+
<p>Root: <ahref="https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem?_gl=1*102cn1j*_gcl_au*MTI2NjY3MzYyMC4xNzMyNTAwNTAw">DigiCert Global Root G2</a></p>
<p>Intermediate: <ahref="https://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crt.pem?_gl=1*htixu2*_gcl_au*MTY5MjI4Mjk2Ni4xNzQzOTg1ODYz">DigiCert Global G3 TLS ECC SHA384 2020 CA1</a></p>
547
+
</li>
548
+
<li>
549
+
<p>Root: <ahref="https://cacerts.digicert.com/DigiCertGlobalRootG3.crt.pem?utm_medium=organic&utm_source=google&referrer=https://www.google.com/&_gl=1*1ouisuk*_gcl_au*MTUwNDgyOTI5OS4xNzQxMjQ2NDEy">DigiCert Global Root G3</a></p>
550
+
</li>
551
+
</ul>
552
+
553
+
<p><strong>Certificate Chain</strong> consists of end-entity, Intermediate and Root certificates respectively.</p>
554
+
555
+
<p>When opening the following links, open the link in an Incognito or Private browser window to ensure there is no cached data causing outdated or incorrect content to appear.</p>
This is an internal administrative change and does not affect certificate validity or functionality.
575
+
The certificate used for <strong>*.api.concursolutions.com</strong> currently retains a <strong>one-year validity period</strong>, as it was renewed prior to the certificate validity policy change implemented by DigiCert. Future renewals will follow the updated validity requirements.</p>
<p>You can access and test the certificates by following the instructions in <ahref="https://help.sap.com/docs/SAP_CONCUR/c5d6d15e7ecb4b4d8238b383d59ac2f4/8beb587dbf2841b099fd907106ddcef8.html?version=2026_03&locale=en-US">Concur Shared Release Notes</a>.</p>
<p>If you are not sure whether your SSL certificate is pinned, please consult with your IT department.</p>
594
+
432
595
<h3id="now-available-api-deprecation-headers">Now Available: API Deprecation Headers</h3>
433
596
434
597
<p>For APIs in deprecation, responses will include an <codeclass="language-plaintext highlighter-rouge">x-api-warn</code> header that identifies the deprecated endpoint and its recommended replacement. A sunset header will specify the planned decommission date and include a link to additional deprecation details, in compliance with SAP API policies. This has been applied to both API and UI gateways. For example:</p>
0 commit comments