Renewing the SSL Certificate for the CSB Site

The purpose of setting up SSL is to encrypt personal data being passed between the Career Site Builder site and the SAP SuccessFactors Recruiting applicant tracking system (ATS) when a candidate applies to a job. SSL certificate-issuing authorities have set the duration of an SSL certificate to 398 days. An expired SSL certificate means that visitors to the career site see a security warning and are blocked from accessing the site. For this reason, you never want to let the SSL certificate expire. To view the expiration date for an existing SSL certificate, open the public career site and click the padlock icon to the left of the URL. Follow the prompts.

Career Site Builder has a feature that allows organizations to manage the SSL certificates for their public career site. Implementation partners use this tool to obtain and install the original SSL certificate for the customer’s CSB career site. Customers or partners use the tool to renew SSL certificates.

SSL is only enabled for the production environment. Stage SSL is a low level of security settings applied to the entire environment. SAP may enable it, but most users see a certificate error during UAT as a result. This is not a defect. Wildcard certificates are not allowed. Customers need to set up a certificate specifically for the CSB subdomain.

As you have learned, access to Career Site Builder requires the Manage Career Site Builder permission from Admin Center. If Career Site Builder's role-based permissions are enabled, set the SSL Certificate permission from CSB→Users→Roles for any users who should have access. Customers may wish to create a role that can only access SSL Certificates, not other parts of Career Site Builder. The role would allow other individuals in the organization, such as the IT security team, to manage SSL Certificates.

There are two options that system admin users can choose to start the certificate renewal process:

The recommended process is Option 1: To obtain and install your SSL (typical).

Option 2 allows you to upload a new SSL certificate based on an existing CSR.

The basic steps to complete Option 1 are as follows:

1. Generate a Certificate Signing Request (CSR) file. See the Recruiting guide for tips on completing the fields.
2. The customer then procures the certificate from a certificate authority.
3. Once the SSL certificate is received, submit the certificate along with the intermediate certificate. (Note that an intermediate certificate is required.)
4. Finally, install the SSL certificate.

Customers can have multiple certificates installed and in use. When there is more than one certificate issued to the same domain, for example, test01.sap.corp, the last one installed is active.

Remember that Recruiting Marketing only supports two domains to access the site, defined from CSB→Settings→Site Configuration→Site Information: Site URL and Use Redirect.

See additional information about SSL certificates in the Recruiting guide and KBA 3109381: Overview About SSL Certificates tab in CSB https://launchpad.support.sap.com/#/notes/3109381

SAP SuccessFactors Recruiting proactively reminds organizations when their career site's SSL certificate needs to be renewed to avoid career sites from becoming unreachable due to an expired SSL certificate.

Popup Banner Reminders

Career Site Builder offers two reminder methods:

1. The ability to enable email reminders for admin users.
2. A popup dialog that appears when logging in to Career Site Builder.

When the certificate is going to expire in less than 90 days, the pop-up banner is shown to all users who have access to the Site Configuration menu in Career Site Builder. For this reason, add users who are responsible for the SSL certificate to Recruiter Single Sign On.

• If the user clicks Acknowledge, the banner will not display next time they log in.
• If the user clicks Ignore, they will be reminded again the next time they log in.