Security validation of SCAs by SUM
Updating a system with SUM is as easy as walking into Mordor. Upgrading a SPS needs you to have a stack XML and when you put SCAs that are signed into a folder, you still have to ensure that SUM can verify the validity of the files. To do so, SUM must be able to have access to the certification revocation list (CRL). This list informs SUM if the certificate used to sign the SCA file is valid or not. Short: if the file can be trusted and therefore be installed or not.
To be able to do so, the CRL file must be downloaded and placed in the same directory as the SCA files. If this is not done before running SUM, you’ll get this screen:
SUM can continue without verifying the files, but that’s some kind of security breach you will commit. Therefore it is better to do as the message text tells you: download the file and place it into the foler. Download the CRL from here: https://tcs.mysap.com/crl/crlbag.p7s. Copy the file to the directory that contains the SCA files
Select repeat and continue.
Now SUM can verify the files and will know when a certificate was revoked and tell you that it is not secure to install that file.