          Set Up a Mutual Authentication Certificate for API Login

          To improve security by preventing impersonation, you can require mutual authentication when a client app tries to access Salesforce data. With mutual authentication, the client app and the Salesforce server prove their identity to each other with signed certificates by using the Mutual Transport Layer Security (mTLS) protocol. As a prerequisite for mutual authentication, upload your client certificate to Salesforce.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Enterprise, Performance, Personal, Unlimited, Developer, and Database.com Editions
          User Permissions Needed
          To create, edit, and manage certificates: Customize Application

          During mutual authentication, Salesforce sends its server certificate and certificate chain to the client app. Salesforce manages the server certificate for you, unless you use a custom certificate. The client app verifies the certificate and chain. In turn, the client sends its client certificate and chain to Salesforce. Salesforce checks the certificate and chain against the certificate that you uploaded in your Certificate and Key Management settings.

          You can get a client certificate from a Public Certificate Authority (CA) vendor. If you use a user authentication certificate from a Public CA vendor, the certificate must chain to a valid Root CA for your instance. For a list of valid Public CA vendors, add /cacerts.jsp to your instance URL, such as https://MyCompany.my.salesforce.com/cacerts.jsp. To define the certificate's purpose, Public CA vendors use the Extended Key Usage (EKU) extension. For mutual authentication, the client certificate must include the Client Authentication EKU.

          Important: With Google Chrome Root Program Policy v1.7, your client and server certificates can't originate from the same Public Root CA in the Chrome Trusted Root List. With this change, you can no longer use certificates that include EKUs for both client and server authentication. To prevent disruptions, transition to separate certificate hierarchies. The Google Chrome policy changes take effect on June 15, 2026, but you can experience issues with certificate renewal for some Public CA vendors before that date.

          For more information, see Upcoming Mandatory Changes to Public Key Infrastructure (PKI).
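          Both EKU conditions described above (the Client Authentication EKU must be present, and after the Chrome Root Program change a certificate should no longer carry client and server authentication EKUs together) can be checked on a client certificate before you upload it. The script below is an added example, not Salesforce code. It reads the EKU extension straight out of the DER encoding with the Python standard library only; `make_sample_cert()` fabricates an unsigned certificate skeleton purely so the walker has something to run on. For a real certificate, pass the bytes of a DER file (for example the output of `openssl x509 -in client.pem -outform DER`) to `assess_client_cert()`. The check covers EKUs only; whether the chain leads to a Root CA listed at your instance's /cacerts.jsp page is a separate verification.

```python
"""EKU inspection for a DER-encoded X.509 client certificate, standard library only.

Applies the two Extended Key Usage checks the article describes for an mTLS
client certificate: Client Authentication must be present, and Server
Authentication should not share the same certificate. Added example, not
Salesforce code; make_sample_cert() builds a constructed, unsigned certificate
skeleton purely so the parser can be exercised offline.
"""

OID_EKU = "2.5.29.37"                  # id-ce-extKeyUsage
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth

TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING = 0x30, 0x06, 0x04
TAG_EXTENSIONS = 0xA3                  # [3] EXPLICIT extensions in TBSCertificate


def read_tlv(data: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def iter_children(value: bytes):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        yield tag, child


def decode_oid(value: bytes) -> str:
    """OID content bytes to dotted form; the first byte packs the first two arcs."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extended_key_usages(cert_der: bytes) -> list[str]:
    """Return the EKU OIDs of a DER certificate, or [] if it carries no EKU extension."""
    _, certificate, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(certificate, 0)            # tbsCertificate comes first
    for tag, value in iter_children(tbs):
        if tag != TAG_EXTENSIONS:
            continue
        _, ext_list, _ = read_tlv(value, 0)         # [3] wraps SEQUENCE OF Extension
        for _, ext in iter_children(ext_list):
            fields = list(iter_children(ext))       # extnID, optional critical, extnValue
            if decode_oid(fields[0][1]) != OID_EKU:
                continue
            _, eku_seq, _ = read_tlv(fields[-1][1], 0)
            return [decode_oid(v) for t, v in iter_children(eku_seq) if t == TAG_OID]
    return []


def assess_client_cert(cert_der: bytes) -> dict:
    """Report whether the certificate meets the article's EKU requirements."""
    ekus = extended_key_usages(cert_der)
    client, server = OID_CLIENT_AUTH in ekus, OID_SERVER_AUTH in ekus
    return {
        "ekus": ekus,
        "has_client_auth": client,
        "mixed_with_server_auth": client and server,
        "usable_for_mtls_login": client and not server,
    }


# --- DER encoding helpers, used only to build the constructed sample below ---

def encode_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return encode_tlv(TAG_OID, bytes(body))


def make_sample_cert(*eku_oids: str) -> bytes:
    """Constructed, unsigned certificate skeleton whose only extension is the given EKU list."""
    empty_seq = encode_tlv(TAG_SEQUENCE, b"")
    eku_value = encode_tlv(TAG_SEQUENCE, b"".join(encode_oid(o) for o in eku_oids))
    eku_ext = encode_tlv(TAG_SEQUENCE, encode_oid(OID_EKU) + encode_tlv(TAG_OCTET_STRING, eku_value))
    extensions = encode_tlv(TAG_EXTENSIONS, encode_tlv(TAG_SEQUENCE, eku_ext))
    tbs = (encode_tlv(0xA0, encode_tlv(0x02, b"\x02"))   # version: v3
           + encode_tlv(0x02, b"\x01")                   # serialNumber placeholder
           + empty_seq * 5                               # signature, issuer, validity, subject, SPKI placeholders
           + extensions)
    return encode_tlv(TAG_SEQUENCE, encode_tlv(TAG_SEQUENCE, tbs) + empty_seq + encode_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for label, cert in [("client-only", make_sample_cert(OID_CLIENT_AUTH)),
                        ("mixed", make_sample_cert(OID_CLIENT_AUTH, OID_SERVER_AUTH))]:
        print(label, assess_client_cert(cert))
```

          A certificate that reports `mixed_with_server_auth` still works today, but it is exactly the kind the Important note says will stop renewing cleanly, so treat it as a migration item rather than a pass.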

          1. On the Certificate and Key Management page, click Upload Mutual Authentication Certificate.
            Note: If you don't see this option on the Certificate and Key Management page, contact Salesforce to enable the feature.
          2. Give your client certificate a label and name, and click Choose File to find the certificate.
          3. To finish the upload process, save your changes.
          4. Using profiles or permission sets, assign the Enforce SSL/TLS Mutual Authentication user permission to an API-only user account. In the next step, this user configures the API client to present the signed client certificate to Salesforce on port 8443. This user must have the API Only User permission.
          5. Configure your API client to use mutual authentication.

          To delete a certificate, from the Certificate and Key Management page in Setup, click Del next to the certificate name. If you delete a mutual authentication certificate associated with a user who has the Enforce SSL/TLS Mutual Authentication user permission, it takes up to 5 minutes for the user’s session ID to be invalidated and for the certificate to be cleared from the cache.

          For steps to set up certificate-based UI login using mutual authentication, see Certificate-Based Authentication.

           