To prevent security from being compromised by simple impersonation, you can require clients and servers to prove their identity to each other with a mutual authentication certificate.
|Available in: both Salesforce Classic and Lightning Experience|
|Available in: Enterprise, Performance, Personal, Unlimited, Developer, and Database.com Editions|
|To create, edit, and manage certificates:|“Customize Application”|
On the Certificate and Key Management page, click Upload Mutual Authentication Certificate.
If you don’t see this option on the Certificate and Key Management page, contact Salesforce to enable the feature.
Give your certificate a label and name and click Choose File to locate the certificate.
Click Save to finish the upload process.
Enable the “Enforce SSL/TLS Mutual Authentication” user permission for an “API Only” user.
This “API Only” user configures the API client to connect on port 8443 to present the signed client certificate.
If you are using a certificate chain, the client certificate must include any intermediate certificates in the chain when contacting port 8443.
A certificate chain is a hierarchical order of certificates where one certificate issues and signs another certificate lower in the hierarchy. Upload a certificate chain as a single PEM-encoded CA-signed certificate representing the concatenated chain of certificates. The uploaded certificate chain must include the intermediate certificates in the following order.
- Start with the server or client certificate and then add its signing certificate.
- If more than one intermediate certificate exists between the server or client certificate and the root, add each certificate as the one that signed the previous certificate.
- The root certificate is optional, and generally should not be included.
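The ordering rules above, worked as an added example (not Salesforce's own code): the bundle is assembled with the client certificate first, followed by each signing intermediate, with the root left out, and a checker confirms that every certificate in a PEM bundle is signed by the one after it and flags a trailing self-signed root. It assumes the `cryptography` package; the root, intermediate and client certificates it issues are constructed throwaway test certificates.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def _issue(subject_cn, issuer_cert, issuer_key, is_ca):
    """Issue a throwaway test certificate; with no issuer it is a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert else subject
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def make_test_chain():
    """Constructed chain: root -> intermediate -> client certificate."""
    root, root_key = _issue("Test Root CA", None, None, True)
    inter, inter_key = _issue("Test Intermediate CA", root, root_key, True)
    leaf, _ = _issue("api-client.example", inter, inter_key, False)
    return root, inter, leaf

def build_upload_pem(leaf, intermediates, root=None):
    """Concatenate client cert, then each intermediate in signing order; root only if passed."""
    chain = [leaf, *intermediates] + ([root] if root is not None else [])
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in chain)

def _load_all(pem_bytes):
    marker = b"-----END CERTIFICATE-----"
    return [x509.load_pem_x509_certificate(chunk + marker)
            for chunk in pem_bytes.split(marker) if b"BEGIN CERTIFICATE" in chunk]

def check_chain_order(pem_bytes):
    """Return a list of ordering problems; an empty list means the bundle is in the required order."""
    certs = _load_all(pem_bytes)
    problems = []
    for i in range(len(certs) - 1):
        # each certificate must have been signed by the certificate that follows it
        if certs[i].issuer != certs[i + 1].subject:
            problems.append(f"cert {i} ({certs[i].subject.rfc4514_string()}) is not signed by "
                            f"cert {i + 1} ({certs[i + 1].subject.rfc4514_string()})")
    if certs and certs[-1].issuer == certs[-1].subject:
        problems.append("bundle ends with a self-signed root; the root is normally omitted")
    return problems
```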