Certificate-Based Authentication
In addition to authentication methods like single sign-on, Salesforce provides certificate-based authentication, which you can configure to authenticate your Salesforce users with unique PEM-encoded X.509 certificates.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience in All editions |
Certificate-based authentication complies with FedRAMP High Authenticator Assurance Level (AAL) 3 digital identity requirements and supports personal identification verification cards. Your org can also use certificate authority (CA)-signed certificates with certificate-based authentication. View the list of Outbound Messaging SSL CA Certificates.
Certificate-based authentication uses the Mutual Transport Layer Security (mTLS) protocol. With this protocol, Salesforce and the user mutually prove their identity to each other by using a process called the mTLS handshake. Here's a high-level overview of the authentication flow.
- The user goes to your My Domain login page and clicks Certificate-Based Login.
- Salesforce sends its server certificate and certificate chain to the user's browser.
- The browser verifies the server certificate and chain.
- If prompted, the user selects or provides a user authentication certificate, also known as a client certificate. This step can vary depending on the browser, the Salesforce service that the user is accessing, and whether the user has used the certificate before.
- The user's browser sends the user authentication certificate and the certificate chain to the Salesforce server. Salesforce verifies the certificate and chain by using the user authentication certificate configured in your org settings.
- After Salesforce and the browser have mutually authenticated each other, the user is logged in.
To add a user authentication certificate to your org, upload it under User Authentication Certificates in Setup. Alternatively, manage the UserAuthCertificate object through REST API, SOAP API, or standard API object creation. You can then work with the uploaded user certificates from an external API tool, such as Data Loader, which helps you manage certificates in bulk.
Before enabling certificate-based authentication, keep these requirements in mind.
- This feature is available only in orgs configured with the Let users authenticate with a certificate setting enabled on the Identity Verification page in Setup.
- Certificate-based authentication isn’t supported in Experience Cloud sites.
- If you use a user authentication certificate from a public CA vendor, the certificate must chain to a valid Root CA for your instance. For a list of valid Public CA vendors, add /cacerts.jsp to your instance URL, such as https://MyCompany.my.salesforce.com/cacerts.jsp.
- User authentication certificates must contain the Client Authentication EKU (Extended Key Usage) extension.
Important: With Google Chrome Root Program Policy v1.7, your user authentication (client) and server certificates can't originate from the same Public Root CA in the Chrome Trusted Root List. With this change, you can no longer use certificates that include EKUs for both user and server authentication. To prevent disruptions, transition to separate certificate hierarchies. The Google Chrome policy changes take effect on June 15, 2026, but you can experience issues with certificate renewal for some Public CA vendors before that date. For more information, see Upcoming Mandatory Changes to Public Key Infrastructure (PKI).
- Uploaded user authentication certificates must be PEM-encoded X.509 digital certificates.
- An uploaded PEM file can contain a single certificate or up to 10 certificates in a certificate chain.
- An uploaded PEM file can be up to 1 MB.
- The user authentication certificate can’t be expired.
- The user authentication certificate must be unique to a single Salesforce org.
- A user can have multiple authentication certificates, but a certificate must be unique to a user.
- The user must be able to connect to port 8443. Certificate-based authentication operates off Salesforce port 8443.
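A local pre-upload check that mirrors the file-level requirements above (PEM-encoded X.509, at most 1 MB, at most 10 certificates, leaf not expired, Client Authentication EKU present). This is an added example using only POSIX shell and openssl, not Salesforce tooling; it generates its own self-signed sample certificates, so the file names and subject are constructed assumptions, and it cannot check the per-org and per-user uniqueness rules, which Salesforce enforces server-side.

```shell
#!/bin/sh
# Added example: local checks on a user authentication certificate file before
# uploading it to Salesforce. Requires openssl 1.1.1 or later (-addext, -ext).

check_user_cert() {
  f=$1
  [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
    || { echo "FAIL: $f is not a PEM-encoded certificate"; return 1; }
  size=$(wc -c < "$f" | tr -d ' ')
  [ "$size" -le 1048576 ] \
    || { echo "FAIL: $f is $size bytes, limit is 1 MB"; return 1; }
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")
  [ "$n" -le 10 ] \
    || { echo "FAIL: $f holds $n certificates, limit is 10"; return 1; }
  # openssl x509 reads the first PEM block, i.e. the user (leaf) certificate.
  # -checkend 0 exits non-zero when notAfter is already in the past.
  openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "FAIL: leaf certificate in $f is expired"; return 1; }
  openssl x509 -in "$f" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL: leaf in $f lacks the Client Authentication EKU"; return 1; }
  echo "OK: $f passes the local checks"
  return 0
}

# Constructed sample inputs (assumed names); self-signed only for the demo.
TMP=$(mktemp -d)
gen_cert() {  # $1 = output path, $2 = EKU value
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$TMP/key.pem" \
    -out "$1" -subj "/CN=alice@example.com" -addext "extendedKeyUsage=$2" \
    >/dev/null 2>&1
}
GOOD_CERT=$TMP/client.pem;    gen_cert "$GOOD_CERT" clientAuth
BAD_EKU_CERT=$TMP/server.pem; gen_cert "$BAD_EKU_CERT" serverAuth
# An 11-certificate PEM file exceeds the chain limit.
TOO_MANY_CERT=$TMP/chain11.pem
i=0; while [ $i -lt 11 ]; do cat "$GOOD_CERT"; i=$((i+1)); done > "$TOO_MANY_CERT"

for f in "$GOOD_CERT" "$BAD_EKU_CERT" "$TOO_MANY_CERT"; do
  check_user_cert "$f" || true   # the last two are expected to fail
done
```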
Configuration Tasks
To set up certificate-based authentication for an API client, see Set Up a Mutual Authentication Certificate and Configure Your API Client to Use Mutual Authentication.
To configure certificate-based authentication for UI login, see the resources below.
- Enable Certificate-Based Authentication
  To use certificates to authenticate individual users to your org, you must enable certificate-based authentication.
- Validate the Revocation Status of User Authentication Certificates
  Each time users log in with a certificate, you can validate its revocation status using the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRL). With OCSP, Salesforce checks the revocation status of certificates in real time. If an OCSP status check fails, or a certificate isn’t configured for OCSP, Salesforce uses a CRL instead.
- Review Certificate Login Errors
  When you enable certificate revocation status checks, Salesforce prevents logins with certificates that are revoked or can’t be validated. To see why a certificate login failed, check your org’s Login History page. Review these login errors.
- Upload a User Authentication Certificate
  After enabling certificate-based authentication, you can upload PEM-encoded X.509 digital certificates to authenticate individual users to your org.
- Add Certificate-Based Authentication to Your My Domain Login Page
  After you enable certificate-based authentication in Identity Verification, add the Certificate-Based Login button to your My Domain login page. Users can click the button to authenticate using their unique user authentication certificate.
- View Details About User Authentication Certificates
  You can view all user authentication certificates uploaded for your org, and you can view certificates assigned to a single user. From these views, you can see when the certificates were uploaded and when they expire. You can also rename and delete certificates.
- Download a User Authentication Certificate
  You can download the PEM-encoded X.509 digital certificate previously uploaded to your org.
- Rename User Authentication Certificates
  You can rename a user authentication certificate. To edit more than a user certificate’s name, delete the certificate and upload a new PEM-encoded X.509 digital certificate.
- Delete User Authentication Certificates
  Delete a user authentication certificate if it’s compromised and has been revoked, if it has expired, or if it’s no longer being used.
- Log In to Your Org with Certificate-Based Authentication
  If your Salesforce org supports certificate-based authentication as a login method, you can log in with your unique user authentication certificate instead of a username and password.

