          Export and Import Certificates with a Keystore


          You can export all your certificates and private keys into a keystore for storage or import certificates and keys from a keystore. This keystore lets you move keys from one organization to another. The exported file is in the Java Keystore (JKS) format, and the imported file must also be in the JKS format.

          For more information about the JKS format, see Oracle's Java KeyStore documentation.

          Government Cloud customers can import files that use the Bouncy Castle FIPS KeyStore (BCFKS) format. For more information about the BCFKS format, see the Bouncy Castle FIPS Java API User Guide.

          If you generate your own CA certificate or use a CA certificate generated by another application, you may experience difficulties uploading the certificate to Salesforce. To be uploaded successfully, a certificate must be in a valid JKS format.

          The Salesforce Knowledge Article, Generate a Salesforce Compatible JKS From PFX or P12, details the steps to rebuild such certificates in a valid JKS format. Salesforce validates all certificates for compliance with the JKS format. This table lists common errors that cause uploads to fail.

          | Message | Cause | Action |
          | --- | --- | --- |
          | No certificate was imported because the keystore file doesn't contain a PrivateKey entry. | Either the private key is missing, or the certificate file is null. | Rebuild the key store with the required components. |
          | The key is not an RSA key. | The key must be in RSAPrivateKey format. | Rebuild the key store with a private key created with the RSA algorithm. |
          | The key must be in PKCS#8 format. | The key is in a format other than PKCS#8. | Recreate the key pair using PKCS#8. |
          | Imported keys must have a bit size of 2048, 3072, or 4096. | Your key is an unsupported bit size. | Recreate the key pair using a supported bit size. |
          | The private key does not match the certificate chain in the keystore. | Your private and public keys are not a matching pair. | Use the matching public and private key and try again. |
          | The keystore's certificate chain is invalid. | A certificate in the key chain is either invalid, expired, or improperly signed. Salesforce uses the PKIX validator to check that each intermediate and CA cert in the chain is properly signed by the previous one, all the way up to the root certificate (the trust anchor). | Check that your intended certificate's chain of trust is valid. Also, all intermediate and CA certificates in the chain must have the isCA attribute set to true. |
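
The conditions in the table can be checked locally before an upload. The following is an added example, not Salesforce code and not Salesforce's validator: it approximates each row with the standard Java KeyStore and PKIX APIs. The class name `JksPreflight`, its two command-line arguments, treating the last chain element as the trust anchor, and a key password equal to the store password are all assumptions.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.*;
import java.security.interfaces.*;
import java.util.*;

// Added example, not Salesforce code. Assumes the key password equals the store password.
public class JksPreflight {
    public static void main(String[] args) throws Exception {   // args: <keystore.jks> <password>
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, pw); }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;   // trusted-certificate entries hold no private key
            keyEntries++;
            System.out.println(alias + ": " + check(ks.getKey(alias, pw), ks.getCertificateChain(alias)));
        }
        if (keyEntries == 0) System.out.println("keystore contains no PrivateKey entry");
    }

    static List<String> check(Key key, Certificate[] chain) throws Exception {   // empty list = no findings
        if (!(key instanceof RSAPrivateKey)) return List.of("key is not an RSA key");
        RSAPrivateKey priv = (RSAPrivateKey) key;
        List<String> problems = new ArrayList<>();
        if (!"PKCS#8".equals(priv.getFormat())) problems.add("key is not PKCS#8 encoded");
        int bits = priv.getModulus().bitLength();
        if (bits != 2048 && bits != 3072 && bits != 4096) problems.add("unsupported key size " + bits);
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : chain) certs.add((X509Certificate) c);   // chain[0] is the leaf
        Object pub = certs.get(0).getPublicKey();
        if (!(pub instanceof RSAPublicKey) || !((RSAPublicKey) pub).getModulus().equals(priv.getModulus()))
            problems.add("private key does not match the leaf certificate");
        for (int i = 1; i < certs.size(); i++)   // getBasicConstraints() is -1 when isCA is not set
            if (certs.get(i).getBasicConstraints() < 0) problems.add("chain[" + i + "] is not marked as a CA");
        try {   // PKIX validation with the last chain element as trust anchor; revocation not checked
            for (X509Certificate c : certs) c.checkValidity();
            PKIXParameters params = new PKIXParameters(Set.of(new TrustAnchor(certs.get(certs.size() - 1), null)));
            params.setRevocationEnabled(false);
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs.subList(0, certs.size() - 1));
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertificateException | CertPathValidatorException e) {
            problems.add("certificate chain is invalid: " + e);
        }
        return problems;
    }
}
```

With Java 11 or later it runs directly as `java JksPreflight.java <keystore.jks> <password>`. An empty list for an alias means none of these local checks failed; it does not guarantee that the upload is accepted.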
           