Print this page

SSL certificates Salesforce supports

Knowledge Article Number 000007225
Description If your org requires an extra layer of security, we'll go over what SSL certificates Salesforce supports for Delegated Authentication SSO, Apex callouts, Outbound Messaging, and other callouts.

Salesforce acting as the client

When sending outbound messages, delegated authentication requests or Apex callouts to secure/SSL endpoints (e.g., a organization (acting as the client) will only trust the target host (that will act as the server) if this presents a certificate signed by a root Certification Authority (CA) included in the list shown in the below link. In other words, in this scenario self-signed certificates are not allowed to be used by the target host.

Notice -
Salesforce trusts only root certificate authority (CA) certificates, with few historical exceptions. Salesforce's certificate trust policy is to require server and client certificate chains to include all intermediate certificates that exist between the server or client certificate and the chain's root certificate. Salesforce will not honor requests to add intermediate certificates to its trust list. Salesforce trusts many generally trusted root certificates, but not all. Review the list at Outbound Messaging SSL CA Certificates for the root CA certificates that Salesforce trusts
When using mutual authentication/2-way SSL, can present a self-signed certificate to the target host (that must present a CA signed certificate to Salesforce), provided that this certificate has been configured in the target host (installed in the target server's keystore).

Salesforce acting as the server

When a Salesforce organization is Single Sign On enabled using SAML, the organization plays the role of the Service Provider (SP). In this case Salesforce acts as the server and the configured Identity Provider (IdP) acts as the client, and it's allowed to present a self-signed certificate.

Client authentication

When sending outbound messages, delegated authentication requests, and SAML assertions (both in the SP and IdP initiated flows), Salesforce will present the same CA signed cert, that can be downloaded at Setup | Develop | API | Client Certificate.

On the other hand, Apex callouts may specify which certificate (from the list found at Setup | Security Controls | Certificate and Key Management) will Salesforce present to the target host. You need to use a Common Name for the cert that you control - for instance something rooted in your own domain (e.g. There is no need to try and get a certificate in the domain.

Available SSL tools

1. Digicert, a third-party site, will graphically list all of the certificates returned during the SSL handshake
    - For more detail on the certificates returned in the handshake, use the followig OpenSSL command:
openssl s_client -showcerts -connect <host>:<port>
2. To decode SSL certificates, use SSLShopper.

promote demote