
Merge a complete certificate chain for custom https domains

Knowledge Article Number 000204513
Description
Most Certificate Authorities (CAs) now use intermediate certificates. This causes an issue when custom domains and certificates are used in Salesforce. More information on adding custom domains and certificates can be found in the following articles:
Some systems/browsers might not have trusted intermediate certificates. To resolve this, those certificates need to be installed and trusted.

Another solution, in that case, is to upload a certificate chain to Salesforce and associate it with the custom domain.

 
Resolution
Combine complete certificate for custom https domain
 
1. Get the CA-signed certificate for the domain
2. Import/download that certificate as base64
3. Do the same for all the intermediate certificates (if more than one) and the root certificate
4. Now create a new file called, say, certificate_chain.crt
5. Open that file in a text editor, stack all 3 certificates one after the other, and save

   1. The order of the certificates starts from the domain and goes up towards the root

     • Domain cert
     • Intermediate cert 1 above domain
     • Intermediate cert 2 above that and so on
     • Root cert

   2. You must include all certificates up to and including the root
 

Example of merging certificates

-----BEGIN CERTIFICATE-----
MIIGvTCCBaWgAwIBAgIQBsyeRo2C7ECRbEpmpu+mazANBgkqhkiG9w0BAQUFADBI
[TRUNCATE]
MDEyMDAwMFowgYcxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDESMBAG
v+PMGxmcJcqnBrJT3yOyzxIZow==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEjzCCA3egAwIBAgIQBp4dt3/PHfupevXlyaJANzANBgkqhkiG9w0BAQUFADBh
[TRUNCATE]
slXkLGtB8L5cRspKKaBIXiDSRf8F3jSvcEuBOeLKB1d8tjHcISnivpcOd5AUUUDh
v+PMGxmcJcqnBrJT3yOyzxIZow==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
[TRUNCATE]
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
Now upload this new certificate under Certificate and Key Management and associate it with the domain. If the certificate was already associated, no other step needs to be performed.
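
Steps 4 and 5 can be scripted so the order and completeness rules are checked before upload. The following is an added example, not Salesforce code: it accepts the base64 (PEM) files in any order and writes them domain-first, root-last, failing if an issuer is missing. It assumes certificates can be linked by comparing raw issuer and subject names and does not verify signatures; the script name merge_chain.py and the function names are hypothetical.

```python
import base64, re, sys
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # TBSCertificate SEQUENCE
    fields = []
    while len(fields) < 5:                  # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_chain(pem_texts):
    """Merge PEM texts (any order) into a domain-to-root chain; non-certificate blocks are dropped."""
    certs = [base64.b64decode("".join(b.split())) for t in pem_texts for b in PEM_RE.findall(t)]
    names = [issuer_subject(c) for c in certs]
    issuers = {i for i, s in names if i != s}
    leaves = [k for k, (_, s) in enumerate(names) if s not in issuers]
    if len(leaves) != 1:
        raise ValueError("need exactly one domain certificate; check for missing or extra certificates")
    order = [leaves[0]]
    while names[order[-1]][0] != names[order[-1]][1]:   # stop at the self-signed root
        issuer = names[order[-1]][0]
        parents = [j for j, (_, s) in enumerate(names) if s == issuer and j not in order]
        if not parents:
            raise ValueError("incomplete chain: an issuer certificate is missing")
        order.append(parents[0])
    if len(order) != len(certs):
        raise ValueError("input contains certificates that are not part of the chain")
    return "".join(to_pem(certs[k]) for k in order)

if __name__ == "__main__":   # python merge_chain.py domain.crt inter.crt root.crt > certificate_chain.crt
    sys.stdout.write(build_chain([open(p).read() for p in sys.argv[1:]]))
```

Because only CERTIFICATE blocks are copied, a private key that happens to sit in one of the input files does not end up in certificate_chain.crt.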
 



