
Salesforce updating sandbox HTTPS certificates

Knowledge Article Number 000213484

We're changing the intermediate shared by all the new SHA-256 certificates. The previous intermediate was valid but included the Symantec root. The updated intermediate is the same minus the Symantec root and renamed to avoid confusion. This intermediate (int-ca-06-symantec-class-3-ss-ca-g4) can be found in the attachment.

Salesforce leverages TLS/SSL certificates issued by Symantec as part of a comprehensive security strategy to ensure the privacy and security of customer data. These certificates were updated following security best practices.

Additionally, if you predetermine which certificate authority (CA) to trust, please note that we will be leveraging only Symantec-issued certificates moving forward.


Attached below are the certificates that were implemented. One of the attachments contains the new wildcard certificate information and the intermediate used by all of the new certificates. The other attachment contains all of the new sandbox-specific certificates, organized by sandbox.

Good to know: The intermediate certificates are also provided. In all cases, the intermediate certificates will be changing. For the certificates, the root Certificate Authority (CA) will also be changing, as the former CA for these certificates was Verizon/CyberTrust and is now Symantec/Verisign. If you need a copy of the Symantec/Verisign root, please download it from Symantec. It is Root 3, VeriSign Class 3 Primary CA - G5, common name: VeriSign Class 3 Public Primary Certification Authority - G5, fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5.
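If you pin the root in middleware, the downloaded file can be checked against the fingerprint quoted above before it goes into a trust store. The following is an added example, not Salesforce's own code; it assumes the quoted value is the SHA-1 digest of the certificate's DER encoding, and the sample bundle is constructed placeholder data rather than real certificates.

```python
import base64
import hashlib
import hmac
import re

# Root fingerprint as published in the article (assumed: SHA-1 over the DER bytes).
PUBLISHED_SHA1 = "4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_fingerprint(text):
    """Accept 'aa bb', 'AA:BB' or 'aabb' spellings and return lowercase hex."""
    hexstr = re.sub(r"[\s:]", "", text).lower()
    if re.fullmatch(r"[0-9a-f]{40}", hexstr) is None:
        raise ValueError("not a 20-byte SHA-1 fingerprint")
    return hexstr


def certs_to_der(data):
    """Return the DER bytes of each certificate in a PEM bundle or a lone DER file."""
    blocks = PEM_RE.findall(data.decode("latin-1"))
    if not blocks:
        return [data]  # no PEM armour found: treat input as one DER certificate
    return [base64.b64decode("".join(b.split()), validate=True) for b in blocks]


def sha1_fingerprint(der):
    return hashlib.sha1(der).hexdigest()


def find_pinned_root(data, expected=PUBLISHED_SHA1):
    """Index of the certificate matching the expected fingerprint, or -1."""
    want = normalize_fingerprint(expected)
    for i, der in enumerate(certs_to_der(data)):
        if hmac.compare_digest(sha1_fingerprint(der), want):
            return i
    return -1


def _pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample: two placeholder blobs in PEM armour, NOT real certificates.
SAMPLE_BUNDLE = (_pem(b"constructed-intermediate") + _pem(b"constructed-root")).encode()

if __name__ == "__main__":
    # -1 here means the bundle does not contain the published root: do not trust it.
    print(find_pinned_root(SAMPLE_BUNDLE))
```

A result of -1 means no certificate in the file matches the published fingerprint, so the file should not be added to the trust store.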

Wildcard and Intermediate Certificate Information

The and wildcard certificates are shared across all sandbox instances. The intermediate certificate included in this attachment is the same intermediate used by all sandbox specific certificates.

Note that these wildcard certificates will also be used for the production instances upgrade later this year, but until that upgrade the existing production instance SHA-1 wildcard certificates should continue to be used.

Moving to certificates with a SHA-256 hash algorithm

To maintain alignment with security best practices and the industry-wide shift to use more complex algorithms for HTTPS certificates, Salesforce replaced the current HTTPS certificates, which are signed with a SHA-1 hash algorithm, with new certificates signed with a SHA-256 hash algorithm. For more information on this switch, see the Knowledge Article “HTTPS Security Certificate Change from SHA-1 to SHA-256 hash algorithms.”

If you're a customer that locally caches certificates in your middleware, we recommend you join the “Official: Certificate Changes” Success Community Group in order to learn about important updates to these certificates. Additionally, you can use the space to ask questions for support.
