Salesforce Client Certificate Impacted by Upcoming Microsoft Windows Update
|Knowledge Article Number||000233414|
Last updated on April 28, 2016.
Symantec has announced that they will retire the "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" root certificate from public use. Salesforce's proxy.salesforce.com client certificate is signed by this root certificate, which is used by https remote endpoints, managed by customers or partners, to authenticate requests made from Salesforce for select features.
We previously communicated on April 15th and April 22nd that customers with remote https endpoints that use the Microsoft Trusted Root Certificate Program would be impacted by an April 26th Windows certificate update if such https endpoints request or require a client certificate for select Salesforce features.
Salesforce has since learned that Microsoft designed the Windows Update in a way that removes any impact on the proxy.salesforce.com certificate and the Salesforce features outlined below:
Please refer to Microsoft Trusted Root Certificate Program Updates for additional information from Microsoft. To our knowledge, the April 26th Windows certificate update does not have a Microsoft Knowledge Base article number.
No immediate action is required by customers and partners. However, we still strongly recommend that customers using the proxy.salesforce.com certificate transition to use self-managed certificates for increased security and improved certificate management. Taking this action may also mitigate any future third-party vendor impact to Salesforce features where https endpoints request or require a client certificate for such features.
The following actions are recommended as a way to improve the security of these features and improve certificate manageability.
For more details on how Microsoft applies Windows certificate updates, see Microsoft’s Configure Trusted Roots and Disallowed Certificates article.
To understand the proxy.salesforce.com relationship with Microsoft’s certificate path management, see the relationship mapping below:
How do I create a Salesforce self-managed certificate?
See the Creating Certificates and Key Pairs help topic for guidance.
Are features impacted by this change?
Based on the latest finding, none of the previously key features identified are impacted by this change.
For additional questions, open a case with Support via the Help & Training portal.