
Salesforce Client Certificate Impacted by Upcoming Microsoft Windows Update

Knowledge Article Number 000233414
Description

Last updated on April 28, 2016.
New changes are highlighted in red.


What is the change and update?

Symantec has announced that they will retire the "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" root certificate from public use. Salesforce's proxy.salesforce.com client certificate is signed by this root certificate. Remote HTTPS endpoints, managed by customers or partners, use the proxy.salesforce.com client certificate to authenticate requests made from Salesforce for select features.

We previously communicated on April 15th and April 22nd that customers with remote https endpoints that use the Microsoft Trusted Root Certificate Program would be impacted by an April 26th Windows certificate update if such https endpoints request or require a client certificate for select Salesforce features. 

Salesforce has since learned that Microsoft designed the Windows Update in a way that removes any impact on the proxy.salesforce.com certificate and the Salesforce features outlined below.

Please refer to Microsoft Trusted Root Certificate Program Updates for additional information from Microsoft. To our knowledge, the April 26th Windows certificate update does not have a Microsoft Knowledge Base article number.


What action do I need to take?

No immediate action is required by customers and partners. However, we still strongly recommend that customers using the proxy.salesforce.com certificate transition to use self-managed certificates for increased security and improved certificate management. Taking this action may also mitigate any future third-party vendor impact to Salesforce features where https endpoints request or require a client certificate for such features.

The following actions are recommended as a way to improve the security of these features and improve certificate manageability. 

Salesforce Feature:
Delegated authentication
Workflow automated messaging
AJAX proxy
PageReference.getContent()
PageReference.getContentAsPDF()

Action:

1. Create a Salesforce self-signed client certificate or your own Certificate Authority-signed client certificate in the Certificate and Key Management setup page.
NOTE: The Certificate Authority used can be an Active Directory Certificate Services signing certificate; it does not need to be a third-party trusted Certificate Authority.

2. In the API Client Certificate section of the Certificate and Key Management setup page, click the Edit button to change the org's API client certificate.

3. In the API Client Certificate edit screen, choose the API client certificate to use and press Save.

Salesforce Feature:
SAML with default client certificate

Action:

1. Create a Salesforce self-signed client certificate or your own Certificate Authority-signed client certificate in the Certificate and Key Management setup page.

2. You will need to first Enable Multiple Configs. If this is your current setting, proceed to step 3. 

In the Single Sign-On Settings, click the Enable Multiple Configs button, and follow its instructions. 

NOTE: Enabling Multiple Configs will remove your current single SAML configuration. We recommend that you perform this transition to multiple configs during non-business/off-peak periods. 

3. Add or edit your existing SAML configurations. In the Request Signing Certificate field, choose the name of the certificate that you want to use for signing SAML assertions. Ensure that you do not use the Default Certificate option. The Default Certificate option is the proxy.salesforce.com certificate.


What was different about how Microsoft designed the latest certificate update?

For more details on how Microsoft applies Windows certificate updates, see Microsoft’s Configure Trusted Roots and Disallowed Certificates article. 

To understand the proxy.salesforce.com relationship with Microsoft’s certificate path management, see the relationship mapping below: 

Earlier certificate path impacted by the upcoming Windows Update:

Root certificate: "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority"
Intermediate certificate: VeriSign Class 3 Public Primary Certification Authority - G5; and VeriSign Class 3 International Server CA - G3
Salesforce client certificate: proxy.salesforce.com

Newer certificate path not impacted by the upcoming Windows Update:

Root certificate: VeriSign Class 3 Public Primary Certification Authority - G5 (was previously an intermediate certificate)
Intermediate certificate: VeriSign Class 3 International Server CA - G3
Salesforce client certificate: proxy.salesforce.com
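
An added example, not part of the Salesforce article: a throwaway lab PKI built with the openssl CLI that reproduces the mapping above, where the G5 CA exists both as an intermediate under the old root and as a self-signed root, and checks which trust anchors let an endpoint accept the client certificate. All names (oldroot, g5root, g5cross, g3, client, other) and certificates are constructed for the lab and are assumptions, not the real VeriSign or Salesforce certificates.

```bash
#!/usr/bin/env bash
# Constructed lab PKI, not the real VeriSign certificates. "g5" is issued twice
# from one key: self-signed (g5root) and cross-signed by the old root (g5cross).
set -eu
LAB="$(mktemp -d)"; trap 'rm -rf "$LAB"' EXIT

mkkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$LAB/$1.key"; }
mkcsr() { openssl req -new -key "$LAB/$1.key" -subj "/O=Constructed Lab/CN=$1" -out "$LAB/$1.csr"; }

# selfsign ENTITY OUT: self-signed CA certificate for ENTITY's key
selfsign() {
  openssl x509 -req -in "$LAB/$1.csr" -signkey "$LAB/$1.key" -days 30 \
    -extfile "$LAB/ca.ext" -out "$LAB/$2.pem" 2>/dev/null
}

# casign ENTITY ISSUER_CERT ISSUER_KEY OUT EXTFILE: certificate issued by a lab CA
casign() {
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.pem" -CAkey "$LAB/$3.key" \
    -CAcreateserial -days 30 -extfile "$LAB/$5" -out "$LAB/$4.pem" 2>/dev/null
}

build_lab() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$LAB/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$LAB/leaf.ext"
  for e in oldroot g5 g3 client other; do mkkey "$e"; mkcsr "$e"; done
  selfsign oldroot oldroot                   # earlier path: root
  selfsign other other                       # unrelated root (negative control)
  selfsign g5 g5root                         # newer path: G5 as root
  casign g5 oldroot oldroot g5cross ca.ext   # earlier path: G5 as intermediate
  casign g3 g5root g5 g3 ca.ext              # intermediate under G5
  casign client g3 g3 client leaf.ext        # client certificate
}

# verify_with ANCHOR: the peer sends client + g3 + g5cross; the endpoint trusts
# only ANCHOR. Returns openssl's exit status (0 = chain verifies).
verify_with() {
  cat "$LAB/g3.pem" "$LAB/g5cross.pem" > "$LAB/sent.pem"
  openssl verify -purpose sslclient -CAfile "$LAB/$1.pem" \
    -untrusted "$LAB/sent.pem" "$LAB/client.pem" >/dev/null 2>&1
}

build_lab
for anchor in oldroot g5root other; do
  if verify_with "$anchor"; then echo "$anchor: accepted"; else echo "$anchor: rejected"; fi
done
```

The client certificate verifies whether the endpoint trusts the old root or only the self-signed G5, and is rejected when the trust store holds neither.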

 

How do I create a Salesforce self-managed certificate?

See the Creating Certificates and Key Pairs help topic for guidance.

 

Are features impacted by this change?

Based on the latest finding, none of the key features previously identified are impacted by this change.



Where can I or the customer go for more information? 

For additional questions, open a case with Support via the Help & Training portal.
Participate in the Certificate Change Success Community Group to follow the latest updates and discussion on this update. 




