
Default Certificate to Retire on August 7, 2017

Knowledge Article Number 000240906
Description

1. What is the change and when will it happen?

Due to the upcoming expiration of the default client certificate (proxy.salesforce.com) and for security best practices, we will retire the use of this client certificate on August 7, 2017 at 09:30 a.m. PDT (16:30 UTC). Customers using the following features may be impacted:

* Customers using SP-initiated SAML will only be impacted if they are configured to sign SAML Requests with the default certificate, and their Identity Provider (IdP) is configured to validate the signature on those SAML requests.

** Only customers that are calling out to HTTPS endpoints that request or require a client certificate are affected.

New Orgs Created with Winter ‘17* and Later

New orgs created with the Winter ‘17 release and later will no longer have the option to use the default certificate in any of these features. Instead, a self-managed client certificate must be created for use with these features. The self-managed certificate can be a self-signed certificate or a certificate authority (CA)-signed certificate.

* Currently targeted for October 2016; date subject to change.

2. What will happen after August 7, 2017 at 09:30 a.m. PDT (16:30 UTC)?

If you do not take the actions described in question 4 by August 7, 2017, those features may stop working entirely in your Salesforce environment.

NOTE: Your users will no longer be able to log in to your Salesforce org if you have enabled the following:

  • SP-initiated SAML configured to sign SAML Requests with the default certificate, and where your IdP is configured to validate the signature on SAML requests.
  • Delegated authentication that is configured to call out to HTTPS endpoints that request or require a client certificate.

3. How can I determine if my IdP is configured to validate the SP-initiated SAML signature?

This will vary depending on your IdP vendor. Customers should verify with their IdP vendor whether their IdP is configured to validate the SP-initiated SAML signature.
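As an added illustration that is not part of the article: this is what an IdP receives for an SP-initiated request over the SAML HTTP-Redirect binding, and how to tell from the query string whether the SP signed the request at all; whether the IdP then validates that signature is an IdP-side setting that only the vendor's documentation or admin console can confirm. The AuthnRequest, URLs and signature bytes are constructed placeholders.

```python
# Added example (not from the Salesforce article): inspect a SAML AuthnRequest sent
# over the HTTP-Redirect binding and report whether the SP signed it.
# All values below (request XML, URLs, signature bytes) are constructed placeholders.
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest, shaped like the one an SP (here, a Salesforce org) sends.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" '
    'Version="2.0" IssueInstant="2017-07-01T12:00:00Z" '
    'Destination="https://idp.example.com/sso" '
    'AssertionConsumerServiceURL="https://example.my.salesforce.com/?saml=placeholder">'
    "<saml:Issuer>https://saml.salesforce.com</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def build_redirect_url(idp_sso_url, authn_request, sig_alg=None):
    """Encode an AuthnRequest for the Redirect binding: raw DEFLATE, base64, URL-encode.
    With sig_alg set, add SigAlg and a placeholder Signature parameter (a real SP signs
    'SAMLRequest=...&SigAlg=...' with the key of its request-signing certificate)."""
    comp = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if sig_alg:
        params["SigAlg"] = sig_alg
        params["Signature"] = base64.b64encode(b"placeholder-signature-bytes").decode()
    return idp_sso_url + "?" + urlencode(params)


def inspect_redirect_request(url):
    """Return what the IdP sees: issuer, destination, and whether the request is signed.
    'signed' only means a signature is present; validating it is the IdP's decision."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(deflated, wbits=-15))
    issuer = root.find("saml:Issuer", SAML_NS)
    return {
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "signed": "Signature" in qs and "SigAlg" in qs,
        "sig_alg": qs.get("SigAlg", [None])[0],
    }
```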

 

4. What action do customers need to take?

Customers with Orgs Created with Summer ‘16 or Earlier

Impacted customers with orgs created with the Summer ‘16 release or earlier will need to switch to a self-managed client certificate prior to August 7, 2017, at 09:30 a.m. PDT (16:30 UTC).

See below for what actions are required, depending on where and how you are using the default certificate.

Feature: API Client Certificate features, where the feature is calling out to HTTPS endpoints that request or require a client certificate:

  • Delegated authentication
  • Workflow outbound messaging
  • AJAX proxy
  • PageReference.getContent()
  • PageReference.getContentAsPDF()

Action:

1. If you don’t have an existing self-managed certificate, create one.

2. Update the API Client Certificate with your new certificate.

See question 5 below for details on how to do this.

NOTE: The API Client Certificate setting influences delegated authentication, workflow outbound messaging, AJAX proxy, PageReference.getContent(), and PageReference.getContentAsPDF(). Changing the value of this setting affects the client certificate on all these features.

Feature: SP-initiated SAML with the default certificate for SSO, where the IdP is configured to validate the signature on SAML requests

Action:

Customers using SAML with the default certificate in single-config mode (this is the case if the "Enable Multiple Configs" button is present on the Single Sign-On Settings page):

1. If you don’t have an existing self-managed certificate, create one.

2. Switch to multi-config mode, which requires you to update your Identity Provider (IdP) configuration with the new recipient URL (Salesforce Login URL). The Salesforce Login URL is located at the bottom of the SAML Single Sign-On Settings page under the Endpoints section.

3. Update the SAML config to select the new self-managed certificate.

4. Upload the new certificate into your IdP.

See question 6 below for details on how to do this.

Customers using SAML with the default certificate in multi-config mode (this is the case if the "Enable Multiple Configs" button isn’t present on the Single Sign-On Settings page):

1. If you don’t have an existing self-managed certificate, create one.

2. Update the SAML config to select the new self-managed certificate.

3. Upload the new certificate into your IdP.

See question 6 below for details on how to do this.

See questions 5 and 6 below for more details on how to make this change for the features mentioned above.

Customers with Orgs Created with Winter ‘17 and Later

Customers with orgs created with the Winter ‘17 release and later will need to create a self-managed client certificate for use with the impacted features. The default certificate won’t be available for use with the above-mentioned features.

See the table below for the certificate options available for new orgs created with the Winter ‘17 release and later:

Feature: API Client Certificate features:

  • Delegated authentication
  • Workflow outbound messaging
  • AJAX proxy
  • PageReference.getContent()
  • PageReference.getContentAsPDF()

Certificate options available:

Customer has no existing self-managed certs: The only picklist value available from API Client Certificate (via Setup) is “No Certificate.” Customers will need to create a new self-managed certificate.

Customer has existing non-expired certs: The picklist values from API Client Certificate (via Setup) will display them as options to select.

Feature: Single Sign-On using Service Provider (SP)-Initiated SAML

Certificate options available:

Customer has no existing self-managed certs when creating a new SAML multi-config mode setting: The only available picklist value from Single Sign-On Settings (via Setup) is the “Generate self-signed certificate” option.

NOTE: Selecting this option creates a self-signed certificate automatically without directing you to the Certificate and Key Management page. The generated certificate has a default name that contains the certificate creation date and time, for example: “SelfSignedCert_27Jul2016_214629”

The default expiration for this 2048-bit certificate is one year.

Customer has existing non-expired certs available: The picklist values from Single Sign-On Settings (via Setup) will display them as options to select.


5. How do I create a self-managed client certificate for the API Client Certificate?

1. Create a Salesforce self-signed client certificate or your own CA-signed client certificate in the Certificate and Key Management setup page. 

NOTE: The CA can be an Active Directory Certificate Services signing certificate; it doesn't need to be a third-party trusted CA.

2. In the API Client Certificate section of the Certificate and Key Management setup page, click the Edit button to change the org's API client certificate.

3. In the API Client Certificate edit screen, choose the API client certificate to use and press Save.

NOTE: The API Client Certificate setting influences delegated authentication, workflow outbound messaging, AJAX proxy, the PageReference.getContent() Apex call, and the PageReference.getContentAsPDF() Apex call. Changing the value of this setting affects the client certificate on all these features.

6. How do I create a self-managed client certificate for use with SAML for SSO?

1. Create a Salesforce self-signed client certificate or your own CA-signed client certificate in the Certificate and Key Management setup page.

2. You’ll first need to Enable Multiple Configs. If multiple configs are already enabled in your org, proceed to step 3.

In the Single Sign-On Settings (via Setup):

  1. Click the “Enable Multiple SAML Configs” button.
  2. Read and acknowledge the prompt messaging, which provides detailed guidance on what to look out for when making the transition from single config to multi config.
  3. Check the checkbox and click the “Enable” button.
  4. This change will migrate your existing SAML config over to the multi SAML config. View the config (located within the SAML Single Sign-On Using SAML related lists section within the Single Sign-On Settings via Setup), copy the new recipient URL (Salesforce Login URL) and update your Identity Provider (IdP) configuration. NOTE: Updating the Salesforce Login URL value in your IdP is required as your recipient URL (Salesforce login URL) will change after you enable Multi SAML Config.

NOTE: We strongly recommend that you perform this transition to multiple configs during non-business/off-peak periods to avoid user disruption.

3. Add or edit your existing SAML configurations. In the Request Signing Certificate field, choose the name of the certificate that you want to use for signing SAML requests. Ensure that you do not continue to use the Default Certificate option, which is the proxy.salesforce.com certificate.

NOTE: The Default Certificate option will not be available with orgs created with Winter ‘17 and later.

7. Where can I get more information?

Join the discussion in the Official: Salesforce Infrastructure Success Community group.

For additional questions, open a case with Support via the Help & Training portal.