
Salesforce Platform: Enable Mutual Authentication for Enhanced Security

Publication date: Apr 2, 2026
Description

You can request Mutual Authentication for your org by providing some basic information to Salesforce Support.

Note: Mutual Authentication is a way to prevent security from being compromised by simple impersonation.

What is Mutual Authentication

Mutual Authentication, or two-way authentication, is a security process in which both parties in a communication (e.g., client and server, or two IoT devices) verify each other's identities before establishing a connection.

What is mTLS Certificate Exchange?

In mTLS, both the client and the server exchange and validate certificates during the TLS handshake.
This ensures two-way trust before any data is sent.

List of CA signing authorities trusted by Salesforce:

https://login.salesforce.com/cacerts.jsp#actalisauthenticationrootca

Configure Salesforce as the Server (Inbound Calls)

  1. Enable Mutual Authentication: After Salesforce Support enables the feature, navigate to Setup > Security Controls > Certificate and Key Management. The "Mutual Authentication Certificate" section will now be visible.
  2. Upload the Client's Certificate:
    • Obtain the public part of the CA-signed client certificate (or certificate chain) from the third-party system that will be calling into Salesforce. The file should be in PEM format.
    • In the "Mutual Authentication Certificate" section, click Upload Mutual Authentication Certificate.
    • Provide a label, choose the file, and save. Salesforce will now be able to validate requests presenting this certificate.
  3. Assign User Permission:
    • Create or use an existing profile/permission set for the integration user.
    • Enable the Enforce SSL/TLS Mutual Authentication and API Only User system permissions for this profile/permission set. This ensures that only API calls presenting a valid client certificate are accepted for this specific user.
  4. Endpoint URL: The client system must connect to your Salesforce My Domain URL on port 8443 (e.g., https://mydomain.my.salesforce.com:8443) for mTLS to be enforced; connections on the standard port 443 do not require a client certificate.

Configure Salesforce as the Client (Outbound Calls)

  1. Generate a Certificate and Key in Salesforce:
    • In Setup > Security Controls > Certificate and Key Management, select Create CA-Signed Certificate.
    • Enter a label and unique name, select the key size, and click Save. This generates a certificate and a corresponding private key in Salesforce.
  2. Download the Certificate Signing Request (CSR):
    • From the certificate list, click the name of the newly created certificate and then click Download Certificate Signing Request (a .csr file).
  3. Get it Signed by a CA: Send the .csr file to a trusted Certificate Authority (e.g., GoDaddy) for signing.
  4. Upload the Signed Certificate:
    • Once you receive the CA-signed certificate file, return to the certificate details page in Salesforce.
    • Click Upload Signed Certificate, select the file, and save. The certificate and its private key are now securely stored in Salesforce.
  5. Share with Third Party: Provide the public part of this certificate to the external system so they can add it to their truststore to validate calls coming from Salesforce.
  6. Use in Code: When making an outbound API call (e.g., in Apex or a connected app configuration), reference this uploaded certificate to use it as the client certificate for the mTLS handshake.
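Step 6 in Apex, as an added example that is not part of the original article: the callout presents the CA-signed certificate stored in Certificate and Key Management as its client certificate. The certificate unique name `Partner_mTLS_Cert` and the endpoint `https://partner.example.com` are assumed; the endpoint must also be allowed via a Remote Site Setting or reached through a Named Credential.

```apex
// Added example (not from the Salesforce article): outbound mTLS callout from Apex.
// 'Partner_mTLS_Cert' is the assumed unique name of the certificate created in
// Setup > Certificate and Key Management; the endpoint is assumed as well.
public with sharing class PartnerMtlsCallout {

    // Unique name entered when the CA-signed certificate was created (assumed).
    private static final String CLIENT_CERT_NAME = 'Partner_mTLS_Cert';
    // External endpoint that enforces mTLS (assumed; needs a Remote Site Setting).
    private static final String ENDPOINT = 'https://partner.example.com/api/orders';

    // Sends the payload and returns the HTTP status code from the partner.
    public static Integer postOrder(String payloadJson) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(ENDPOINT);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(payloadJson);
        req.setTimeout(30000);

        // Present the stored certificate and its private key during the TLS
        // handshake. Without this call the callout only authenticates the server,
        // and a partner that requires a client certificate will reject it.
        req.setClientCertificateName(CLIENT_CERT_NAME);

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() >= 400) {
            // A rejection at this point usually means the partner's truststore does
            // not yet contain the public part of the certificate shared in step 5.
            System.debug(LoggingLevel.ERROR,
                'Partner rejected mTLS call with status ' + res.getStatusCode());
        }
        return res.getStatusCode();
    }
}
```

The certificate must have its signed certificate uploaded (step 4) before it can be referenced here; a certificate that still has only a pending CSR cannot be used for the handshake.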

Mutual Authentication (two-way SSL/TLS verification)

  • Enable Two-Way Mutual Authentication in Salesforce and create a profile with the Enforce SSL/TLS Mutual Authentication permission set to true. Assign a user account to this profile.
  • Obtain Certificates. Please note that Salesforce does not allow using self-signed certs for Mutual Authentication, so a CA-signed cert is needed.

https://help.salesforce.com/s/articleView?id=001115543&type=1

Solution


To request Mutual Authentication activation for your Salesforce org:

  1. Create a case with Salesforce Customer Support.
  2. Provide the organization ID of your production and sandbox environments.
  3. Include the business reason in your case comments.
  4. Once it is enabled, follow these instructions to Set Up a Mutual Authentication Certificate.


Note: It is a best practice to test Mutual Authentication in your sandbox before activating it in production.


Mutual Authentication

Mutual Authentication is a two-way authentication process in which both client and server verify each other's identity using certificates.

Knowledge Article Number

000382193

Salesforce Help | Article