
Certificates in Mutual Authentication for Salesforce

Publication date: Apr 24, 2026
Description

Salesforce supports mutually authenticated Transport Layer Security (TLS) — also known as Mutual TLS or mTLS — on inbound connections. Mutual Authentication validates both the server certificate and the client certificate, providing an additional layer of security beyond standard one-way TLS. This feature is intended for Salesforce API use and is not supported for user interface (web browser) connections. When Mutual Authentication is configured, Salesforce validates the client certificate through two distinct layers: Certificate Chain Validation and Certificate Identity Verification.

Additional information exists in Configure Your API Client to Use Mutual Authentication.

Solution

Client Certificate Operation

Client certificates are trusted using two layers that separately perform certificate chain validation and identity verification.

Certificate Chain Validation

When your API client connects to your organization's API endpoint on port 8443, that endpoint sends a client certificate request during the TLS handshake.
The org's API endpoint may be:

  • My Domain URL

That request has an empty list of client certificate authority names. The API client needs to send a client certificate chain (the client certificate along with all intermediate certificates in the trust path between the client certificate and its root certificate) to Salesforce during the TLS handshake.

Salesforce uses standard certificate chain validation to ensure that the client certificate chain is signed properly and is trusted by a root certificate in Salesforce. This includes a temporal check of all certificates' validity timestamps along with revocation checks using certificate revocation lists. The signature of each certificate in the chain is validated using the public key in its issuer's certificate.
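The chain-validation step described above, as an added Go example (not Salesforce's code, which is not published; the demo PKI, names and lifetimes are constructed): it mints a root, an intermediate and a client certificate, then validates the client certificate the way a TLS server would, checking issuer signatures, the validity window and client-auth usage, and shows that a client that omits its intermediate leaves the chain unverifiable. CRL revocation checking, which the article also lists, is not part of Go's verifier and is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mint creates a key pair and certificate for cn, signed by parent (self-signed when parent is nil).
func mint(cn string, serial int64, ca bool, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if !ca { // leaf: signs the handshake and carries the clientAuth EKU an mTLS client certificate needs
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // inputs are constructed; a failure here is a bug in the demo itself
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildDemoPKI mints root -> intermediate -> client: the trust path the API client must present.
func BuildDemoPKI() (root, inter, client *x509.Certificate) {
	root, rootKey := mint("Demo Root CA", 1, true, 24*time.Hour, nil, nil)
	inter, interKey := mint("Demo Intermediate CA", 2, true, 24*time.Hour, root, rootKey)
	client, _ = mint("api-client", 3, false, time.Hour, inter, interKey)
	return root, inter, client
}

// VerifyClientChain is the path-validation step (issuer signatures, validity window at "at", clientAuth usage); CRL checks omitted.
func VerifyClientChain(client, inter, root *x509.Certificate, at time.Time) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	if inter != nil { // a client that omits its intermediate leaves the chain unverifiable
		opts.Intermediates.AddCert(inter)
	}
	_, err := client.Verify(opts)
	return err
}
```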

Certificate Identity Verification

The client certificate's identity information is passed along in the request to the Salesforce application servers. Within Salesforce's application servers, a verification of the client certificate's identity occurs if the user has the "Enforce SSL/TLS Mutual Authentication" user permission enabled.

When a user with the "Enforce SSL/TLS Mutual Authentication" user permission enabled accesses Salesforce, the client certificate's identity information is used to look up the mutual authentication certificate from the org. If the certificate is found and matches the client certificate that was sent to Salesforce, access is granted; if it does not match or is not found, access is denied. If the API client presents no client certificate at all, that user's access to Salesforce is denied.

Users who do not have the "Enforce SSL/TLS Mutual Authentication" user permission enabled can access Salesforce either without a certificate or with any certificate that chains up to a root certificate in the list of Outbound Messaging SSL CA Certificates.

Note: To perform mutual authentication, the My Domain URL must be used.

Knowledge article number

000383575
