Loading

Salesforce client certificate chain order

Udgivelsesdato: May 1, 2026
Beskrivelse

Order of intermediate certificates in certificate chain

Your application (endpoint) server must send any intermediate certificates in the certificate chain, and the certificate chain must be in the correct order. The required order for the certificate chain is as follows:

  1. Server certificate.
  2. Intermediate certificate that signed the server certificate if the server certificate was not signed directly by a root certificate.
  3. Intermediate certificate that signed the certificate in step 2.
  4. Any remaining intermediate certificates. Do not include the root certificate authority certificate. The root certificate is not sent by your server. Salesforce already has its own list of trusted certificates on file, and a certificate in the chain must be signed by one of those root certificate authority certificates.
Løsning

To confirm a correct certificate chain configuration, use the OpenSSL command-line tool. OpenSSL connects to your server and displays the full certificate chain returned by the server, allowing you to verify the order and completeness of the intermediate certificates.

Run the following command in your terminal, replacing www.salesforce.com:443 with your server's hostname and port:

openssl s_client -connect www.salesforce.com:443 -showcerts

The output of this command displays all certificates in the chain. Review the output to confirm that:

  • The server certificate appears first.
  • Each intermediate certificate appears in the correct order following the server certificate.
  • The root certificate authority certificate is not included in the chain returned by the server.

If the chain is out of order or missing an intermediate certificate, Salesforce will reject the connection. Reconfigure your server to present the certificates in the correct order as described in the Description section above.

Vidensartikelnummer

000383872

 
Indlæser
Salesforce Help | Article