Salesforce client certificate chain order

To confirm a correct certificate chain configuration, use the OpenSSL command-line tool. OpenSSL connects to your server and displays the full certificate chain returned by the server, allowing you to verify the order and completeness of the intermediate certificates.

Run the following command in your terminal, replacing www.salesforce.com:443 with your server's hostname and port:

openssl s_client -connect www.salesforce.com:443 -showcerts

The output of this command displays all certificates in the chain. Review the output to confirm that:

• The server certificate appears first.
• Each intermediate certificate appears in the correct order following the server certificate.
• The root certificate authority certificate is not included in the chain returned by the server.

If the chain is out of order or missing an intermediate certificate, Salesforce will reject the connection. Reconfigure your server to present the certificates in the correct order as described in the Description section above.