Loading

Salesforce Callout Error: PKIX path validation failed – CertPathValidatorException

Udgivelsesdato: May 29, 2026
Beskrivelse

When attempting to connect to a web server or URL endpoint from Salesforce using a callout, you may encounter the following error:
PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed

This article explains why this error occurs and how to resolve it.

Løsning

Why This Error Occurs
The main reason for this error is that the endpoint is presenting an invalid SSL certificate chain during the SSL Handshake. The server sends its own certificate along with its signing chain, but one or more intermediate certificates are incorrect.

For a valid SSL certificate chain, each certificate's subject field must match the issuer field of the next certificate in the chain. If this chain is broken, Salesforce rejects the connection with the PKIX path validation error.

How to Fix
The endpoint administrator must correct the certificate chain so that the certificate's subject equals the current certificate's issuer.This is a server-side fix that must be performed by the team managing the external endpoint.

How to Validate Using OpenSSL (Third-Party Tool)
OpenSSL is a third-party, open-source tool (not supported by Salesforce) that can be used to inspect the certificate chain presented by an endpoint. To view the certificates being sent, run the following command in a terminal, replacing hostname:port with your target endpoint:

openssl s_client –showcerts –connect hostname:port

This command displays the full list of certificates sent by the server. Review the list to verify whether the certificate chain is properly installed and that the subject/issuer names are correctly chained.

Note:
OpenSSL is a third-party tool and falls outside the scope of Salesforce Technical Support.

Vidensartikelnummer

000385068

 
Indlæser
Salesforce Help | Article