Loading

Merge a complete certificate chain for custom HTTPS domains

Udgivelsesdato: May 3, 2026
Beskrivelse

When using custom HTTPS domains in Salesforce, most Certificate Authorities (CAs) issue certificates with intermediate certificates in the signing chain. If the browser or system connecting to your domain does not have these intermediate certificates installed as trusted, HTTPS connections to your custom domain may fail. Uploading a complete certificate chain — including the domain certificate, all intermediate certificates, and the root certificate — to Salesforce resolves this issue. This approach also addresses the common "certificate verify failed (unable to get local issuer certificate)" error.


Most of the Certificate Authority (CA) now has intermediate certificates. This causes an issue when custom domain and certificates are used in Salesforce. More information on adding custom domains and certificates can be found in the following articles:


Some systems or browsers don't have trusted intermediate certificates. To resolve this, those certificates need to be installed and trusted.

Another solution, in that case, is to upload a certificate chain in salesforce and associate that with custom domain.

Note: Merging a complete certificate change will also help address certificate verify failed (unable to get local issuer certificate) errors.

 

Løsning

To resolve certificate chain errors for custom HTTPS domains in Salesforce, create a single certificate chain file by stacking all certificates in the correct order (domain first, then intermediate certificates, then root certificate) and upload it to Salesforce via Setup then Security Controls then Certificate and Key Management.



Combine complete certificate for custom https domain

1. Get CA signed certificate for domain.
2. Import or Download that certificate as base64.
3. Do the same for all the intermediate certificates (if more than one) and the root certificate.
4. Now create a new file. Example:  certificate_chain.crt.
5. Open that file in text editor and stack all 3 certificates on after the other and save.
1. Order of the certificates is starting from the domain and up towards the root
  • Domain cert
  • Intermediate cert 1 above domain
  • Intermediate cert 2 above that and so on
  • Root cert

2. You must include all certificates up to and including root
 

Example of merging certificates

-----BEGIN CERTIFICATE-----
MIIGvTCCBaWgAwIBAgIQBsyeRo2C7ECRbEpmpu+mazANBgkqhkiG9w0BAQUFADBI
[TRUNCATE]
MDEyMDAwMFowgYcxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDESMBAG
v+PMGxmcJcqnBrJT3yOyzxIZow==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEjzCCA3egAwIBAgIQBp4dt3/PHfupevXlyaJANzANBgkqhkiG9w0BAQUFADBh
[TRUNCATE]
slXkLGtB8L5cRspKKaBIXiDSRf8F3jSvcEuBOeLKB1d8tjHcISnivpcOd5AUUUDh
v+PMGxmcJcqnBrJT3yOyzxIZow==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
[TRUNCATE]
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
The example above shows a correctly stacked certificate chain file. Each certificate is enclosed between BEGIN CERTIFICATE and END CERTIFICATE markers and placed sequentially in the file. If you receive an error when uploading stating "Certificate's subject distinguished name (DN) is not equal to the previous certificate's issuer DN," the chain order is incorrect or a certificate is missing. Use an online Certificate Checker tool to validate the completeness and order of your chain.

Now upload this new cert into the certificates and key management and associate this new certificate with the domain. If certificate was already associated then no other step needs to be performed.

If you receive an error when uploading stating:

Error: Certificate's subject distinguished name (DN)
<certificate info> is not equal to the previous certificate's issuer DN <certificate info> 

This means the certificate chain is not in the correct order or a link in the chain is missing. You must reexamine the certificate chain and correct it. Online "Certificate Checker" tools can be found that can validate the completeness of a certificate chain.
Vidensartikelnummer

000386535

 
Indlæser
Salesforce Help | Article