How to Create MFA/2FA Client Certificate for B2C Commerce Code Upload via Multi-Factor Authentication (Two-Factor Authentication)

Publication date: Dec 10, 2025
Description

To configure and manage the client certificates required for two-factor authentication when uploading code within the B2C Commerce Staging Business Manager instance as required for PCI compliance.
 

Solution
  1. Install OpenSSL.
    1. Download a Windows or Linux OpenSSL client from the following location: http://www.slproweb.com/products/Win32OpenSSL.html
    2. Install only the OpenSSL Light version.
    3. For Windows users, accept the default installation options.
    4. OpenSSL is installed to C:\OpenSSL by default. The instructions in this article assume the default installation location.
  2. Create a new key and request using OpenSSL.
    1. Extract the certificate zip file you received (e.g. certificate.zip) to C:\OpenSSL\bin.
    2. Open a command prompt and change to the C:\OpenSSL\bin\ directory.
    3. On either platform, enter the following command to generate a request:
openssl req -new -sha256 -newkey rsa:2048 -nodes -out $user.req -keyout $user.key
 
$user indicates the user that this key is for. We recommend that it be the same as the Business Manager user they are authenticating against. For example, if the SFCC instance username is jsmith, the certificate should be named jsmith.
 
Note: When prompted for information to be included in the certificate request, please provide information for the user that will be using the certificate (ex. jsmith).
 
Caution: Don't use generic names (ex. Release Team).
The output should be as follows:
 
Generating a 2048 bit RSA private key
....................++++++++++++
........++++++++++++
writing new private key to '$user.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (city) []:
Organization Name (company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (section) []:
Common Name (YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
Note: The last two fields are optional. We recommend that you leave them blank. The challenge password isn't used.
    4. Fill out the request with your company name and details and a valid email address. The email address must be that of the person who will use the certificate.
For example:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Massachusetts
Locality Name (city) []:
Organization Name (company) [Internet Widgits Pty Ltd]: Salesforce B2C Commerce Cloud
Organizational Unit Name (section) []: Support
Common Name (YOUR name) []: John Smith
Email Address []: jsmith@salesforce.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  3. Sign the certificate request ($user.req) with the CA certificate provided by SFCC.
    1. Make sure the client key ($user.key) and client request ($user.req) are in the same directory as the SFCC certificate and key (C:\OpenSSL\bin).
    2. Enter the following OpenSSL command into the command prompt:
openssl x509 -CA $name.crt -CAkey $name.key -CAserial $name.srl -req -in $user.req -out $user.pem -days $days
 
$days: the number of days the client certificate is valid, counted from its creation
$name: the name provided by SFCC
$user: the user of the client certificate you are signing. For example: jsmith

Note: The $name portion of the $name.srl file may be slightly different from other $name files. Make sure you enter the file name correctly. For example:

openssl x509 -CA cert.staging.web.customer.demandware.net_01.crt -CAkey cert.staging.web.customer.demandware.net_01.key -CAserial cert.staging.web.customer.demandware.net.srl -req -in jsmith.req -out jsmith.pem -days 365
 
    3. The certificate remains valid until it expires or you ask SFCC to revoke all certificates, so plan carefully when assigning certificates to users.
The output of this command should look as follows:
Signature ok
subject=/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=XX/emailAddress=user@co.com
Getting CA Private Key
Enter pass phrase for $name.key:
    4. Enter the pass phrase (contained in $name.txt) to sign the certificate.
  4. Export the certificate and private key to a PKCS#12 keystore.
    1. Enter the following command into the command prompt:
openssl pkcs12 -export -in $user.pem -inkey $user.key -certfile $name.crt -name "$user" -out $user.p12

$name is the name provided by Commerce Cloud.
$user is the user of the client certificate you are signing.
 
For example:
openssl pkcs12 -export -in jsmith.pem -inkey jsmith.key -certfile cert.staging.web.customer.demandware.net_01.crt -name "jsmith" -out jsmith.p12
    2. Specify an export password for this file. This password must be provided to the end user who will load the certificate into Studio or another keystore.
    3. The PKCS#12 keystore can be used to connect to a Staging instance via Studio. It can also be used with other WebDAV clients, such as the Windows built-in WebDAV client. If the user wants to upload code via Windows WebDAV, see Step 6. Otherwise, Step 6 isn't required.
  5. Import the certificate into a browser. This is a validation step to test that the certificate works in a browser.
    1. In Firefox, select Tools > Options.
    2. Click Advanced.
    3. On the Encryption tab, click View Certificates. The Certificate Manager dialog appears.
    4. Click the Your Certificates tab and click Import.
    5. Select the <user>.p12 certificate.
  6. Import the PKCS#12 file if creating a WebDAV connection.
    1. On the local machine, double-click the certificate to open it. The Certificate dialog will appear.
    2. Click Install Certificate. The Certificate Import Wizard will appear.
    3. Click Next.
    4. Select the "Automatically select the certificate store based on the type of certificate" check box.
    5. Click Next. A message will appear indicating that you have successfully completed the certificate import.
    6. Click Finish. You'll now be able to open a WebDAV connection using this certificate. You can also open Studio and import the certificate directly.
    7. Use the Add Network Wizard to create a WebDAV network location with Windows, using the following URL:
      https://cert.staging.realm.demandware.net/on/demandware.servlet/webdav/Sites/Cartridges
  7. Create a server connection via UX Studio.
    1. Open UX Studio.
    2. Click File > New > Digital Server Connection. The New Digital Server Connection dialog box will appear.
    3. Make sure you enter the new instance URL. It should be in the format of cert.staging.realm.customer.demandware.net.
    4. Click the "Use Certificate Authentication" check box.
    5. Browse to the keystore (pkcs12) file you want to import and click Select.
    6. Enter the password supplied to you by your administrator.
    7. Click Finish to connect.
You can now connect via UX Studio and WebDAV.


In summary (Mac and Windows):

  1. openssl req -new -sha256 -newkey rsa:2048 -nodes -out "$req" -keyout "$key"
    1. Generates a Certificate Signing Request (CSR) and private key
    2. Creates a .req file and a .key file (containing the CSR and private key, respectively)
  2. openssl x509 -req -in "$req" -out "$pem" -days "$days" -CA "$ca_cert" -CAkey "$ca_key" -CAserial "$ca_serial"
    1. Signs the CSR using the CA certificate, private key, and serial number file (.crt, .key, .srl)
    2. Prompts for the password from the .txt file (because the CA key is encrypted)
    3. Creates a .pem file (containing the X.509 certificate)
  3. openssl pkcs12 -export -in "$pem" -inkey "$key" -certfile "$ca_cert" -name "$user-$hostname" -out "$p12"
    1. Stores the certificate from step 2, private key from step 1, and CA certificate to a single file
    2. Creates a .p12 file (containing the signed client certificate, private key, and CA certificate)

Now you have the files that you'll need for two-factor authentication.
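The three steps from the summary, run end to end as an added example script (not Salesforce's own), followed by the checks an administrator should run before handing the .p12 to a user. Because the CA bundle ($name.crt, $name.key, $name.srl and the pass phrase in $name.txt) is issued by Salesforce, the script builds a constructed stand-in CA with the same file layout; the user jsmith, the e-mail address and both passwords are constructed values.

```shell
#!/usr/bin/env bash
# Added example: the article's three OpenSSL steps end to end, then verified.
# The real CA bundle ($name.crt/.key/.srl plus the pass phrase in $name.txt) comes from
# Salesforce; make_test_ca builds a constructed stand-in with the same file layout.
set -eu
WORK="$(mktemp -d)"
CA_NAME="cert.staging.web.customer.demandware.net_01"     # $name from the article
CA_SERIAL="cert.staging.web.customer.demandware.net.srl"  # serial file uses a different $name
CA_PASS="constructed-pass-phrase"                         # stands in for $name.txt

make_test_ca() {   # constructed stand-in for the SFCC-provided CA; skip in real use
  openssl req -x509 -new -sha256 -newkey rsa:2048 -days 30 \
    -subj "/O=Example Customer/CN=Constructed B2C Staging CA" \
    -passout "pass:$CA_PASS" -keyout "$WORK/$CA_NAME.key" -out "$WORK/$CA_NAME.crt" 2>/dev/null
  echo 01 > "$WORK/$CA_SERIAL"
}
# Step 1: CSR and private key for one named person; -subj replaces the interactive prompts.
make_csr() {   # $1=Business Manager user  $2=full name  $3=e-mail
  openssl req -new -sha256 -newkey rsa:2048 -nodes -out "$WORK/$1.req" -keyout "$WORK/$1.key" \
    -subj "/C=US/ST=Massachusetts/O=Salesforce B2C Commerce Cloud/OU=Support/CN=$2/emailAddress=$3" 2>/dev/null
}
# Step 2: sign the CSR with the CA; -passin supplies the pass phrase instead of the prompt.
sign_csr() {   # $1=user  $2=days
  openssl x509 -req -in "$WORK/$1.req" -out "$WORK/$1.pem" -days "$2" \
    -CA "$WORK/$CA_NAME.crt" -CAkey "$WORK/$CA_NAME.key" -CAserial "$WORK/$CA_SERIAL" \
    -passin "pass:$CA_PASS" 2>/dev/null
}
# Step 3: bundle certificate, private key and CA certificate into the PKCS#12 keystore.
export_p12() {   # $1=user  $2=export password to hand to the end user
  openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" -certfile "$WORK/$CA_NAME.crt" \
    -name "$1" -out "$WORK/$1.p12" -passout "pass:$2"
}
# Checks worth running before handing the .p12 over: the certificate chains to the CA,
# the subject carries that person's e-mail (no generic names), and the keystore opens.
verify_user_cert() {   # $1=user  $2=expected e-mail  $3=export password
  openssl verify -CAfile "$WORK/$CA_NAME.crt" "$WORK/$1.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$1.pem" -noout -subject | grep -q "emailAddress *= *$2" || return 1
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$3" -noout 2>/dev/null
}
# Full run for user jsmith (constructed values); returns 0 only if every check passes.
demo() {
  make_test_ca
  make_csr jsmith "John Smith" jsmith@example.com
  sign_csr jsmith 365
  export_p12 jsmith export-pw
  verify_user_cert jsmith jsmith@example.com export-pw
}
```

In real use, drop make_test_ca, point CA_NAME and CA_SERIAL at the files extracted from the Salesforce zip, and read CA_PASS from $name.txt.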

Knowledge Article Number

000391641

Salesforce Help | Article