
Impact on MuleSoft Applications - Salesforce Certificate Update (DigiCert Global Root G2)

Publication date: Apr 30, 2026
Description

GOAL

To inform MuleSoft customers about the upcoming Salesforce Root Certificate change scheduled for February 5, 2026, and to provide verification steps to ensure connectivity between MuleSoft applications and Salesforce is not interrupted.

SUMMARY

Salesforce has announced that, starting February 5, 2026, its digital certificate infrastructure will migrate to certificates that chain to the DigiCert Global Root G2.

Any MuleSoft application connecting to Salesforce (e.g., using the Salesforce Connector, HTTP Requester, or Pub/Sub Connector) acts as a TLS client. These applications must have the DigiCert Global Root G2 certificate present in their trust store to validate the server certificate chain during the handshake. If this certificate is missing, integrations may fail with SSL/TLS handshake errors such as:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

AFFECTED PRODUCTS & SOLUTION

1. CloudHub 1.0 and CloudHub 2.0

Fully Supported / No Action Required for Latest Updates

MuleSoft’s managed cloud infrastructure (CloudHub and CloudHub 2.0) is regularly patched with the latest security updates and Java versions.

  • Customers using the latest Runtime releases on CloudHub/CloudHub 2.0 are already running on Java versions that include the DigiCert Global Root G2.

  • Recommendation: Ensure your applications are not pinned to deprecated or end-of-life Runtime versions. If you are on a supported release, no action is needed.

  • If your application uses a custom truststore, verify that the truststore also contains the DigiCert Global Root G2 certificate. If it is missing, import the certificate to avoid SSL/TLS handshake failures.

2. On-Premise, Runtime Fabric (RTF), and Hybrid Standalone

Customer Action Required (Verify Java Version)

For runtimes hosted in your own environments (Data Centers, Private Cloud, AWS/Azure self-hosted), the presence of the root certificate depends on the Java Development Kit (JDK) or Java Runtime Environment (JRE) version currently installed on the server.

You are safe if your Mule Runtime is running on:

  • Java 8: Update 75 (8u75) or newer.

  • Java 17: All versions.

If you are running a Java 8 version older than 8u75 (released Jan 2016), you must upgrade your Java installation or manually import the certificate into your truststore before February 5, 2026.

HOW TO VERIFY

To confirm whether your current environment trusts the new root, access the server hosting your Mule Runtime and run the following command against your cacerts file (the default password is usually changeit):

Linux / macOS:

 

$JAVA_HOME/bin/keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit | grep "digicertglobalrootg2"

 

Windows:

 

"%JAVA_HOME%\bin\keytool" -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit | findstr "digicertglobalrootg2"

 

Interpreting Results:

  • If any output is returned: The certificate is present (digicertglobalrootg2). You are prepared for the change.

  • If no output is returned: You are using an older Java version. You must upgrade your JDK/JRE or manually import the DigiCert Global Root G2.
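
An alias match only covers the stock cacerts file; a custom truststore can hold the same root under any alias. The following added example (not part of the original article, and not MuleSoft or Salesforce code) checks by certificate subject instead, parsing English-locale keytool -list -v output. The function names, sample aliases and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not MuleSoft's or Salesforce's code. Function names are hypothetical.
ROOT_CN="CN=DigiCert Global Root G2"

# Locate cacerts under a Java home: a Java 8 JDK keeps it under jre/lib/security,
# a Java 8 JRE and Java 9+ (including 17) under lib/security.
find_cacerts() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Read `keytool -list -v` output on stdin and print the alias of every entry
# whose Owner AND Issuer are the root's DN (self-signed root). An intermediate
# that was merely issued by the root does not count.
root_aliases() {
    awk -v cn="$ROOT_CN" '
        /^Alias name: / { alias = substr($0, 13); owner = 0 }
        /^Owner: /      { owner = (index($0, "Owner: " cn ",") == 1) }
        /^Issuer: /     { if (owner && index($0, "Issuer: " cn ",") == 1) print alias
                          owner = 0 }
    '
}

# Real use (needs keytool on PATH):
#   check_truststore "$(find_cacerts "$JAVA_HOME")" changeit
check_truststore() {
    keytool -list -v -keystore "$1" -storepass "$2" | root_aliases
}

# Constructed sample listing (trimmed to the fields the parser reads).
sample_listing() {
    cat <<'EOF'
Alias name: digicertglobalrootca
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Alias name: example-intermediate
Owner: CN=Example Intermediate CA, O=Example Corp, C=US
Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

Alias name: corp-root-42
Owner: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
EOF
}

sample_listing | root_aliases   # prints: corp-root-42
```

An empty result from check_truststore means the root is absent from that store, whatever its aliases are named.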

Knowledge Article Number

005252999

 