Loading

Marketing Cloud Engagement | Frequently Asked Questions: Server Certificates and Certificate Renewals

Julkaisupäivä: Mar 19, 2026
Kuvaus

This article covers the impact of server certificate renewals on SSL/TLS communication in Marketing Cloud Engagement (MCE), as well as the recommended client-side configuration to prevent connectivity issues. Topics include trust store configuration aligned with Mozilla Root Store Policy, steps to take when API connectivity errors occur, frequently asked questions, and items to verify before contacting Support.

Ratkaisu

Prerequisites

Whether a certificate renewal affects your environment depends entirely on your client-side configuration. Salesforce Support cannot inspect the internal settings of your environment, and therefore cannot make individual determinations about whether your specific configuration will be affected or advise on exactly which settings to change.

To proactively prevent connectivity errors, the most reliable approach is to ensure that all devices accessing the servers subject to renewal (API clients or PCs) are configured to trust the full set of root certificates included in the Mozilla list, as recommended in this article. If this configuration is in place, certificate renewals will not cause connectivity issues. We appreciate your understanding and cooperation.

Reference:
Important Update for Marketing Cloud Engagement Customers: End of Support for Certificate Pinning
https://trailhead.salesforce.com/ja/trailblazer-community/feed/0D5KX00000KDKZw0AP
 
 

1. How Certificate Validation Works

During SSL/TLS communication, the connecting client validates the authenticity of the server certificate. Validation is performed against three primary criteria: whether the certificate is within its validity period, whether it matches the domain of the server being connected to, and whether a trusted root Certificate Authority (CA) serves as the anchor of the certificate chain. If any of these conditions are not met, the SSL/TLS handshake fails and the HTTPS connection is terminated.

In MCE's standard certificate renewal process, the certificate presented is always valid and matches the appropriate domain. As a result, certificate expiry and domain mismatch are not typically a concern during renewals. Whether a connection succeeds after a renewal depends primarily on whether the client's trust store is configured to trust the root certificate that anchors the presented certificate chain.

[Note: Access via web browsers on general PCs and smartphones]
In this article, "client" refers not only to systems performing API integrations, but also to web browsers on general PCs and smartphones. However, mainstream operating systems and browsers automatically manage and update their root certificate lists through their respective vendors. Since MCE uses certificates from CAs that comply with Mozilla's policy, access from general users will not be disrupted as long as a Bring Your Own Certificate (BYOC) configuration is not in use for SAP domains.
 
 

2. Issues That May Occur When the Server Certificate Is Not Trusted

If the server certificate is not recognized as valid (trusted) by the client — whether a browser or an API client — a secure TLS/SSL connection cannot be established, resulting in various errors. If connectivity issues arise, review the following based on the relevant endpoint.
 
Connection Target
Examples of Issues That May Occur
Verification and Resolution
1. API Endpoints
Requests from API clients fail at the connection level. TLS-related errors are recorded in the application logs on the API client side.
Contact the infrastructure administrator responsible for the API client environment. Verify that the root certificate of the target API server is registered as trusted in the API client's trust store.
2. Marketing Cloud Engagement Admin Console
Security warnings appear in the browser, pages do not render correctly, or certain features do not function as expected in the UI.
The certificate used by this service is trusted by standard operating systems and browsers. If this error occurs, it is likely that the trust store on the affected PC has been intentionally restricted, or that an intermediate network device (e.g., a proxy) is interfering. Configure the environment to trust the full certificate chain from the relevant root CA, or contact the team responsible for managing the PC and network.
3. SAP / Private Domain (Clicks, Views, Images, CloudPages, etc.)
Images in emails do not display, tracking links do not function, View as Web Page does not work, CloudPages are inaccessible, etc.
These endpoints are intended for access by general recipients. In standard user environments, the server certificate for SAP/Private Domain is trusted by default and this issue should not occur. However, issues may arise when accessing from environments with strict security configurations, such as certain corporate networks. If the issue is reproducible only from specific PCs or internal environments, the PC administrator or IT team should take the same steps as described in row 2 above.
 
 
 
 

3. Unsupported and Non-Recommended Configurations

The following configurations are defined as unsupported or not recommended in MCE, as they are likely to cause connectivity failures during certificate renewals (rotations).

3.1. Certificate Pinning — Unsupported

This refers to a configuration in which the hash value of a specific server certificate or intermediate certificate is hardcoded within an application. Because MCE rotates certificates periodically as part of its security maintenance, this configuration will result in connection failures immediately after a certificate renewal.

3.2. Restricting Trust to Specific Root Certificates — Not Recommended

Configurations that selectively allow only specific CAs from the standard root certificate list and maintain a custom whitelist (e.g., permitting DigiCert Global Root G1 only, while blocking G2/G3) are not recommended. When MCE changes the CA it uses (e.g., transitioning from G1 to G2), clients in this configuration will fail validation and become unable to connect. Trusting the full list of root certificates, rather than relying on specific ones, is recommended for stable operation.
 
 

4. Recommended Configuration

To prevent connectivity errors when connecting to MCE, the following configuration is recommended.
Compliance with Mozilla Root Store Policy (Recommended)
MCE uses Certificate Authorities (CAs) that comply with Mozilla's policy. Therefore, for all client environments (Java, .NET, OpenSSL, browsers, etc.), we recommend and support a configuration that broadly trusts all root certificates included in Mozilla's list. By maintaining this configuration, trust relationships are automatically preserved even when root certificate generations change (e.g., G2, G3) or when the CA itself changes.
 
 

5. Frequently Asked Questions (FAQ)

Q. Should I register DigiCert Global Root G2 or G3?
A. Please register all root certificates included in the Mozilla list comprehensively, including both G2 and G3. Restricting trust to a specific version constitutes a non-recommended configuration and may cause future connectivity errors.
 
Q. Will advance notice be provided before a certificate renewal? Can the certificate data be distributed in advance?
A. As a general rule, advance individual notification and pre-distribution of certificate data are not provided. If the recommended configuration is in place, certificate renewals will not impact connectivity, regardless of whether advance notice is given.
 
Q. Is pre-validation (connectivity testing) available?
A. A dedicated environment for certificate validation testing is not provided. Please prioritize verifying that the trust store in your client environment conforms to the recommended configuration.
 
Q. Are there any actions required by MCE administrators in connection with a server certificate renewal?
A. Except for SAP domains where customers bring their own SSL certificates (BYOC), no actions are required in the MCE admin console. For any configuration changes that may be needed on your own systems, please review this article and the applicable services subject to certificate renewal, then consult the server administrators for your API clients and the administrators responsible for your PCs and network.
 
Q. Where can I find information about the root CA used by MCE's server certificates?
A. Server certificate information can be verified using a standard web browser. The steps for Google Chrome are as follows:
  • Enter the URL of the endpoint you wish to inspect in the address bar and navigate to it
  • Click the tuning icon (two horizontal lines icon) on the left side of the address bar
  • Select "Connection is secure" from the menu that appears
  • Click "Certificate is valid"
  • In the certificate viewer that appears, review the root certificate and intermediate certificate details
 
 
 

6. Items to Verify Before Contacting Support

To enable us to provide smooth and efficient support, please confirm the following two points internally before submitting a support request.
 
  1. Verify that the client-side trust store is using a standard configuration — Confirm with your API client administrators and PC administrators that certificate pinning is not in use and that root certificates are not restricted by custom criteria, but are instead aligned with a standard list such as Mozilla's.
  2. Identify the communication path — Clearly identify the client initiating the connection and the MCE server or feature being connected to. Please describe the specific situation in your inquiry, including which feature is affected, or if you are uncertain which service is targeted by the certificate renewal information you have encountered.
Knowledge-artikkelin numero

005299113

 
Ladataan
Salesforce Help | Article