Set Up and Maintain Your Salesforce Organization
          Certificates and Keys

          Salesforce certificates and key pairs are used for signatures that verify a request is coming from your organization. They are used for authenticated SSL communications with an external website, or when using your organization as an Identity Provider. You only need to generate a Salesforce certificate and key pair if you're working with an external website that wants verification that a request is coming from a Salesforce organization.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: all editions
          User Permissions Needed
          To create, edit, and manage certificates: Manage Certificates
          • Certificates in Salesforce
            Understand how certificates are used in Salesforce and how they expire. To prevent disruption and potential downtime, replace your certificates before they expire. Processes can stop working when a certificate expires, which can lead to outages.
          • Generate a Self-Signed Certificate
            Generate a certificate signed by Salesforce to show that communications purporting to come from your organization are really coming from there.
          • Generate a Certificate Signed by a Certificate Authority
            A certificate authority-signed (CA-signed) certificate can be a more authoritative way to prove that your org’s data communications are genuine. You can generate this type of certificate and upload it to Salesforce.
          • Export and Import Certificates with a Keystore
            You can export all your certificates and private keys into a keystore for storage or import certificates and keys from a keystore. This keystore lets you move keys from one organization to another. The exported file is in the Java Keystore (JKS) format, and the imported file must also be in the JKS format.
          • Set Up a Mutual Authentication Certificate for API Login
            To improve security by preventing impersonation, you can require mutual authentication when a client app tries to access Salesforce data. With mutual authentication, the client app and the Salesforce server prove their identity to each other with signed certificates by using the Mutual Transport Layer Security (mTLS) protocol. As a prerequisite for mutual authentication, upload your client certificate to Salesforce.
          • Configure Your API Client to Use Mutual Authentication
            To use mutual authentication when calling Salesforce services via API, configure your client app to present your client certificate and chain to Salesforce. For security reasons, the client certificate must be used only in your org.
          • Manage Master Encryption Keys
            Encrypted custom fields, such as Social Security Number or Credit Card Number, are encrypted with a master encryption key. This key is automatically assigned when you select fields to encrypt. You manage your own master key according to your organization’s security and regulatory needs.
          • Set Expired Certificate Notification Permission
            Limit who's notified about expiring certificates by assigning the Receive Certificate Expiration Notifications permission. When you assign this permission to at least one admin, users with the System Administrator profile or the Modify All Data permission receive emails about an expiring certificate only the day before it expires and the day of expiry. Admins with the permission receive emails at 60, 30, and 10 days before a certificate expires. If you don’t assign this permission to anyone, all users with either the System Administrator profile or the Modify All Data system permission continue to receive all certificate expiration emails.
          • Manage Expired Certificates
            When you’re notified that a certificate authority (CA) or self-signed certificate is expiring, or when your org no longer needs a certificate, manage certificate deletion appropriately.
          • Replace the Default Proxy Certificate for SAML Single Sign-On
            The proxy.salesforce.com default certificate has been retired due to its expiration and for security best practices. If your Salesforce org uses this certificate for SAML single sign-on, act now to prevent a possible interruption of service.
           