          Generate a Certificate Signed by a Certificate Authority

          A certificate authority-signed (CA-signed) certificate can be a more authoritative way to prove that your org’s data communications are genuine. You can generate this type of certificate and upload it to Salesforce.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: all editions
          User Permissions Needed
          To create, edit, and manage certificates: Manage Certificates
          1. From Setup, in the Quick Find box, enter Certificate and Key Management, and then select Certificate and Key Management.
          2. Select Create CA-Signed Certificate.
          3. Enter a descriptive label for the Salesforce certificate.
            This name is used primarily by administrators when viewing certificates.
          4. Enter a unique name. You can accept the name that’s populated based on the certificate label you enter.
            This name can contain only underscores and alphanumeric characters, and it must be unique in your org. It must begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores. Use the unique name when referring to the certificate using the Lightning Platform API or Apex.
          5. Select a key size for your certificate and keys.
            For securing data in transit via TLS, we recommend using the default 2048-bit key size. For situations that require stronger keys, use a 3072-bit or 4096-bit key. For Shield Platform Encryption’s Bring Your Own Key service, use a 4096-bit key.
            Note: After you save a Salesforce certificate, you can’t change its type or key size.
          6. Enter this information.
            These fields are combined to generate a unique certificate.
            Field: Description
            • Common Name: The fully qualified domain name of the company requesting the signed certificate, generally of the form http://www.mycompany.com.
            • Email Address: The email address associated with this certificate.
            • Company: Either the legal name of your company or your legal name.
            • Department: The branch of your company using the certificate, such as marketing or accounting.
            • City: The city where the company resides.
            • State: The state where the company resides.
            • Country Code: A two-letter code indicating the country where the company resides. For the United States, the value is US.
          7. Save your work.

            After you save a Salesforce certificate, the certificate and corresponding keys are automatically generated.

          8. Find your new certificate from the certificates list, then select Download Certificate Signing Request.
            Downloaded certificate signing requests have .csr extensions.
          9. Send the certificate request to the certificate authority of your choice.
          10. After the certificate authority sends back the signed certificate, go back to Certificate and Key Management, select the name of the certificate, then select Upload Signed Certificate.
            The CA-signed certificate must match the certificate created in Salesforce. If you try to upload a different CA-signed certificate, the upload fails.
          11. To complete the upload process, save your work.

          After you upload the CA-signed certificate, the status of the certificate is changed to Active and you can use it.
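
          Because the upload in step 10 fails unless the signed certificate matches the certificate created in Salesforce, it helps to compare what the CA returned against the downloaded .csr before uploading. The script below is an added example, not Salesforce code; it assumes OpenSSL is installed and the CA returned a PEM file, and its function and file names are illustrative. The key, CSR and certificates that make_constructed_samples generates are constructed stand-ins (in a real org the private key never leaves Salesforce, and the CA signs rather than the key itself).

```bash
#!/usr/bin/env bash
# Added example: pre-upload check that a CA-signed certificate carries the
# same public key as the CSR downloaded from Certificate and Key Management.

# Print the PEM public key embedded in a CSR ("req") or certificate ("x509").
pubkey_pem() {  # usage: pubkey_pem req|x509 FILE
  openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# Exit 0 if the keys match, 1 if they differ, 2 if a file cannot be parsed.
csr_matches_cert() {  # usage: csr_matches_cert REQUEST.csr SIGNED.crt
  local csr_key cert_key
  csr_key=$(pubkey_pem req "$1") || return 2
  cert_key=$(pubkey_pem x509 "$2") || return 2
  [ -n "$csr_key" ] && [ -n "$cert_key" ] || return 2
  [ "$csr_key" = "$cert_key" ]
}

# Print the key size recorded in the CSR (2048, 3072 or 4096 per step 5).
csr_key_bits() {  # usage: csr_key_bits REQUEST.csr
  openssl req -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Build constructed sample files in DIR: org.csr, good.crt (same key as the
# CSR, self-signed in place of a CA) and other.crt (an unrelated key).
make_constructed_samples() {  # usage: make_constructed_samples DIR
  local d=$1 subj="/CN=www.mycompany.example/O=Constructed Co/C=US"
  openssl req -newkey rsa:2048 -nodes -keyout "$d/org.key" \
    -out "$d/org.csr" -subj "$subj" 2>/dev/null
  openssl x509 -req -in "$d/org.csr" -signkey "$d/org.key" -days 365 \
    -out "$d/good.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" \
    -out "$d/other.crt" -days 365 -subj "$subj" 2>/dev/null
}

# When run as: script REQUEST.csr SIGNED.crt
if [ "$#" -eq 2 ]; then
  echo "CSR key size: $(csr_key_bits "$1") bit"
  if csr_matches_cert "$1" "$2"; then
    echo "OK: certificate matches the CSR"
  else
    echo "STOP: mismatch or unreadable file; the upload would fail"
  fi
fi
```
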

          Tip: To edit a certificate that you uploaded, upload it again. Published site domains are republished if they have at least one Salesforce Site or Experience Cloud site. The certificate record’s expiration date is updated to the expiration date of the newly uploaded certificate.

          You can have up to 50 certificates.

          Note: Some business processes require more certificates than others. If you require more than 50 certificates, contact Salesforce Customer Support.

          After you create a CA-signed certificate, it’s valid for one year. After that, the certificate must be renewed, which extends the expiration date.

          Important: To comply with new CA/Browser Forum recommendations, certificate shelf life is being reduced. See Certificates in Salesforce to learn more.
          • If you use the “Serve the domain with the Salesforce Content Delivery Network (CDN)” HTTPS option, the Salesforce CDN partner automatically renews the certificate.
          • For other HTTPS options, contact your certificate authority (CA) to extend the certificate expiration date.
           