Josip Juric87

Two-way SSL securing client certificate?

Hi all! I have a question regarding certificates used to secure apex callouts with two-way-ssl connections. How is the client certificate (e.g. the self-signed certificate generated in SF) secured? Can it be "stolen", or is it registered against the my-domain of the org it has been generated in? Or is it registered against *.force.com, or is there no domain verification at all?
Best Answer chosen by Josip Juric87
pcon
The certificate is secured by not providing access to the private key. While I'm pretty sure someone at Salesforce could get the private key, I do not see a way to get it via the UI. The cert is not registered against a URL, but the CN is set to the name of the certificate you create. For example, the following cert is a self-signed cert named Test and then read with the following command
 
openssl x509 -in Test.crt -text
 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:51:4f:93:b0:bb:00:00:00:00:3a:16:62:ff
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Test, OU=00D61000000YJTN, O=Salesforce.com, L=San Francisco, ST=CA, C=USA
        Validity
            Not Before: Nov 28 19:30:57 2015 GMT
            Not After : Nov 28 12:00:00 2017 GMT
        Subject: CN=Test, OU=00D61000000YJTN, O=Salesforce.com, L=San Francisco, ST=CA, C=USA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:97:56:ad:ea:a3:6d:56:eb:e6:01:82:f6:6a:15:
                    88:fe:39:d3:14:89:3e:22:fa:d8:3b:2d:c0:23:97:
                    84:63:4f:80:f2:d5:82:1d:2f:69:e7:26:45:05:33:
                    76:75:53:e6:90:db:f6:d3:a8:38:e5:c8:66:2f:a2:
                    b4:2d:8e:47:4f:95:93:ce:8a:99:5c:19:6b:b4:c9:
                    4e:13:53:cc:1d:dd:aa:e9:10:b6:e3:85:cf:1a:e6:
                    97:43:cf:46:8d:68:3d:ff:28:3b:c7:25:63:92:44:
                    14:f2:b6:1f:44:eb:0d:a6:44:44:a1:44:f4:67:49:
                    ad:d7:be:6c:a0:43:76:93:ab:3f:c1:84:84:70:8c:
                    6e:68:96:7d:04:36:48:12:f6:0a:cd:05:16:af:22:
                    94:74:58:d1:3b:8a:3c:6e:ff:60:38:f6:b7:3c:9b:
                    75:13:3b:b6:4d:a2:fe:8d:7f:98:1d:72:52:cd:cb:
                    b5:bc:2c:b7:7b:a8:41:27:43:fe:ec:70:af:bc:16:
                    e1:c5:2e:d9:4b:82:97:d3:79:2d:b2:d4:f9:d5:ae:
                    69:31:f2:a0:62:65:1b:73:62:4f:7d:44:f2:46:16:
                    9d:18:0b:14:f8:04:7b:e9:ef:61:85:06:60:6c:0e:
                    f5:59:58:5f:47:33:f8:da:85:1f:96:e5:de:45:b3:
                    d5:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                45:73:3A:77:36:76:6D:82:20:6E:0B:98:98:21:06:60:BB:95:D2:96
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:45:73:3A:77:36:76:6D:82:20:6E:0B:98:98:21:06:60:BB:95:D2:96
                DirName:/CN=Test/OU=00D61000000YJTN/O=Salesforce.com/L=San Francisco/ST=CA/C=USA
                serial:01:51:4F:93:B0:BB:00:00:00:00:3A:16:62:FF

    Signature Algorithm: sha256WithRSAEncryption
        30:60:34:cd:64:01:d5:09:7b:71:69:f6:3c:bd:d0:a8:d1:7b:
        7c:3e:36:7e:7e:9b:71:50:01:95:92:68:54:ef:40:35:16:cd:
        11:2e:2f:73:03:3c:6d:9c:29:9e:d2:73:52:e6:4c:1d:e0:07:
        24:7b:17:a9:9a:98:39:7a:19:2e:5b:b2:e3:ef:4d:f9:a8:1f:
        9f:3c:43:00:c3:3b:cc:35:bc:93:b9:ef:59:62:bc:1c:e9:84:
        7f:54:13:8a:30:5e:99:e4:0c:c4:62:7c:10:46:c0:ea:8c:6c:
        37:19:6b:75:04:ab:d2:07:c6:94:22:e2:5b:e6:02:ba:fd:0b:
        35:fc:f5:0e:25:4c:b4:5c:f3:4a:d7:18:4b:e1:06:86:a1:f3:
        37:6f:6a:fe:09:b5:46:10:3a:9f:1f:39:75:19:54:a0:68:3d:
        b6:22:a8:98:ed:a3:5e:47:bc:e5:91:ed:04:c3:5a:c7:52:87:
        73:89:4a:03:b5:29:1e:38:6e:b2:ad:f3:8e:25:9f:33:c9:4d:
        9c:76:45:e2:b0:44:48:86:c1:ed:eb:99:b7:9f:41:bf:3d:4e:
        60:27:9a:07:3d:dd:bf:60:91:b6:fd:0a:d2:61:41:75:f6:f7:
        8d:50:76:aa:bb:03:74:f5:b5:b0:ba:52:a9:0c:1b:6d:9d:38:
        77:44:8b:8b
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

All Answers

Josip Juric87
Hi pcon, thanks for the information. I understand now how the security is enforced.
Can you also explain to me what the CN is and what it affects/controls?
pcon
The CN is the Common Name [1] for the cert. When providing it for use as an SSL cert for an HTTP server, the CN has to equal the requested hostname of the server or else most modern browsers will reject the cert because of man-in-the-middle [2] attacks. In this case, since the SSL cert is not being used for an HTTP server and it is being used for two-way authentication, the CN does not matter.

[1] http://info.ssl.com/article.aspx?id=10048
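The two points pcon makes above, that the private key is the only secret and that the CN of a client cert is just a label rather than a hostname, can be checked directly with openssl. The script below is an added example and not code from the thread or from Salesforce: it generates a self-signed client cert with a Test-style subject (the OU value ORGID_PLACEHOLDER is a made-up stand-in for an org id, and the file names under a temporary directory are assumed), locks down the key file, extracts the CN, shows that the cert would fail a hostname check the way a server cert must pass one, and then shows what a relying party actually checks for two-way TLS: a pinned SHA-256 fingerprint of the cert plus proof that the key pairs with it. It assumes openssl 1.0.2 or later is on PATH.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes `openssl` is on PATH.
# All names below (Test.crt, Test.key, ORGID_PLACEHOLDER, the O/L/ST values)
# are constructed for illustration.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a 2048-bit RSA key and a self-signed cert whose CN is a plain label
# ("Test"), mirroring the subject layout shown in the answer above.
make_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORKDIR/Test.key" -out "$WORKDIR/Test.crt" \
        -subj "/CN=Test/OU=ORGID_PLACEHOLDER/O=Example/L=San Francisco/ST=CA/C=US" \
        >/dev/null 2>&1
    # The private key is the only secret: restrict it to the owning user.
    chmod 600 "$WORKDIR/Test.key"
}

# Octal permission bits of the key file (GNU stat first, BSD/macOS stat as fallback).
key_mode() {
    stat -c '%a' "$WORKDIR/Test.key" 2>/dev/null || stat -f '%Lp' "$WORKDIR/Test.key"
}

# Extract the CN from the subject; RFC2253 formatting keeps the output stable
# across openssl versions. This is the certificate's name, not a URL.
cert_cn() {
    openssl x509 -in "$WORKDIR/Test.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Hostname check a TLS client performs on a *server* cert. Succeeds (exit 0)
# only when the cert's names cover the given host; a label like "Test" does
# not cover a real hostname, which is why the CN "does not matter" for a
# client cert but matters a great deal for a server cert.
matches_hostname() {
    openssl x509 -in "$WORKDIR/Test.crt" -noout -checkhost "$1" | grep -q 'does match'
}

# SHA-256 fingerprint (colon-separated hex) of the DER-encoded cert. This is
# what a server pins or places in its trust store for client authentication.
cert_fingerprint() {
    openssl x509 -in "$WORKDIR/Test.crt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Relying-party check: accept the presented cert only if its fingerprint
# equals the pin recorded out of band.
is_pinned() {
    [ "$(cert_fingerprint)" = "$1" ]
}

# Possession check: the public key embedded in the cert must equal the public
# key derived from the private key. The TLS handshake proves this with a
# signature; here we compare the two PEM public keys by hash.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$WORKDIR/Test.crt" -noout -pubkey | openssl sha256)
    from_key=$(openssl pkey -in "$WORKDIR/Test.key" -pubout | openssl sha256)
    [ "$from_cert" = "$from_key" ]
}

# Stand-alone run: build the cert and report the checks.
make_client_cert
echo "CN:             $(cert_cn)"
echo "key file mode:  $(key_mode)"
echo "SHA-256 pin:    $(cert_fingerprint)"
if matches_hostname example.com; then
    echo "hostname check: example.com matches (unexpected for a client cert)"
else
    echo "hostname check: example.com does not match (expected; CN is only a label)"
fi
if key_matches_cert; then echo "key/cert pair:  OK"; else echo "key/cert pair:  MISMATCH"; fi
```

The fingerprint, not the CN, is what ties the client cert to an identity on the server side, so the defensive questions to ask about such a cert are who can read the key file and what accepts that fingerprint, not what domain the name resembles.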
Josip Juric87
OK, thank you for the explanation!