+ Start a Discussion

Salesforce Client Certificate


I would like to use Salesforce client certificate to validate the identity of outbond messages sent from Salesforce. How can I do this and is there an example?

Sorry, but the API Developer's Guide does not have much information on this.


I am using Tomcat BTW.
It very environment specifc, and there's lots of different environments that people are using, so its just not possible for us to doc the details on this for all those different environments. I'm afraid you're going to have to read the tomcat docs for SSL. (If you have apache HTTPD fronting your tomcat server, then you'd want to do this in the apache config instead)
You can find a good blog on setting up two way
SSL with tomcat here[1].

Let me know if you need more help.

[1] http://www.vorburger.ch/blog1/2006/08/setting-up-two-way-mutual-ssl-with.html

Thanks for posting the link.  However, after reading it, I'm still a little unclear as to what exactly I need to do to import the Salesforce certificate into Tomcat.

I would appreciate a code snippet if you have one.


Here are the steps:

1. Download the client certificate from sfdc (sfdc-client.cert)

2. Use keytool to import sfdc-client.cert into tomcat trust store.
    If you dont have a trust store already, you can copy cacerts
    keystore from JDK.

keytool -import -v -file sfdc-client.cer -keystore trust.keystore -storepass xxx

3. Configure tomcat to request client cert by changing server.xml

<connector ... clientauth="true" truststorefile="trust.keystore" >

4. Restart the server and try to access this page using browser.
   If your setup is good, browser should ask for client certificate.


Thanks for the response.

I followed the steps, but I'm having issues just accessing port 8443.  When I enter "https://localhost:8443" I get an unable to connect message in the browser.  Any help would be appreciated.

Also which page should I try to access to test the setup?

Thanks again!

>I get an unable to connect message in the browser.

Check tomcat log files. See if the SSL server started ok.

>Also which page should I try to access to test the setup?

Any page that you can access through http will do.

I'll try that -- thanks again!

I'm still having issues setting up tomcat and importing the certificate.

I followed the tomcat howto SSL instructions and executed the commands below:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

A .keystore file was created in my home directory. I filled in
my data and tested the port. The certificate I just created appears. [Is this
step correct and/or necessary?]

Next I tried importing the salesforce certificate

%JAVA-HOME%\bin\keytool -import -v -file sfdc-client.cert [Didn't work -- still
see the certificate that I created]

In short, I've tried several combinations -- none successful, so I was
re-reading your response and decided to ask again for assistance.
Please tell me where the tomcat trust store is.  Also, I would appreciate it if you
would also tell me where to copy the cacerts keystore to.

A beginning to end guide would be GREAT! However, any and all help is

Thanks again!
michael tangmichael tang
when I use keytool to input salesforce client certificate, why there is error message saying that "keytool error: java.lang.Exception: Input not an X.509 certificate".