Vik

2-Way SSL Mutual Auth

To integrate our application with Salesforce we have to do 2-Way Mutual Auth with Salesforce.

To make 2-Way mutual Auth work, Salesforce needs to import root-ca and intermediate-ca in their trust store. Is it possible for Salesforce to do that?

Our organisation will not accept any other alternative when it comes to security but only 2-way mutual Auth.

Best Answer chosen by Admin (Salesforce Developers) 
Shilpa_SF

Hi,

The Self-Signed certificates generated by Salesforce are not linked to the Salesforce.com CA-Signed certificates that secure our servers. They are standalone certificates.

If your external service does not accept a self-signed certificate, then you must generate a CA-Signed Certificate for use in Salesforce. Here are steps on how to do that:

1) Go to Setup -> Administrative Setup -> Security Controls -> Certificate and Key Management
2) Click New CA-Signed Certificate
3) Type 'Invoice Service Client Certificate' as label and 'invoice_service' as unique name
4) The values for Common Name, Email Address, Company, Department, City, State and Country Code are more or less dictated by who will be signing your certificate. If you want VeriSign to sign it, they have requirements that these values match your real identity.

Then you will need to have this certificate signed by a Certificate Authority.

1. Download a certificate signing request by clicking Download Certificate Signing Request on the certificate detail page.
2. Send this request (it will be a file) to a Certificate Authority to be signed.
3. They will return another file which you then upload into Salesforce by clicking Upload Signed Certificate.

Please let me know if this answers your question.
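
What the service on the other end of this setup does with the signed client certificate, as an added example (not part of the original thread and not Salesforce tooling): a throwaway root and intermediate CA sign a client CSR, and `openssl verify` accepts the client certificate only when the verifier holds both the root and the intermediate. All names and certificates are constructed, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: throwaway PKI, all names constructed; nothing here contacts Salesforce.

# build_demo_pki DIR: root CA -> intermediate CA -> client cert issued from a CSR.
build_demo_pki() (
  cd "$1" || exit 1
  cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  # newreq CN NAME: new private key plus CSR (the file a CA is asked to sign).
  newreq() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2.key" -out "$2.csr"; }
  # sign NAME SECTION [signer options]: turn NAME.csr into NAME.pem.
  sign() { n=$1 e=$2; shift 2
    openssl x509 -req -in "$n.csr" -days 2 -extfile ext.cnf -extensions "$e" -out "$n.pem" "$@"; }
  {
    newreq "Constructed Root CA" root && sign root ca -signkey root.key &&
    newreq "Constructed Intermediate CA" inter &&
    sign inter ca -CA root.pem -CAkey root.key -CAcreateserial &&
    newreq "invoice_service.example" client &&
    sign client client -CA inter.pem -CAkey inter.key -CAcreateserial
  } >/dev/null 2>&1
)

# chain_ok ROOT CLIENT [INTERMEDIATE]: succeeds only if CLIENT chains to ROOT
# for TLS client authentication, with INTERMEDIATE as an untrusted helper cert.
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" -purpose sslclient "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
  fi
}

demo() {
  d=$(mktemp -d) || return 1
  build_demo_pki "$d" || { rm -rf "$d"; return 1; }
  chain_ok "$d/root.pem" "$d/client.pem" "$d/inter.pem" && with=accepted || with=rejected
  chain_ok "$d/root.pem" "$d/client.pem" && without=accepted || without=rejected
  rm -rf "$d"
  echo "root+intermediate: $with; root only: $without"
}

demo
```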

All Answers

Bart Caelen (BCiT)

I'm also trying to set up a 2-Way SSL Authentication, but I'm not sure what I need to enter in the Common Name field.

Can I just enter something like tickets.bcit.be or does it need to be something pointing to SFDC? And do I need to do something with tickets.bcit.be (DNS, redirect, ...)?

Tips are more than welcome.


Zenfair

We have the very same situation. Once we upload the signed certificate, how can we import the web service root.cer and other intermediate certificates?

Thanks for the help

sailedaway

Ya, if anyone gets the answer to this, let me know. Premier support is worthless in this case; I cannot get any help. In fact they flat out refused to help.