zgcharley_09

Salesforce SSL certificate change to SHA-256

Hi,

As per the announcement at https://help.salesforce.com/apex/HTViewSolution?id=000206493&language=en_US, the certificate algorithm will be upgraded to SHA-256.

I tested my application with the test endpoint https://sha2test.salesforce.com/services/Soap/u/32.0 and I got a "(411)Length Required" error response. I'd like to confirm: did the SSL test pass?
Scott Hung
Doesn't sound too promising.  When I go to:  https://sha2test.salesforce.com/s/  then I get a "SHA-256 Compatibility Test Passed".
zgcharley_09
I mean for the middleware/integration test, not web browsers. 
JaganC
When I tested my integrations, replacing SF endpoints with https://sha2test.salesforce.com/services/Soap/u/32.0, I got a connection refused error. Does this indicate that my app servers don't support SHA-256 certificates?
Steven Lawrance
Fortunately, the 411 Length Required error is sufficient to establish that the TLS layer was successfully established. The main part of the test is to ensure that an HTTP layer or SOAP layer error response is returned instead of a TLS layer error.

I unfortunately didn't see this thread until just now. The main conversation for this change has been taking place on the Official: Certificate Changes group in the Success Community at https://success.salesforce.com/_ui/core/chatter/groups/GroupProfilePage?g=0F9300000001oAF . I hope that this response isn't too late.

A connection refused error to sha2test.salesforce.com is likely to indicate a local firewall blocking access with an ICMP port-unreachable response. On the open Internet, that URL works. It's likely that the firewall will need to get adjusted to allow access to 136.146.31.247 and 136.146.47.247, which are the IP addresses behind sha2test.salesforce.com.
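
The pass criterion described in this thread, as an added example that is not part of the original posts: any HTTP-layer status (including 411) means the TLS handshake completed, a TLS error is a failure, and a refused or timed-out connection is a network problem that says nothing about SHA-256 support. The names `classify` and `probe` are hypothetical, and the host and path are supplied by the caller.

```python
import http.client
import socket
import ssl
import sys


def classify(outcome):
    """Return (layer, verdict) for an HTTP status int or a raised exception."""
    if isinstance(outcome, int):
        # Any HTTP status, including 411 Length Required, arrived over a
        # completed TLS session, so the certificate chain was accepted.
        return ("http", "pass")
    if isinstance(outcome, ssl.SSLError):
        # Handshake or certificate verification failed: the client stack
        # could not accept the server's certificate.
        return ("tls", "fail")
    if isinstance(outcome, ConnectionRefusedError):
        # No TLS bytes were exchanged; this says nothing about SHA-256 support.
        return ("tcp-refused", "inconclusive")
    if isinstance(outcome, socket.timeout):
        return ("tcp-timeout", "inconclusive")
    if isinstance(outcome, socket.gaierror):
        return ("dns", "inconclusive")
    return ("unknown", "inconclusive")


def probe(host, path, timeout=10):
    """Send one GET over TLS with default verification and classify the result."""
    conn = http.client.HTTPSConnection(
        host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", path)
        return classify(conn.getresponse().status)
    except (OSError, http.client.HTTPException) as exc:
        return classify(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python probe.py HOST PATH
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it from the same server and runtime as the integration, since the verdict reflects the TLS stack and trust store of the process that makes the call.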