prakash_sfdc

Client certificate authentication on web service callout in Salesforce

I am trying to invoke third-party web services from Salesforce using WSDL2APEX. The client has also shared a .p12 certificate which I need to use for client authentication while making the web service call from Salesforce, along with a username and password.

I converted the above .pfx into base64 using OpenSSL and tried the below:
stub.clientCert_x = 'base64encodedstring';
stub.clientCertPasswd_x = 'password used for importing .pfx (password used for protecting private key)';


I am not sure whether the above password is the same as the keystore password. But this method is not working.

I converted the .p12 (.pfx) into .jks, imported it into Salesforce and used the below:

stub.clientCertName_x = 'CertificateUniqueName';

Even the above method didn't work. I tried the same with HTTP callouts, but no luck.

I am not sure where I am going wrong. I am getting a response from the server that the authentication certificate is missing, hence I believe that the callout is successful.

My client has used "GlobalSign Root CA" which is supported by Salesforce.

Please let me know if my approach is wrong. Should I first export the .p12 into public and private keys and then use those?
Lakshmi_lb14447
Hi,

I am facing a similar issue, I too have tried all the options of sending the PFX file to the server for authentication.

Please let me know if you have found any resolution?

Thank You,
Lakshmi.
jaysun
Hi
#TechAddict - you don't need to import the .p12 into Salesforce.
To invoke a webservice callout:
1. Add the webservice URL into remote site settings - This is mandatory

Now you have two options. Self Signed or CA signed:

2. Now you need to send Salesforce's self signed certificate (in this case don't mention a password in the Apex code; just the certificate name is sufficient)

3. Or send a CA signed certificate (legacy process) to the web service provider for them to trust salesforce.com
If you use the legacy process, i.e. CA signed, then you need to use the password "that you used while importing the CA signed certificate into Salesforce" while making the web service callout. Here you need to Base64 encode the certificate
https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_callouts_client_certs_soap.htm

4. If you are not using a CA signed certificate then you don't need to use a password

The confusing term you have used is "third party web service". I believe a webservice will always be external to your Org and hence it's implicitly third party.

So you don't need to import the certificate provided by the web service provider into Salesforce, but just need to add the URL of the web services into remote sites.

Here is the URL which explains how to configure 2-Way SSL. But I agree the documentation doesn't explain how to configure for a CA signed certificate.
https://developer.salesforce.com/page/Making_Authenticated_Web_Service_Callouts_Using_Two-Way_SSL

Let me know if this helps.
 
jaysun
Actually step 3 (for CA signed) is a twofold process:
1. Import the CA provided certificate into Salesforce - which will require you to enter a password while importing into Salesforce

2. Now you need to click on the certificate name in Salesforce, which will display a "Download Certificate" option

This is the certificate you need to send to the webservice provider for them to trust Salesforce (while making the callout)

Now you need to Base64 encode the downloaded certificate (which is nothing but a string of characters) and use it in the Apex code
along with the password that was used while IMPORTING in step 1.

jaysun
@Lakshmi_lb14447 @TechAddict
jaysun
My apologies for the incorrect mention in step #3.

The correct way to use a CA signed certificate is mentioned here:
https://help.salesforce.com/HTViewHelpDoc?id=security_keys_uploading_signed_cert.htm&language=en_US. So the password is NOT what you used while IMPORTING but must be known to you (I believe this has to be derived in the interaction between you and your certificate CA).
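As an added example (not code from this thread, nor from Salesforce's own docs), here is how the two paths discussed above look in Apex: the stored-certificate path by unique name for both a WSDL2Apex stub and an HTTP callout, with the legacy base64 fields left as a commented alternative. It assumes a certificate with unique name 'PartnerClientCert' stored under Certificate and Key Management, the endpoint registered in Remote Site Settings, and a WSDL2Apex-generated class PartnerService with port PartnerPort and operation getStatus; all of those names and URLs are placeholders.

```apex
public with sharing class PartnerCallout {
    // Placeholder: unique name of the cert in Setup > Certificate and Key Management.
    private static final String CERT_NAME = 'PartnerClientCert';

    // SOAP via a WSDL2Apex stub. Non-legacy path: reference the stored cert by name.
    // No password and no base64 blob are needed in Apex for this path.
    public static String callSoap() {
        PartnerService.PartnerPort stub = new PartnerService.PartnerPort(); // placeholder stub
        stub.endpoint_x = 'https://partner.example.com/service';            // placeholder endpoint
        stub.clientCertName_x = CERT_NAME;
        // Legacy path (alternative to clientCertName_x): clientCert_x takes the
        // base64 of the whole PKCS#12 (.pfx/.p12) keystore, i.e. the file that
        // holds the private key, and clientCertPasswd_x its export password.
        // Keep both out of source; read them from a protected Custom Setting
        // or Custom Metadata instead of hardcoding them.
        // stub.clientCert_x = pkcs12Base64;
        // stub.clientCertPasswd_x = pkcs12Password;
        return stub.getStatus(); // placeholder operation
    }

    // HTTP (REST) callout: the same stored cert is attached by name.
    // The username/password from the thread go in a Basic auth header here;
    // in practice prefer a Named Credential so no secret lives in Apex.
    public static HttpResponse callHttp(String user, String pwd) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://partner.example.com/api/status');          // placeholder endpoint
        req.setMethod('GET');
        req.setClientCertificateName(CERT_NAME);
        req.setHeader('Authorization',
            'Basic ' + EncodingUtil.base64Encode(Blob.valueOf(user + ':' + pwd)));

        HttpResponse res;
        try {
            res = new Http().send(req);
        } catch (System.CalloutException e) {
            // TLS handshake failures surface here (server rejected the cert
            // or does not trust its issuer).
            System.debug(LoggingLevel.ERROR, 'TLS/callout failure: ' + e.getMessage());
            throw e;
        }
        // A 401/403 after a completed handshake usually means the cert was not
        // presented (wrong unique name, or the stored cert has no private key)
        // or the server does not trust its issuer.
        if (res.getStatusCode() == 401 || res.getStatusCode() == 403) {
            System.debug(LoggingLevel.ERROR, 'Auth rejected: ' + res.getStatus());
        }
        return res;
    }
}
```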
Kalyan Erraguntla 5
Is this issue fixed?