karthik karthik

Mutual Authentication Certificate Error

Hi,

I enabled Mutual Authentication in Salesforce and also added the certificate in Salesforce. For testing purposes I tested my certificate from the SoapUI tool, and while testing I got the following error. It's urgent, please help me.

Error:  <html><head><title>Certificate Error</title></head><body bgcolor=#ffffff text=#3198d8><center><img src="http://www.sfdcstatic.com/common/assets/img/logo-company.png"><p><h3>Client certificate error:<i>unable to verify the first certificate</i></h3></center></body></html>
 
pcon
Is your client certificate signed by one of the valid SSL CAs listed here [1]?

[1] https://developer.salesforce.com/page/Outbound_Messaging_SSL_CA_Certificates
karthik karthik
Hi pcon,

Thanks for your response. The client certificate is in the list. Do you have any idea about that error?

 
karthik karthik
I'm still getting the same error. Please, I need some urgent help. Thanks in advance.
tggagne

You've probably figured it out by now, but having just gotten it to work myself I thought I'd share...

The certificate signing request must be created outside of Salesforce.  Do not use Salesforce's Create CSR link.  The reason for this is you need to have both your CSR AND your private key.

I created our key and CSR with the commands:

openssl genrsa -out gencsr.key 2048
openssl req -new -sha256 -key gencsr.key -out gencsr.csr

After getting our client's networking group to sign the CSR, we were returned four files: ServerCertificate.crt, Intermediate1.crt, Intermediate2.crt, and Root.crt.

I concatenated ServerCertificate.crt and Intermediate1.crt together into a single certificate.crt, and loaded that into Salesforce as a Mutual Authentication Certificate.

Then I used the curl command below to verify it was working.  Note: if you're on a Mac the curl command won't work because Apple hacked it to use its own keychain stuff.  I wasn't able to get that to work, so my easiest path was to use the curl that came with git-bash in my Windows 7 Fusion VM:
 

# -k turns off verification of the server's certificate; --key and --cert supply
# our private key and the leaf+intermediate chain file uploaded to Salesforce
curl -v -k \
	https://cs4.salesforce.com:8443/services/Soap/u/31.0 \
	-H "Content-Type: text/xml; charset=UTF-8" \
	-H "SOAPAction: login" \
	-d @gagne.txt \
	--key gencsr.key \
	--cert certificate.crt

My sandbox instance was on cs4.  Using "test.salesforce.com" times-out.  Don't bother.

The SOAP command inside gagne.txt resembles:
 

<?xml version="1.0" encoding="utf-8" ?>
<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
  <n1:login xmlns:n1="urn:partner.soap.sforce.com">
	<n1:username>USERNAME</n1:username>
	<n1:password>PASSWORD</n1:password>
  </n1:login>
</env:Body>
</env:Envelope>

If you haven't whitelisted your client's IP address, you will need to append a security token after the password.

In all, the most important things to remember were:
  1. generate your own private key and CSR using openssl
  2. the certificate for us was the ServerCertificate.crt and the first intermediate concatenated together
  3. curl needed both the --key and --cert parameters
    1. if your private key has a passphrase, include that as "--pass passphrase"
  4. don't use OSX's curl -- it's been ruined.  Build it yourself or use curl on another box.
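The following shell script is an added example and is not part of tggagne's post or anything Salesforce ships. It rebuilds the situation the post describes with a throwaway CA so the "leaf plus first intermediate" advice can be checked offline: it generates a root and an intermediate, produces the same gencsr.key/gencsr.csr pair as the post, signs the leaf with the intermediate, and then shows with openssl verify that the leaf alone does not chain to the root while the concatenated certificate.crt does. Every name in it (Demo Root CA, Demo Intermediate CA, salesforce-client) is made up, the file names mirror the four files the post received, it assumes openssl is on PATH, and it works in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the original post. Builds a throwaway CA chain with
# openssl so the "concatenate leaf + first intermediate" advice can be checked
# offline. All names (Demo Root CA, Demo Intermediate CA, salesforce-client)
# are made up; the file names mirror the ones the post received from its
# signing team. Requires openssl on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Throwaway root CA (stand-in for Root.crt).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Demo Root CA" -keyout root.key -out Root.crt >/dev/null 2>&1

# 2. Intermediate CA signed by the root (stand-in for Intermediate1.crt).
#    CA:TRUE is required or a chain through it will not verify.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA Root.crt -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile int.ext -out Intermediate1.crt >/dev/null 2>&1

# 3. Our own key and CSR, generated outside Salesforce as the post says,
#    so the private key stays with us for curl's --key.
openssl genrsa -out gencsr.key 2048 >/dev/null 2>&1
openssl req -new -sha256 -key gencsr.key -subj "/CN=salesforce-client" \
  -out gencsr.csr >/dev/null 2>&1

# 4. What the signing team hands back: the leaf, signed by the intermediate,
#    marked for TLS client authentication.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
openssl x509 -req -in gencsr.csr -CA Intermediate1.crt -CAkey int.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out ServerCertificate.crt >/dev/null 2>&1

# 5. The file to upload as the Mutual Authentication Certificate: leaf first,
#    then the intermediate that signed it (the order the post used).
cat ServerCertificate.crt Intermediate1.crt > certificate.crt

# cert_count FILE: number of PEM certificates in FILE.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# first_cn FILE: CN of the first certificate in FILE, which is the one a TLS
# peer treats as the client certificate (the rest are sent as its chain).
first_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# verify_chain FILE: succeed only if the first certificate in FILE chains to
# Root.crt using the other certificates in FILE as untrusted intermediates.
# A leaf-only file fails with an issuer lookup error, which is the condition
# behind a "cannot verify the client certificate" style rejection.
verify_chain() {
  openssl verify -CAfile Root.crt -untrusted "$1" "$1" >/dev/null 2>&1
}

# curl_cmd: print the login call from the post pointed at the chain file.
# Printed rather than run so the example stays offline; -k is left out here
# because it would also switch off verification of the server's certificate.
curl_cmd() {
  printf 'curl -v %s -H %s -H %s -d @gagne.txt --key %s --cert %s\n' \
    'https://cs4.salesforce.com:8443/services/Soap/u/31.0' \
    '"Content-Type: text/xml; charset=UTF-8"' '"SOAPAction: login"' \
    "$WORK/gencsr.key" "$WORK/certificate.crt"
}

echo "leaf only:  $(verify_chain ServerCertificate.crt && echo verifies || echo FAILS)"
echo "leaf+chain: $(verify_chain certificate.crt && echo verifies || echo FAILS)"
curl_cmd
```

Running it prints "leaf only: FAILS" and "leaf+chain: verifies", which is the whole point of step 2 in the post: Salesforce can only accept the client certificate if it can build a path from it to a CA it trusts, and when the signer is an intermediate that path has to be shipped along with the leaf. Root.crt is not included in certificate.crt because the verifying side already holds the root; sending it adds nothing.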