ServiceDesk Admin 1

Certificate to Connect with SAP via Outbound Message

We are trying to get an Outbound Message to an SAP Endpoint URL.

So after double-checking the certificates, it seems that the root certificate on the endpoint is a valid Salesforce.com CA:
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

There is an intermediate certificate whose ISSUER is the root CA, and the OWNER of this certificate appears on the SSL certificate:

Owner: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

And the SSL certificate for the endpoint (OWNER) does point to the intermediate certificate as its ISSUER:

Owner: CN=hds-solmandev.hdsmith.com, OU=solman, O="H.D Smith, LLC", L=Springfield, ST=Illinois, C=US
Issuer: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Will this be enough to send an outbound message to the Endpoint URL? It keeps failing with the error:

javax.net.ssl.SSLPeerUnverifiedException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The port is also open from Salesforce to the Endpoint URL.

asagarwal.com
Hi there,

We faced a similar issue and, after logging a case with Salesforce, here is the solution that we got. See if this helps you.

Please ask your endpoint to present all the certificates. The order in which your server must be configured to send the certificates is as below:

1. Server certificate
2. Intermediate certificate that signed the server certificate, assuming that your server's certificate was not signed directly by a root certificate
3. Intermediate certificate that signed the intermediate certificate above, if applicable (some certificates have several levels of intermediate certificates)
4. Repeat step 3 for any remaining intermediate certificates.

Do not include the root certificate authority certificate. Note that the root certificate is not supposed to be sent by your server. Salesforce.com already has its own list of trusted certificates on file, and a certificate in the chain must be signed by one of those root certificate authority certificates.

Typically, the last certificate in the chain is the one that was signed by one of the trusted root certificate authority certificates.

Other things can go wrong, but the above are the typical things that happen. Note that web browsers typically include popular intermediate certificates, such as VeriSign's intermediate certificates, so your web site might work in a web browser but fail in Salesforce.com. Salesforce.com trusts only the root certificates and does not directly trust any intermediate certificates. Thus, for a server certificate that was signed by an intermediate certificate to be trusted by Salesforce.com, your server must include all intermediate certificates in its returned certificate chain, and one of those intermediate certificates -- preferably, the last one in the chain -- must be trusted by one of the root certificate authority certificates that Salesforce.com trusts.

Cheers,
Ashish (http://www.asagarwal.com)
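The ordering rules in the answer above can be checked mechanically before asking the endpoint owner to change anything. The script below is an added example and is not part of the original thread, of Salesforce's tooling, or of SAP's; it assumes `openssl` is on PATH and that the chain to inspect is saved as a PEM file in the order the server sends it (the output of `openssl s_client -connect host:443 -servername host -showcerts </dev/null` works unchanged, since the splitter ignores non-certificate lines). The function names `split_bundle`, `cert_name`, `check_chain_order` and `verify_with_roots` are my own. `check_chain_order` confirms that certificate N+1 is the issuer of certificate N all the way down and that the last certificate is not a self-signed root; `verify_with_roots` then does what a root-only verifier such as the Salesforce sender does: every presented certificate is treated as untrusted input and the path must end at a root in a separate trust file.

```shell
#!/bin/sh
# chaincheck.sh: lint a PEM bundle the way a root-only TLS client will see it.
# Added example, not code from the original thread. Assumes openssl on PATH.

# Split a bundle into cert01.pem, cert02.pem, ... inside directory $2,
# keeping the order in which the certificates appear in $1.
split_bundle() {
  awk -v p="$2/cert" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s%02d.pem", p, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/  { close(f); inside = 0 }
  ' "$1"
}

# Print the subject or issuer ($1) of certificate file $2 as one canonical
# RFC 2253 line, so names from different certificates compare exactly.
cert_name() {
  openssl x509 -in "$2" -noout -"$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Return 0 only when every certificate is followed by its issuer and the last
# certificate is not self-signed (a self-signed last cert is the root, which
# the server is not supposed to send).
check_chain_order() {
  cco_dir=$(mktemp -d)
  split_bundle "$1" "$cco_dir"
  cco_status=0
  cco_n=0
  cco_prev_issuer=""
  cco_last_subject=""
  for cco_f in "$cco_dir"/cert*.pem; do
    [ -f "$cco_f" ] || break          # glob did not match: no certificates
    cco_n=$((cco_n + 1))
    cco_subject=$(cert_name subject "$cco_f")
    cco_issuer=$(cert_name issuer "$cco_f")
    if [ "$cco_n" -gt 1 ] && [ "$cco_subject" != "$cco_prev_issuer" ]; then
      echo "cert $cco_n: expected '$cco_prev_issuer' (issuer of cert $((cco_n - 1))), got '$cco_subject'"
      cco_status=1
    fi
    cco_prev_issuer=$cco_issuer
    cco_last_subject=$cco_subject
  done
  rm -rf "$cco_dir"
  if [ "$cco_n" -eq 0 ]; then
    echo "no certificates found in $1"
    return 1
  fi
  if [ "$cco_last_subject" = "$cco_prev_issuer" ]; then
    echo "cert $cco_n is self-signed: do not send the root, the verifier already has it"
    cco_status=1
  elif [ "$cco_status" -eq 0 ]; then
    echo "order OK; '$cco_prev_issuer' must be in the verifier's root store"
  fi
  return $cco_status
}

# Emulate a root-only verifier: the first certificate in bundle $1 is the
# server certificate, everything presented is untrusted, and the path must
# end at a root contained in the trust file $2.
verify_with_roots() {
  vwr_dir=$(mktemp -d)
  split_bundle "$1" "$vwr_dir"
  openssl verify -CAfile "$2" -untrusted "$1" "$vwr_dir/cert01.pem"
  vwr_rc=$?
  rm -rf "$vwr_dir"
  return $vwr_rc
}
```

Run `check_chain_order chain.pem` on the captured bundle first; a report of an out-of-order certificate or a trailing self-signed root is exactly the mis-configuration the answer describes. If the order is clean, `verify_with_roots chain.pem roots.pem` with a root-only trust file reproduces the "unable to find valid certification path" failure whenever an intermediate is missing, because nothing in the trust file can sign the last presented certificate directly.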