Newer Version Available

This content describes an older version of this product.

Certificate

Represents a certificate used for digital signatures that verify requests are coming from your org. Certificates are used either for authenticated single sign-on with an external website or when your org acts as an identity provider. This type extends the MetadataWithContent metadata type and inherits its content and fullName fields.

File Suffix and Directory Location

Certificate components have the suffix .crt and are stored in the certs folder.

Version

Certificate components are available in API version 36.0 and later.

Fields

Field Name Field Type Description
caSigned boolean Required. Indicates whether this certificate is CA-signed (true) or self-signed (false).
expirationDate dateTime The date on which this certificate expires and is no longer usable. For self-signed certificates, the expiration date is set automatically: 1 year after creation if keySize is 2048 bits, 2 years after creation if keySize is 4096 bits. For CA-signed certificates, expirationDate is automatically updated to the signed certificate's expiration date when a signed certificate chain is uploaded. The date format is YYYY-MM-DD.
keySize int Size in bits of the certificate's key pair, either 2048 or 4096. A certificate with a 4096-bit key lasts 2 years; a certificate with a 2048-bit key lasts 1 year. Signing and verification are faster with 2048-bit keys than with 4096-bit keys. If keySize isn't specified when you create a certificate, the key size defaults to 2048 bits.
masterLabel string Required. A user-friendly name for the certificate that appears in the Salesforce user interface, such as in Certificate and Key Management. Limit: 64 characters.

Usage

You can use the Metadata API to create either a self-signed or a CA-signed certificate. For a CA-signed certificate, the contents of the .crt file depend on the certificate's state: immediately after creation it holds the certificate signing request (CSR); after you upload the signed certificate chain, it holds that chain, and you can update it again when you renew the certificate or replace the intermediate certificates in the chain. For details, see About Salesforce Certificates and Keys in the Salesforce Help.

To copy an existing certificate's X.509 parameter data to a new certificate, upload the existing certificate. You can also use this procedure to renew a certificate. A new public/private key pair is generated for the new certificate, and the private key never leaves Salesforce: the API allows neither import nor export of private keys. For details, see Repeating an Upload of a CA-Signed Certificate in Salesforce Help.

Using the Metadata API, you can download a CSR. After it’s CA-signed, you can upload it back to Salesforce.
  • Downloading a CSR. The CSR is downloadable after a CA-signed certificate is created. Until a signed certificate chain has been uploaded to that certificate, the content of the downloaded .crt file is the CSR.
  • Uploading a CA-Signed Certificate. To upload the signed certificate chain back to Salesforce, save the signed certificate chain as the content of the .crt file and update it via the Metadata API.

After the signed certificate chain is uploaded via the Metadata API, the CSR for that certificate can no longer be downloaded via the API, because the content of the .crt file is now the signed certificate chain. The CSR remains downloadable via the UI.
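The step a practitioner wants between receiving the CA's reply and updating the .crt file is a check that the returned chain actually belongs to the CSR that was downloaded, because the private key cannot be pulled out of Salesforce to prove ownership any other way. The following is an added example, not Salesforce code and not part of this page: a standard-library Python script with a minimal DER walker that compares the CSR's SubjectPublicKeyInfo with the leaf certificate's, checks that the chain is ordered leaf first (each certificate's issuer is the next certificate's subject), and reads the leaf's notAfter in the YYYY-MM-DD form Salesforce will store in expirationDate. The function names, the PEM labels it accepts, and the sample CSR and certificates are assumptions; the samples are constructed dummy DER structures with no real keys or signatures, standing in for the files you would read from disk.

```python
"""Pre-upload check for a CA-signed Salesforce certificate chain (added example).
Salesforce never exports the private key, so the practical check before uploading is:
leaf SubjectPublicKeyInfo (SPKI) equals the CSR's SPKI, the chain is ordered leaf
first, and the leaf's notAfter is what expirationDate will become. Stdlib only."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Yield (label, der_bytes) for each PEM block in text, in file order."""
    for label, body in PEM_RE.findall(text):
        yield label, base64.b64decode("".join(body.split()))

def der(tag, payload):
    """Encode one DER TLV (short or long form); used here only to build the samples."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_children(buf):
    """Split a constructed DER value into (tag, full_tlv, content) triples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, start = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                 # long-form length
            n = length & 0x7F
            length, start = int.from_bytes(buf[start:start + n], "big"), start + n
        end = start + length
        out.append((tag, buf[pos:end], buf[start:end]))
        pos = end
    return out

def csr_spki(der_bytes):
    """SPKI (full TLV) of a PKCS#10 CertificationRequest; info = version, subject, SPKI, attrs."""
    info = der_children(der_children(der_bytes)[0][2])[0][2]
    return der_children(info)[2][1]

def cert_fields(der_bytes):
    """issuer, subject, SPKI (full TLVs) and the notAfter triple of an X.509 certificate."""
    k = der_children(der_children(der_children(der_bytes)[0][2])[0][2])   # TBSCertificate fields
    off = 1 if k[0][0] == 0xA0 else 0                     # explicit [0] version present?
    return {"issuer": k[off + 2][1], "subject": k[off + 4][1],
            "spki": k[off + 5][1], "not_after": der_children(k[off + 3][2])[1]}

def expiration_date(not_after):
    """Render a notAfter triple as YYYY-MM-DD, the form Salesforce shows for expirationDate."""
    tag, _, text = not_after
    text = text.decode("ascii")
    if tag == 0x17:                                       # UTCTime: YY >= 50 means 19YY (RFC 5280)
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]
    else:                                                 # GeneralizedTime: four-digit year
        year, rest = int(text[:4]), text[4:]
    return f"{year:04d}-{rest[:2]}-{rest[2:4]}"

def check_chain_against_csr(csr_pem, chain_pem):
    """Return (ok, findings, leaf_expiration) for the chain you are about to upload."""
    csrs = [d for lbl, d in pem_blocks(csr_pem) if lbl.endswith("CERTIFICATE REQUEST")]
    certs = [cert_fields(d) for lbl, d in pem_blocks(chain_pem) if lbl == "CERTIFICATE"]
    if len(csrs) != 1 or not certs:
        return False, ["expected exactly one CSR and at least one certificate"], None
    findings = []
    if certs[0]["spki"] != csr_spki(csrs[0]):
        findings.append("leaf public key does not match the CSR (wrong CSR, or wrong org?)")
    for i in range(len(certs) - 1):
        if certs[i]["issuer"] != certs[i + 1]["subject"]:
            findings.append(f"chain order: certificate {i} was not issued by certificate {i + 1}")
    return not findings, findings, expiration_date(certs[0]["not_after"])

# --- constructed samples: dummy DER carrying no real keys or signatures (assumption) ---
RSA_OID, SHA256RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
SPKI_A = der(0x30, der(0x30, der(0x06, RSA_OID)) + der(0x03, b"\x00key-A"))
SPKI_B = der(0x30, der(0x30, der(0x06, RSA_OID)) + der(0x03, b"\x00key-B"))
SIG = der(0x30, der(0x06, SHA256RSA_OID)) + der(0x03, b"\x00sig")      # signatureAlgorithm + signature

def _name(cn):                                            # Name > RDN SET > { commonName OID, UTF8String }
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, cn.encode()))))

def _pem(label, der_bytes):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der_bytes).decode()}\n-----END {label}-----\n"

def _csr(spki):
    info = der(0x30, der(0x02, b"\x00") + _name("My Org") + spki + der(0xa0, b""))
    return _pem("CERTIFICATE REQUEST", der(0x30, info + SIG))

def _cert(subject, issuer, spki, not_after=b"170319235959Z"):
    validity = der(0x30, der(0x17, b"160319000000Z") + der(0x17, not_after))
    tbs = der(0x30, der(0xa0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, der(0x06, SHA256RSA_OID))
              + _name(issuer) + validity + _name(subject) + spki)
    return _pem("CERTIFICATE", der(0x30, tbs + SIG))

CSR_PEM = _csr(SPKI_A)
GOOD_CHAIN = _cert("My Org", "Example CA", SPKI_A) + _cert("Example CA", "Example Root", SPKI_B)
WRONG_KEY_CHAIN = _cert("My Org", "Example CA", SPKI_B) + _cert("Example CA", "Example Root", SPKI_B)
MISORDERED_CHAIN = _cert("Example CA", "Example Root", SPKI_B) + _cert("My Org", "Example CA", SPKI_A)
```

To use it on real files, read the retrieved .crt (while it still holds the CSR) and the CA's PEM bundle into csr_pem and chain_pem and call check_chain_against_csr; with the constructed samples, the good chain returns (True, [], '2017-03-19'), the wrong-key chain reports a single finding, and the misordered chain reports both a key mismatch and an ordering problem. The check covers structure and key ownership only; it does not verify the signatures, which the CA and Salesforce do.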

Declarative Metadata Sample Definition

The following is an example of a Certificate component.

<?xml version="1.0" encoding="UTF-8"?>
<Certificate xmlns="http://soap.sforce.com/2006/04/metadata">
    <caSigned>true</caSigned>
    <expirationDate>2017-03-19</expirationDate>
    <keySize>4096</keySize>
    <masterLabel>My Certificate Name</masterLabel>
</Certificate>