Salesforce Client SSL certificate is expired

I am trying to get two-way SSL authentication working between Salesforce and my Tomcat server so I can send encrypted web service calls from Salesforce.  One way works just fine.  However, when I try using the Client Certificate that I downloaded from Setup > App Setup > Develop > API, it gets rejected with a "bad_certificate" IO Exception because Salesforce's certificate expired in 2004 (!!).  I'm not the only one having this problem (see http://community.salesforce.com/sforce/board/message?board.id=general_development&view=by_date_ascending&message.id=19703)  Does anyone know where the new certificate is?

Hi all,
  Can anyone bring out the difference between a regular API and an Apex API? Does it mean the usage of the URLs? Please bring out the difference soon..
Is it that the usage of the URL https://www.salesforce.com is the regular one and https://login.salesforce.com is Apex?
Seeking your reply..
Actually, what expired is the intermediate certificate that is bundled with Windows, you need to get an updated intermediate cert, the salesforce.com cert is fine.

After installing the new Intermediate cert via the following links, it is now saying that the Issuer of the Salesforce sfdc-client.cert is not recognized.  I think this is because the Issuer of the Salesforce certificate is the expired name that the directions below tell you to delete.  If the issuer is no longer recognized, doesn't Salesforce have to update their certificate?

I am trying to do the same thing without any success. Were you able to figure out how to get Tomcat to verify SF's client certificate? If so, how? Did you install the intermediate VeriSign certificate in the trusted keystore? Or in the keystore? Did you have to install the SF certificate? (I don't see why, though, because the intermediate VeriSign certificate should be enough to verify the trust chain.)

The expired intermediate cert was replaced with this one.  If I recall correctly, you have to create a new keystore, self-signed cert, and cert signing request.  Then you must import the keystore into the trusted keystore.

Thank you so much for your prompt request, and I apologize ahead for not fully grasping your response. I am pretty new at this, so please bear with me.

I created a self-signed cert with the following command:

$ keytool -genkeypair -alias ssigned -keyalg RSA \
    -keystore sample.jks -storepass changeit \
    -keypass changeit -dname 'cn=localhost'

then I self certify it:

$ keytool -selfcert -alias ssigned -keystore sample.jks \
    -storepass changeit -keypass changeit

Which key do I need to create a CSR for? My already self signed one?

In my early attempts I tried importing the intermediate certificate you sent me a link for into the trust keystore, but it did not work. Which steps am I missing?

Just to see a positive test case, I went and bought myself a personal certificate from Verisign. The certificate itself came with two intermediate certificates. For my tests:

  1. I extracted the certificate via the certificate backup mechanism in Firefox, which produces a PKCS12 keystore.
  2. I used keytool to convert the PKCS12 keystore into a JKS one, and I set my private key password to be the same as the keystore one.
  3. I configured my soapUI test client to use the JKS keystore.
  4. I ran my unit tests without any hitch, while my Tomcat-deployed web services were logging the client certificate Issuer and Subject DNs with the following bit of code:

    // The servlet container exposes the verified client chain as a request attribute.
    X509Certificate[] certs = (X509Certificate[]) rqst.getAttribute(
            "javax.servlet.request.X509Certificate");
    if (certs != null && certs.length > 0) {
        for (int i = 0; i < certs.length; ++i) {
            log.info("[" + i + "] Subject " + certs[i].getSubjectDN().getName());
            log.info("[" + i + "] Issuer " + certs[i].getIssuerDN().getName());
        }
    } else {
        log.info("no certs found in request");
    }

In this experiment I did not have to install the intermediate certificates into the truststore that Tomcat is using. So I start to question whether or not installing the VeriSign intermediate certificate anywhere on our Tomcat server makes any sense. I believe that the Salesforce SSL client should use a properly configured keystore with all the proper non-expired intermediate certificates so that our Tomcat instances can verify the Salesforce client certificate trust chain. The onus of the intermediate certificates is on the client, not on the server.

Of course these are simple observations that I derived from my test, and I wholeheartedly admit that I am a complete clueless newbie on these matters. So please, Salesforce, enlighten me on how to use your client certificate on Tomcat, 'cause I am on day 4 of this head-wrecking crusade and I still get that **bleep** bad_certificate exception!

On a side note, when I downloaded the certificate, the RFC-encoded text came all in one line. I had to edit it to import it.
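To pin down which certificate in the chain is actually being rejected, here is an added diagnostic (not code from this thread, Salesforce or Tomcat): it loads the downloaded client certificate and the intermediate it chains through, prints each validity window, and then runs the same JSSE trust check a Tomcat connector applies to a client certificate, using a truststore of your choosing. The file names sfdc-client.cert, intermediate.pem, truststore.jks and the password changeit are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic, not from the thread; file names and the password are assumed.
public class ClientCertChainCheck {
    public static void main(String[] args) throws Exception {
        String leafPem = args.length > 0 ? args[0] : "sfdc-client.cert";  // assumed
        String issuerPem = args.length > 1 ? args[1] : "intermediate.pem"; // assumed
        String trustStore = args.length > 2 ? args[2] : "truststore.jks";  // assumed
        char[] trustPass = "changeit".toCharArray();                       // assumed

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(loadPem(cf, leafPem));    // client (leaf) certificate first
        chain.add(loadPem(cf, issuerPem));  // intermediate CA that issued it

        // Print each validity window: an expired intermediate shows up here.
        for (X509Certificate c : chain) {
            System.out.printf("%s%n  issuer: %s%n  valid:  %s .. %s%s%n",
                c.getSubjectX500Principal(), c.getIssuerX500Principal(),
                c.getNotBefore(), c.getNotAfter(),
                c.getNotAfter().before(new Date()) ? "   <-- EXPIRED" : "");
        }

        // Apply the trust check Tomcat's JSSE connector uses, with its truststore.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStore)) {
            trust.load(in, trustPass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkClientTrusted(chain.toArray(new X509Certificate[0]), "RSA");
            System.out.println("client chain is trusted by " + trustStore);
        } catch (CertificateException e) {
            System.out.println("client chain rejected: " + e.getMessage());
        }
    }

    private static X509Certificate loadPem(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}
```

The rejection message is the one the trust manager would raise inside Tomcat (for example a path-building failure when the issuer is unknown, or a timestamp failure when a certificate in the chain is expired), so it tells you whether the fix belongs in the truststore or in the certificate chain the client sends.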

Did you manage to fix your problem? I'm no expert by far and haven't tried any of the tips, as I don't have this problem, but have a look at http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services; there seem to be a few tips, hints and solutions to some problems there on setting up SSL with a server.
Thanks for asking,

In the Apex manual they tell you how to use your own certificate and embed it in the code that calls your web services. So the client certificate that SF supplies is simply useless.

Yogesh Arora

Hi, I might be bumping a quite old thread, but thought someone of you might be able to help me.

I am working on integrating Salesforce with an external service. They have provided me with a signed certificate, which I need to send along with the request. I am not sure how I should do that. Where in Salesforce can I store an already signed certificate?

Thanks in advance for any help.