
Client Certificate Expiration


What is the change?

On December 7, 2013, the certificate used by proxy.salesforce.com for outbound SSL/TLS connections will expire. Customers impacted by this change include those using SAML authentication, Delegated Authentication over HTTPS, or Workflow Outbound Messaging callouts.


We will update the certificate used by proxy.salesforce.com according to the following schedule:


All Sandbox (CS) instances EXCEPT CS5 and CS6:
Wed, Dec 4, 2013 from 0:00 to 10:00 UTC/GMT
Tue, Dec 3, 2013 from 16:00 to Wed, Dec 4 2:00 PST

Sandbox instances CS5 and CS6:
Wed, Dec 4, 2013 from 13:00 to 20:00 UTC/GMT
Wed, Dec 4, 2013 from 22:00 to Thu, Dec 5 5:00 JST

All EU instances:
Wed, Dec 4, 2013 from 21:00 to Thu, Dec 5 4:00 UTC/GMT

All NA instances:
Thu, Dec 5, 2013 from 1:00 to 11:00 UTC/GMT
Wed, Dec 4, 2013 from 17:00 to Thu, Dec 5 3:00 PST

All AP instances:
Thu, Dec 5, 2013 from 13:00 to 20:00 UTC/GMT
Thu, Dec 5, 2013 from 22:00 to Fri, Dec 6 5:00 JST


You can find the new certificate here: https://success.salesforce.com/_ui/core/chatter/groups/GroupProfilePage?g=0F9300000001oAF&fId=0D53000001JskgN.


The new certificate will be valid until October 17, 2017.


Who is impacted by this change?

Only customers who use proxy.salesforce.com certificates will be affected by this change. This includes those using SAML authentication, Delegated Authentication over HTTPS, or Workflow Outbound Messaging callouts.


To identify whether you are using any of the above, you can follow these steps:

  • SAML: Check the Single Sign On settings page by navigating to <Your Name> | Setup | Security Controls | Single Sign On Settings. Check if the SAML Enabled preference is enabled and if SAML SSO has been configured on the SAML Single Sign On Setting page.
  • Delegated Authentication: Please contact customer support to check whether the Single Sign On: Delegated Authentication permission is enabled.
  • Workflow Outbound Messaging: Navigate to <Your Name> | Setup | App Setup | Create | Workflow & Approvals | Outbound Messages to understand if this is enabled.


You will need to download the new client certificate and set up your configuration depending on how your organization uses it by December 3 (Sandbox) and December 4 (production).


You can find the new certificate here: https://success.salesforce.com/_ui/core/chatter/groups/GroupProfilePage?g=0F9300000001oAF&fId=0D53000001JskgN


Customers who are doing an exact match check on the client certificate will need to update their endpoint to trust both the old and new client certificates. Customers using SAML will need to trust both the old and new certificates. While multiple certificates per provider should be supported, some SAML Identity Providers may have issues with handling multiple certificates from a single Service Provider.


I think I may be affected by this change. What action do I need to take?

If your organization currently uses proxy.salesforce.com certificates, you have two options for ensuring they remain up-to-date prior to December 3 (Sandbox) and December 4 (production):

  1. Switch to org-specific certificate settings. To help you manage these types of certificate expirations, we’ve introduced a new feature that allows you to configure an org-level certificate in lieu of using the proxy.salesforce.com certificate. Please note: Only SAML authentication is supported at this time. Delegated Authentication and Workflow Outbound Messaging callouts will support the org level certificate configuration in a subsequent release.
     Information on how to configure SAML SSO is available here: http://help.salesforce.com/HTViewHelpDoc?id=sso_saml_idp_values.htm&language=en_US
     General guidelines for configuring SAML SSO settings are available here: http://help.salesforce.com/apex/HTViewHelpDoc?id=sso_saml.htm&language=en_US#sso_saml
  2. Update all references to proxy.salesforce.com in your organization settings. Alternately, to ensure a seamless transition, you can configure endpoints to trust the proxy.salesforce.com certificate chain, including the root and client certificates. If you are doing an exact match check on the client certificate, you will also need to update the endpoint to trust both the old and new client certificates.
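
The "trust both the old and new client certificates" step for an endpoint that does an exact match check, sketched in Python as an added example (not Salesforce code). The certificate bytes are constructed stand-ins, and the last-day values reuse the expiry dates given in this notice as an assumption.

```python
import hashlib
import hmac
from datetime import date

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()

# Constructed stand-ins for DER bytes; a real endpoint would take them from
# its TLS stack, e.g. ssl.SSLSocket.getpeercert(binary_form=True).
OLD_DER = b"constructed-old-proxy-client-cert"
NEW_DER = b"constructed-new-proxy-client-cert"
OTHER_DER = b"constructed-unrelated-client-cert"

# label -> (pinned fingerprint, last day the pin is honoured).
# Assumption: the last days reuse the expiry dates in this notice.
PINS = {
    "old": (fingerprint(OLD_DER), date(2013, 12, 7)),
    "new": (fingerprint(NEW_DER), date(2017, 10, 17)),
}

def match_pin(peer_der: bytes, pins: dict, today: date):
    """Return the label of the pin the peer certificate matches, or None."""
    presented = fingerprint(peer_der)
    matched = None
    for label, (pinned, last_day) in pins.items():
        # Compare against every pin without an early exit.
        same = hmac.compare_digest(presented, pinned)
        if same and today <= last_day:
            matched = label
    return matched

def retirable(pins: dict, today: date) -> list:
    """Labels of pins past their last day, which can be removed from config."""
    return sorted(l for l, (_, last_day) in pins.items() if today > last_day)

if __name__ == "__main__":
    switchover = date(2013, 12, 4)
    old_only = {"old": PINS["old"]}
    print(match_pin(NEW_DER, old_only, switchover))  # single old pin: no match
    print(match_pin(NEW_DER, PINS, switchover))      # both pins: new accepted
    print(match_pin(OLD_DER, PINS, switchover))      # both pins: old accepted
    print(retirable(PINS, date(2013, 12, 8)))        # old pin can be dropped
```

Logging the returned label shows when traffic has moved to the new certificate, which is the signal for removing the old pin.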


What will happen if I take no action?

If you are using proxy.salesforce.com certificates, we highly recommend you take action no later than December 3 (Sandbox) and December 4 (production). If you do not update and trust the new certificate, you may encounter the following issues, depending on how you use certificates:

  • SAML: System Administrators may see signature validation errors on SAML requests.
  • Delegated Authentication: System administrators may observe login failures in the login history for their organization. End users may experience login failures with messages such as “Your company's authentication service is currently down. Please contact the administrator at your company for more information.”
  • Workflow Outbound Messages: System administrators may observe queued messages in Setup | Monitoring | Outbound Messages.


Where do I go for further information?

You can find the new certificate here: https://success.salesforce.com/_ui/core/chatter/groups/GroupProfilePage?g=0F9300000001oAF&fId=0D53000001JskgN


Salesforce.com support is always available to answer any questions you may have about this change. We appreciate your business and look forward to working with you to support your continued success.