Bergin

How to verify certificate in an inbound API call when using Mutual TLS

I have an incoming API call from an external system that uses Mutual TLS. I want to verify whether the cert that comes in the incoming call to Salesforce is from the right client that has access to our instance.
i.e., to verify that the cert coming in has a specific common name that we have authorized.

Is there a way to do this verification in Salesforce?
Khan Anas (Salesforce Developers)
Hi Bergin,

Greetings to you!

Certificate Chain Validation:

When your API client connects to your organization's API endpoint on port 8443, that endpoint sends a client certificate request during the TLS handshake. That request has an empty list of client certificate authority names. The API client needs to send a client certificate chain - the client certificate along with all intermediate certificates that exist in the trust path between the client certificate and its root certificate - to Salesforce during the TLS handshake.

Salesforce uses standard certificate chain validation to ensure that the client certificate chain is signed properly and is trusted by a root certificate in Salesforce. This includes a temporal check of all certificates' validity timestamps along with revocation checks using certificate revocation lists. The signature of each certificate in the chain is validated using the public key in its issuer's certificate.

Certificate Identity Verification:

The client certificate's identity information is passed along in the request to the Salesforce application servers. Within Salesforce's application servers, a verification of the client certificate's identity occurs if the user has the "Enforce SSL/TLS Mutual Authentication" user permission enabled.

When a user with the "Enforce SSL/TLS Mutual Authentication" user permission enabled accesses Salesforce, the client certificate's identity information is used to look up the mutual authentication certificate from the org. If the certificate is found and matches the client certificate that was sent to Salesforce, access is granted, but if it does not match or is not found, then access is denied. If no client certificate is presented by the API client, then that user's access to Salesforce is denied.

Users that do not have the "Enforce SSL/TLS Mutual Authentication" user permission enabled are able to access Salesforce either without a certificate or with any certificate that chains up to a root certificate in the list of Outbound Messaging SSL CA Certificates. 

Please refer to the knowledge article and help articles below, which might help you further with the above requirement.

https://help.salesforce.com/articleView?id=000318715&type=1

https://help.salesforce.com/articleView?id=security_keys_uploading_mutual_auth_cert.htm&type=5

https://blog.superpat.com/2018/01/25/salesforce-mutual-authentication-part-1-the-basics/

Here's a list of Outbound Messaging SSL CA Certificate Providers that Salesforce Servers are able to work with.

https://na93.salesforce.com/cacerts.jsp

I hope it helps you.

Kindly let me know if it helps you and close your query by marking it as solved so that it can help others in the future. It will help to keep this community clean.

Thanks and Regards,
Khan Anas
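The two-stage check that the answer above describes, written out as an added example (this is not part of the answer and not Salesforce's own code): a Go program using only the standard library's crypto/x509 that first performs chain validation (each signature checked against its issuer's key, the chain anchored in a configured root, validity dates checked against a fixed clock; CRL checking is left out) and then the identity match against the certificate that was uploaded for the user. The AuthorizedClient type, the function names and the whole root -> issuing CA -> client PKI are assumptions constructed in memory for the demonstration, and "api-client.example" is a made-up common name. The scenarios show why a common-name check on its own is not enough: a certificate with the right CN from an untrusted issuer fails chain validation, and a certificate with the right CN from the trusted issuer still fails the identity check unless it is the exact certificate on file. The "intermediate not sent" case is the client-side caveat from the answer: the right certificate is refused when the intermediate is missing from what the client presents.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuthorizedClient (hypothetical type, not a Salesforce API) stands in for the mutual authentication
// certificate uploaded to the org: the exact cert the user must present and the CN the org expects.
type AuthorizedClient struct {
	CommonName string
	Cert       *x509.Certificate
}

// VerifyClient applies the two stages from the answer. Chain validation: the leaf plus the
// intermediates the client sent must chain to a trusted root, each signature checked with its
// issuer's key and every cert valid at `now` (x509.Verify does all of this; CRL checks are omitted).
// Identity verification: the leaf must carry the authorized CN and be byte-for-byte the uploaded
// certificate, so a different cert with the same CN is refused even when it chains cleanly.
func VerifyClient(leaf *x509.Certificate, sent []*x509.Certificate, roots *x509.CertPool,
	now time.Time, auth AuthorizedClient) error {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if leaf.Subject.CommonName != auth.CommonName {
		return fmt.Errorf("identity check failed: CN %q is not authorized", leaf.Subject.CommonName)
	}
	if !leaf.Equal(auth.Cert) {
		return fmt.Errorf("identity check failed: not the uploaded mutual authentication certificate")
	}
	return nil
}

// Constructed in-memory test PKI; nothing below is a real Salesforce or customer certificate.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// tmpl builds a minimal CA or client-auth leaf template; Go fills in the key identifiers when signing.
func tmpl(cn string, ca bool, nb, na time.Time, serial int64) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true, IsCA: ca}
	if !ca {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs t with signer (parent == t gives a self-signed cert) and parses the result back.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// Scenarios builds root -> issuing CA -> client and returns each case's outcome (nil = access granted).
func Scenarios() map[string]error {
	now := time.Date(2023, 11, 1, 0, 0, 0, 0, time.UTC) // fixed clock so results are reproducible
	yr := 365 * 24 * time.Hour
	rootKey, caKey, clientKey, otherKey := newKey(), newKey(), newKey(), newKey()
	rootT := tmpl("Constructed Root CA", true, now.Add(-2*yr), now.Add(10*yr), 1)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	ca := issue(tmpl("Constructed Issuing CA", true, now.Add(-yr), now.Add(5*yr), 2), root, &caKey.PublicKey, rootKey)
	client := issue(tmpl("api-client.example", false, now.Add(-yr), now.Add(yr), 3), ca, &clientKey.PublicKey, caKey)
	expired := issue(tmpl("api-client.example", false, now.Add(-2*yr), now.Add(-yr), 4), ca, &clientKey.PublicKey, caKey)
	sameCN := issue(tmpl("api-client.example", false, now.Add(-yr), now.Add(yr), 5), ca, &otherKey.PublicKey, caKey)
	rogueT := tmpl("api-client.example", false, now.Add(-yr), now.Add(yr), 6) // self-signed, not in the trust store
	rogue := issue(rogueT, rogueT, &otherKey.PublicKey, otherKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	auth := AuthorizedClient{CommonName: "api-client.example", Cert: client}
	chain := []*x509.Certificate{ca}
	return map[string]error{
		"valid chain, uploaded cert":      VerifyClient(client, chain, roots, now, auth),
		"intermediate not sent":           VerifyClient(client, nil, roots, now, auth),
		"expired client cert":             VerifyClient(expired, chain, roots, now, auth),
		"same CN, not the uploaded cert":  VerifyClient(sameCN, chain, roots, now, auth),
		"untrusted self-signed, right CN": VerifyClient(rogue, nil, roots, now, auth),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-32s -> %v\n", name, err)
	}
}
```

Run it with go run; each scenario prints <nil> for access granted or the reason for denial. The check is written from the server's point of view, which is what the answer describes for the Salesforce side; it models that behaviour and is not Salesforce's implementation. Comparing the whole certificate rather than only the CN is what makes a CN-only bypass fail: any CA that the server trusts could issue another certificate with the same common name, but only one certificate is on file for the user.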