ckemp
Salesforce Client SSL certificate is expired
Hello,
I am trying to get two-way SSL authentication working between Salesforce and my Tomcat server so I can send encrypted web service calls from Salesforce. One way works just fine. However, when I try using the Client Certificate that I downloaded from Setup > App Setup > Develop > API, it gets rejected with a "bad_certificate" IO Exception because Salesforce's certificate expired in 2004 (!!). I'm not the only one having this problem (see http://community.salesforce.com/sforce/board/message?board.id=general_development&view=by_date_ascending&message.id=19703) Does anyone know where the new certificate is?
After installing the new Intermediate cert via the following links, it is now saying that the Issuer of the Salesforce sfdc-client.cert is not recognized. I think this is because the Issuer of the Salesforce certificate is the expired name that the directions below tell you to delete. If the issuer is no longer recognized, doesn't Salesforce have to update their certificate?
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=ad4
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO8227
I am trying to do the same thing without any success. Were you able to figure out how
to get tomcat to verify SF's client certificate? If so how? Did you install the intermediate
verisign certificate in the trusted keystore? Or in the keystore? Did you have to install
the SF certificate? (I don't see why though because the intermediate verisign certificate
should be enough to verify the trust chain)
Ciao
Stefano
not fully grasping your response. I am pretty new at this so please bear
with me.
I create a self signed cert with following command
then I self certify it:
Which key do I need to create a CSR for? My already self signed one?
In my early attempts I tried importing the intermediate certificate you
sent me a link for, in the trust keystore but it did not work. Which
steps am I missing?
Ciao
Stefano
Just to see a positive test case, I went and bought myself a personal certificate from Verisign. The certificate itself came with two intermediate certificates. For my tests:
In this experiment I did not have to install the intermediate certificates into the truststore that tomcat is using. So I start to question whether or not installing the verisign intermediate certificate anywhere on our tomcat server makes any sense. I believe that Salesforce SSL client should use a properly configured keystore with all the proper non expired intermediate certificates so that our tomcat instances can verify the salesforce client certificate trust chain. The onus of the intermediate certificates is on the client not on the server.
Of course these are simple observations that I derived from my test, and I wholeheartedly admit that I am a complete clueless newbie on these matters. So please Salesforce enlighten me on how to use your client certificate on tomcat, 'cause I am on day 4 of this head wrecking crusade and I still get that **bleep** bad_certificate exception!
On a side note when I downloaded the certificate, the rfc encoded text came all in one line. I had to edit it
Ciao
Stefano
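The post above mentions that the downloaded certificate's RFC-encoded (PEM) text arrived on a single line and had to be edited by hand. The following is an added example, not code from the thread or from Salesforce: it re-wraps such a file at the 64 columns RFC 7468 specifies and rejects a corrupt body before it reaches a truststore import. The function name `normalize_pem` and the sample bytes are assumptions made for illustration.

```python
import base64
import binascii
import re

# Matches one PEM block even when header, body and footer share a single line.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

def normalize_pem(text: str) -> str:
    """Return every PEM block found in `text`, re-wrapped at 64 columns."""
    blocks = []
    for match in PEM_RE.finditer(text):
        label = match.group("label")
        body = "".join(match.group("body").split())  # drop all whitespace
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"corrupt base64 in {label} block") from exc
        # A DER-encoded certificate always starts with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append(
            f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n"
        )
    if not blocks:
        raise ValueError("no PEM block found")
    return "".join(blocks)

# Constructed sample: DER-shaped filler bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
ONE_LINE = (
    "-----BEGIN CERTIFICATE-----"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----"
)

if __name__ == "__main__":
    print(normalize_pem(ONE_LINE), end="")
```
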
On the apex manual they tell you how to use your own certificate to embed it in the code that calls your web services. So the client certificate that SF supplies is simply useless.
Ciao
Stefano
Hi, I might be bumping a quite old thread, but thought someone of you might be able to help me.
I am working on integrating Salesforce with an external service. They have provided me with a signed certificate, which I need to send along with the request. I am not sure how I should do that. Where in Salesforce can I store an already signed certificate?
Thanks in advance for any help.
Yogesh