yortch

Ability to import certificates for mutual authentication

I have a requirement to integrate with an external web service using APEX web service callouts and providing a certificate for mutual authentication. Based on this link this is supported:

http://wiki.developerforce.com/index.php/Making_Authenticated_Web_Service_Callouts_Using_Two-Way_SSL

The security group, however, would like to have a single certificate across multiple sandboxes. They will only support CA-signed certificates and not self-signed certificates. Based on the fact that you need to generate the certificate request from each sandbox, I do not see a way to support this 'single' certificate requirement.

Furthermore, the sample certificate that they support is as follows:

DC=com, DC=highmark, OU=external, OU=people, UID=salesforceuser

The generated certificate request contains the following attributes, and I do not see a way to input additional attributes based on the form provided:

C=US, ST=ST, L=City, O=Company, OU=external, CN=salesforceuser

Legerdemain

I'm also interested in what others have done in this area.

chuckmortimore

The only way you can currently have a single certificate that spans multiple orgs is to use the older version of SSL mutual auth. You need to embed a PKCS12 file directly in your Apex code. Using this, one cert can be used across the orgs, as long as they share or duplicate the code.

As far as the DN components for the cert subject, this is not configurable; that being said, I haven't seen the format of subjects be an issue before for this type of use-case. Are you sure it will really matter? If so, could you elaborate on the restriction, as well as what software is being used on the server?

chuckmortimore

By the way, for details on doing this, check out setClientCertificate on the HttpRequest object in the Apex docs.

yortch

Thank you for the information. I could not find sample code or detailed information regarding the setClientCertificate method, other than what is in the API documentation:

http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_restful_http_httprequest.htm

My understanding is that I will need to take the contents of a PKCS12 certificate file and assign them into a string variable within my APEX code. I will then need to call the setClientCertificate method passing the certificate string variable as the first argument, and the certificate password as the second argument. Does this sound about right?

Also, the setClientCertificate method is currently marked as 'deprecated'. Do you know if and when this method will be removed from the API altogether?

yortch

The reason why the DN components need to match is because on the server end, the certificate is mapped to a 'user ID' for authorization purposes. The format provided is what is currently being used. I will confirm if they need to match 100% to the sample provided, but I believe there is some room to tweak them.

chuckmortimore

Yes - the steps you outlined are correct.

I don't know on the deprecated question, but I'm asking around.
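The steps yortch outlined and chuckmortimore confirmed, written out as an Apex class. This is an added example, not code from the thread or from Salesforce's documentation. It assumes a CA-signed PKCS12 file that has been base64-encoded into the PKCS12_BASE64 constant (a placeholder here), a PKCS12 password, and an endpoint already listed in the org's Remote Site Settings; the class name, method names and the `MutualTlsException` type are all invented for the illustration. The second method shows the per-org alternative via `setClientCertificateName`, which is what the two-way SSL wiki page's org-generated certificate feeds; it does not span orgs, which is the trade-off the thread is about.

```apex
// Added example: mutual-TLS callouts from Apex using both APIs discussed in the thread.
// Assumptions: PKCS12_BASE64 holds the base64 text of a CA-signed PKCS12 file (placeholder
// below), and the target endpoint is whitelisted in Remote Site Settings.
public with sharing class MutualTlsCallout {

    public class MutualTlsException extends Exception {}

    // Placeholder, not a real certificate: paste the base64 of your .p12 file here.
    private static final String PKCS12_BASE64 = 'MIIJ...PLACEHOLDER...';

    // Placeholder password. The thread's approach embeds both cert and password in code,
    // which means anyone with read access to the org's Apex (and to source control)
    // effectively holds the client identity; treat the class accordingly.
    private static final String PKCS12_PASSWORD = 'changeit';

    // Option 1 (thread's recommendation): embedded PKCS12 via the deprecated
    // setClientCertificate(String base64Pkcs12, String password). The same class, and
    // therefore the same certificate, can be deployed to every sandbox or org.
    public static HttpResponse postWithEmbeddedCert(String endpoint, String body) {
        HttpRequest req = buildRequest(endpoint, body);
        req.setClientCertificate(PKCS12_BASE64, PKCS12_PASSWORD);
        return send(req);
    }

    // Option 2 (per-org): reference a certificate created under Setup > Certificate and
    // Key Management by its developer name. The CSR is generated inside each org, so the
    // subject DN is whatever the org's form produced and differs per org.
    public static HttpResponse postWithOrgCert(String endpoint, String body, String certDevName) {
        HttpRequest req = buildRequest(endpoint, body);
        req.setClientCertificateName(certDevName);
        return send(req);
    }

    private static HttpRequest buildRequest(String endpoint, String body) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(endpoint);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'text/xml; charset=UTF-8');
        req.setBody(body);
        req.setTimeout(30000); // milliseconds
        return req;
    }

    private static HttpResponse send(HttpRequest req) {
        HttpResponse res = new Http().send(req);
        // A TLS handshake failure (wrong password, cert not trusted by the server) surfaces
        // as a System.CalloutException from send(); a rejected identity usually comes back
        // as an HTTP 401/403 instead, so check the status explicitly.
        if (res.getStatusCode() < 200 || res.getStatusCode() >= 300) {
            throw new MutualTlsException('Callout failed: ' + res.getStatusCode() + ' ' + res.getStatus());
        }
        return res;
    }
}
```

Usage from Execute Anonymous would be `MutualTlsCallout.postWithEmbeddedCert('https://example.invalid/service', '<soap:Envelope/>');` with a placeholder endpoint. Because the embedded variant puts a private key and its password into Apex source, the practical mitigation is to restrict who can view and deploy that class and to rotate the PKCS12 when people with that access leave; nothing in the thread changes the fact that the key material is only as private as the code.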