function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
SFDC coderSFDC coder 

Confused with certificates for integration

Hello Experts,

We have a integration between salesforce and SAP via SAP PI. The external system is using HTTPS protocol and has asked if any other set up is required to have a secure connection while triggering outbound messages from SAP to salesforce.

This is when certificates come to my mind. We have both inbound as well as outbound integration between the systems.
I would want to know if:
1.While sending outbound messages from salesforce the certificate generated and provided by the external system has to be used in SOAP callouts. Correct?
2.When the external system sends outbound messages from SAP to salesforce, we need to generate and provide them CA signed certificate,which they will sign and send back to us. We then upload it in salesforce and the external system uses it while sending outbound messages from SAP to salesforce? Is my assumption correct?
3. Also i wish to know the difference between self signed and CA signed certificates and why should we not use self signed instead of CA signed?

Any help is appreciated

SFDC coder
Martijn SchwarzerMartijn Schwarzer
Hi SFDC coder!

That sounds like a cool integration!

Regarding your question: I only have experience with option 1. So, I'll focus on that one.

In order to setup two way SSL you'll need to do the following:

1: Create Server-side SSL connection (this is in your case on the SAP side, so not for you).
2: In Salesforce, you go to "Certificate and Key Management" and generate a CA-signed certificate. You fill the form based on the information you get from the 3rd party admin (SAP side. Common Name and such are usually provided by them).
3: You download the Certificate Signing Request document (.csr file) and send it to the network specialist (at SAP side) to have it signed by a CA (Certificate Authority).
4: You should get a certificate back (.crt file), which you upload in Certificate and Key Management Section in Salesforce
5: You pass the client certificate with each callout to SAP

There's a great article that explains the process above in more detail:

Regarding your last question: Self-Signed Certificates are less secure than CA-signed certificates. Self-Signed certificates can be created by anyone, as opposed to CA-signed. those are signed by a Certificate Authority, and therefore more secure (and more expensive as well)

I hope this helps!

Best regards,
Martijn Schwärzer

SFDC coderSFDC coder
Hi Henk, Your answer clarified my first point thoroughly. Thankyou so much for your response. I am still awaiting for someone to confirm on the next 2 points as well. Moreover we have passed just self signed certificate generated in SFDC(sandbox) to SAP. Do you know if we need to generate a new one for production as well or they can use the same? Thanks and Regards,

Any answer how these certificate settings affect the second points? :/