Salesforce Mutual Authentication Setup

In this article

Mutual Authentication Setup

To enable mutual authentication in Salesforce, follow these steps:

  1. Log into the Salesforce portal.

  2. Navigate to Setup > Security Controls > Certificate and Key Management.

  3. By default, you cannot view the Mutual Authentication Certificate section. In such a case, you need to raise a request to the Salesforce Support team to enable this section.

  4. Once this section is enabled, you need a CA signed certificate to upload in this section. See “Create CA signed certificate” for more information.

  5. Once you have the CA signed certificate, click Upload Mutual Authentication Certificate.

  6. Provide a label and name for your certificate.

  7. Click Choose File to locate the certificate.

  8. Click Save to save the upload.

  9. Create a custom profile to enable the “Enforce SSL/TLS Mutual Authentication” user permission for an API Only user.

This API Only user configures the API client to connect on port 8443 to present the signed client certificate. If you are using a certificate chain, the client certificate must include any intermediate certificates in the chain when contacting port 8443.

Creating CA Signed Certificate

To create a CA Signed Certificate:

  1. Log into the Salesforce portal.

  2. Navigate to Setup.

  3. Enter Certificate and Key Management in the Quick Find box, and then select Certificate and Key Management.

  4. Select Create CA-Signed Certificate.

  5. Enter a descriptive label for the Salesforce certificate. This name is used primarily by administrators when viewing certificates.

  6. Enter a unique name. You can accept the name that’s populated based on the certificate label you enter.
    Note: Use a unique name when referring to the certificate using the Lightning Platform web services API or Apex.

    • The name can contain only underscores and alphanumeric characters, and must be a unique name in your org.

    • It must begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.

  7. Select a key size for your certificate and keys.
    For securing data in transit through TLS, we recommend you to use the default 2048-bit key size. 

  8. Enter the following information. These fields are combined to generate a unique certificate.

    1. Common Name: The fully qualified domain name of the company requesting the signed certificate, generally of the form .

    2. Email Address: The email address associated with this certificate.

    3. Company: The legal name of your company or your legal name.

    4. Department: The branch of your company using the certificate, such as marketing or accounting.

    5. City: The city where the company resides.

    6. State: The state where the company resides.

    7. Country Code: A two-letter code indicating the country where the company resides. For example, the value for United States is US.

  9. Click Save to save the Salesforce certificate.
    The certificate and corresponding keys are automatically generated.

  10. Find your new certificate from the certificates list, then click Download Certificate Signing Request.
    Note: Downloaded certificate signing requests have .CSR extensions.

  11. Send the certificate request to the certificate authority of your choice. For example, GoDaddy.

  12. After the certificate authority returns the signed certificate, go back to Certificate and Key Management, click the name of the certificate, then click Upload Signed Certificate.
    The CA-signed certificate must match the certificate created in Salesforce. If you upload a different CA-signed certificate, the upload fails.

  13. Click Save to complete the upload process.

Once you run the curl command, if you encounter Client certificate error:unable to get local issuer certificate error, this means that the certificate chain is incomplete. To check the intermediate certificate, first inspect the issuer of the certificate shared by CA using the following command:
openssl x509 -text -noout -in 887539a9e02f4af2.pem

Note down the Issuer: CN name. The CN is the Intermediate Certificate. Go to the Issuer: OU site mentioned in the above output to get the required intermediate certificate. For example,

  • You can verify the accuracy of the chosen intermediate certificate using the following command:

openssl verify -CAfile gdig2.crt.pem 887539a9e02f4af2.pem

  • You can attach the pem file with the certificate pem using the below command.

cat 887539a9e02f4af2.pem gdig2.crt.pem > gdIntermedite.pem


The certificate chain order must meet the following requirements:

  • Start with the server or client certificate and then add its signing certificate.

  • If more than one intermediate certificate exists between the server or client certificate and the root, add each certificate as the one that signed the previous certificate.

  • The root certificate is optional, and generally should not be included.

Additional Helpful Commands







To update the alias of a certificate in the KeyStore file.


keytool -changealias  -alias sourceAlias -destalias ma_2_cert_oct_6_2021 -keypass Snaplogic123 -keystore snaplogic_SF.jks -storepass Snaplogic123 -storetype JKS -v


Changes the alias name from "sourceAlias" to "ma_2_cert_oct_6_2021" in snaplogic_SF.jks file.

To copy required certificate from a group of certificates using alias from a KeyStore file.

keytool -importkeystore -srckeystore 00D0m0000001mkL.jks -destkeystore keystore.p12 -srcalias "ma_2_cert_sep_22_2021" -srcstoretype jks -deststoretype pkcs12

Extracts "ma_2_cert_sep_22_2021" Alias from  00D0m0000001mkL.jks key store to KeyStore.p12

To delete a certificate from a Keystore using the alias.

keytool -delete -alias selfsignedcert_11dec2020_191506 -keystore 00D0m0000001mkL.jks -storepass Snaplogic@123

Deletes "selfsignedcert_11dec2020_191506" certificate from 00D0m0000001mkL.jks  keystore.

See Also