
Refresh expiring Salesforce X509 certificates

September 14th, 2017 by

Tired of receiving the “You have one or more certificates in your Salesforce org XYZ* that will expire soon…” notices? Or worse, when your CEO receives it and sends a panicked email to you at 3 in the morning?

You can put an end to this bombardment of emails, for you and your users, by creating a new certificate and transitioning all your Connected Apps and APIs to use it. Certificates in Salesforce are used by Connected Apps that rely on SAML, and by the SOAP and REST APIs. This post walks through creating new certificates with longer expiry dates to replace the expiring ones.

The process of creating and configuring a new certificate is straightforward and can be done in two quick steps:

The issue is that Salesforce, by default, creates self-signed certificates that are valid for only a year. This means that every year you have to create new certificates. The process (as described above) is relatively painless, but most of these Connected Apps are third-party integrations, which means a whole lot of coordination is needed to migrate those applications to the new certificate. The actual work is easy and just involves the third-party systems/vendors importing the new certificate. The coordination to make that happen, and then to test all of the integrations, is what takes the time.

One way to mitigate this is not to rely on Salesforce to generate the certificates, but to generate them yourself with longer expiry dates.

Note: Most Certificate Authorities (CAs) will only issue shorter-term certificates because they want to limit the damage from a private key that gets compromised. Since we are using a single self-signed certificate, we can rotate the key and certificate on our own schedule.

OpenSSL is an excellent open source tool for this. Here is a quick-and-dirty guide to generating a certificate for use with Salesforce:

Step 1: Generate a self-signed certificate valid for 10 years

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 3650

Here the -days flag sets the validity period of this certificate to 10 years (3650 days). You can set it to any number of days.

Step 2: Convert the certificate and key into a PKCS#12 file

openssl pkcs12 -export -in cert.pem -inkey key.pem -out server.p12 -name salesforce_cert

Note: Use a password when prompted, as you will need it later.

Step 3: Import the new certificate into a Java keystore (JKS) file, the format Salesforce expects

keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -alias salesforce_cert

Note: Newer JDKs default to PKCS12 keystores, so -deststoretype JKS is given explicitly; Salesforce's keystore import only accepts JKS.

Step 4: Import the new certificate into Salesforce

Go to Setup -> Certificate and Key Management -> Import from Keystore, and then import the keystore file created in Step 3.

You now have a new certificate available that is valid for 10 years. Just modify any of your Connected Apps to use the new certificate, and send the public certificate (cert.pem from Step 1, which contains the public key but not the private key) to the external systems, so that they can continue working with the new certificate.
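Steps 1 to 3 above, as an added example script that is not part of the original post: it runs the same openssl and keytool commands non-interactively (subject and password passed on the command line instead of prompted), and adds an expiry check you can schedule so the next rotation is planned rather than triggered by a warning email. It assumes openssl and keytool are on PATH; the file names, alias, subject and password are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl and keytool
# are on PATH; names, alias and password below are constructed placeholders.
set -eu

# Step 1: self-signed certificate and private key, valid for <days>, no prompts.
gen_selfsigned() {   # gen_selfsigned <basename> <days> <subject-CN>
  openssl req -x509 -newkey rsa:4096 -nodes -days "$2" \
    -subj "/CN=$3" -keyout "$1.key.pem" -out "$1.cert.pem" 2>/dev/null
}

# Step 2: bundle certificate and key into PKCS#12 under the given alias.
to_pkcs12() {        # to_pkcs12 <basename> <alias> <password>
  openssl pkcs12 -export -in "$1.cert.pem" -inkey "$1.key.pem" \
    -out "$1.p12" -name "$2" -passout "pass:$3"
}

# Step 3: convert to the JKS keystore that Salesforce's Import from Keystore accepts.
# Store and key passwords are kept identical, as keytool does by default.
to_jks() {           # to_jks <basename> <alias> <password>
  keytool -importkeystore -noprompt \
    -srckeystore "$1.p12" -srcstoretype PKCS12 -srcstorepass "$3" -srcalias "$2" \
    -destkeystore "$1.keystore" -deststoretype JKS -deststorepass "$3" -destalias "$2"
}

# Check: exit 0 if the certificate stays valid for at least <days> more days,
# non-zero otherwise. openssl -checkend takes seconds, so convert from days.
cert_valid_for_days() {   # cert_valid_for_days <cert.pem> <days>
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Report the notAfter date, useful for the inventory you hand to vendors.
cert_not_after() {   # cert_not_after <cert.pem>
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Usage (constructed values): generate, package, convert, then verify.
# gen_selfsigned salesforce 3650 my-org-salesforce
# to_pkcs12 salesforce salesforce_cert 'choose-a-real-password'
# to_jks salesforce salesforce_cert 'choose-a-real-password'
# cert_valid_for_days salesforce.cert.pem 90 || echo "renew soon: $(cert_not_after salesforce.cert.pem)"
```

Run the last check from cron with a lead time of a few months, since that is the window the vendor coordination described above actually needs.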