Client Certificate

Client Certificate Expiration

The salesforce.com client certificate for proxy.salesforce.com expires on January 7, 2012.

The new certificate will be rolled out to production instances between approximately 3pm PST on January 4 and 10am PST on January 5.

You may need to download the new client certificate depending on how your organization uses it.

On January 7, 2012, the certificate used by proxy.salesforce.com for outbound SSL/TLS connections will expire. Customers impacted by this change include those using SAML authentication, Delegated Authentication over HTTPS, or Workflow Outbound Messaging callouts.

Customers who trust the root (C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority) and optionally check that the CN on the client cert is proxy.salesforce.com will have a seamless transition. Customers who are doing an exact match check on the client certificate in their endpoint will need to update their endpoint to trust both the old and new client certificates to have a seamless transition.

The proxy.salesforce.com certificate's private key is used to sign SAML assertions, and the customer's SAML endpoint can use the public key from the proxy.salesforce.com certificate to verify that the SAML assertions are indeed from Salesforce.com. Customers using SAML will need to trust both the old and new certificates for a seamless transition. While multiple certificates per provider should be supported, some SAML Identity Providers may have issues handling multiple certificates from a single Service Provider. For example, Active Directory Federation Services 2.0 fails to import entities with multiple certificates in the Entity Descriptor element (http://technet.microsoft.com/en-us/library/gg317734(WS.10).aspx).
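What "trust both the old and new certificates" means on the verifying side, shown as an added Go example that is not code from this notice or from Salesforce. The endpoint keeps a list of trusted public keys and accepts a signed SAML message if any key in the list verifies it, so the list holds both keys for the rotation window and drops the old one afterwards. The two RSA keys are generated here as constructed stand-ins for the old and new proxy.salesforce.com certificates, the assertion text is a constructed sample, and the signature is a plain PKCS#1 v1.5 signature over the bytes rather than the XML-DSig a real SAML implementation uses; only the rollover logic is the point.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// signAssertion stands in for the signer's side: hash the assertion and sign the
// digest with the current key. Real SAML signs canonicalised XML (XML-DSig); a raw
// PKCS#1 v1.5 signature over the bytes keeps the rollover logic visible.
func signAssertion(key *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyAssertion is the endpoint's check. trusted holds the public key of every
// certificate the endpoint currently accepts, so during a rotation it holds old and
// new. The index of the key that verified is returned so the endpoint can log which
// certificate is still in use and tell when the old one can be dropped.
func verifyAssertion(trusted []*rsa.PublicKey, assertion, sig []byte) (int, error) {
	digest := sha256.Sum256(assertion)
	for i, pub := range trusted {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return i, nil
		}
	}
	return -1, errors.New("signature validation error: no trusted certificate verifies this assertion")
}

// rolloverScenario walks a signed assertion through the stages of the rotation and
// reports which signatures each endpoint configuration accepts. The keys are
// constructed stand-ins for the old and new proxy.salesforce.com certificates.
func rolloverScenario() (map[string]bool, error) {
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// Constructed sample; a real assertion is a full signed XML document.
	assertion := []byte(`<saml:Assertion ID="_constructed-example"><saml:Subject>user@example.com</saml:Subject></saml:Assertion>`)
	sigOld, err := signAssertion(oldKey, assertion)
	if err != nil {
		return nil, err
	}
	sigNew, err := signAssertion(newKey, assertion)
	if err != nil {
		return nil, err
	}
	oldOnly := []*rsa.PublicKey{&oldKey.PublicKey}
	both := []*rsa.PublicKey{&oldKey.PublicKey, &newKey.PublicKey}
	newOnly := []*rsa.PublicKey{&newKey.PublicKey}
	accepts := func(trusted []*rsa.PublicKey, msg, sig []byte) bool {
		_, err := verifyAssertion(trusted, msg, sig)
		return err == nil
	}
	return map[string]bool{
		"not yet updated (old only), new signature": accepts(oldOnly, assertion, sigNew),
		"transition (old+new), old signature":       accepts(both, assertion, sigOld),
		"transition (old+new), new signature":       accepts(both, assertion, sigNew),
		"old retired (new only), old signature":     accepts(newOnly, assertion, sigOld),
		"tampered assertion, new signature":         accepts(both, append([]byte("x"), assertion...), sigNew),
	}, nil
}

func main() {
	results, err := rolloverScenario()
	if err != nil {
		panic(err)
	}
	for stage, ok := range results {
		fmt.Printf("%-44s accepted=%v\n", stage, ok)
	}
}
```

The first line of output is the failure mode the symptoms section describes: an endpoint that still trusts only the old certificate rejects every signature made with the new key once the rollout reaches its instance. Endpoints that cannot hold two certificates at once (the AD FS 2.0 import limitation above) have no "transition" stage and must be switched at the moment the new certificate goes live.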

What problems could I see that indicate an issue with this certificate?

Customers may experience the following symptoms indicating they need to update to and trust the new certificate:

SAML: Customers may see signature validation errors on SAML requests.

Delegated Authentication: System Administrators may observe login failures in the login history for their organization. End users may experience login failures with messages such as “Your company's authentication service is currently down. Please contact the administrator at your company for more information.”

Workflow Outbound Messages: Administrators may observe queued messages in Setup -> Monitoring -> Outbound Messages.

What do I do next?

If your organization needs to download the new certificate, you can file a case with Support, or follow these instructions:

  1. Download the certificate from http://wiki.developerforce.com/images/3/34/New_proxy.salesforce.com_certificate_chain.zip
  2. Unzip the archive, import the certificate into your application server, and configure the server to request the client certificate during the SSL/TLS handshake. The application server then checks that the certificate presented in the handshake matches the one you downloaded.
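How the two endpoint-side strategies this notice contrasts (trust the root and check the CN, versus an exact match on the client certificate) behave across the rotation, shown as an added Go example that is not code from this page or from Salesforce. It issues a constructed root and two constructed proxy.salesforce.com leaves in place of the real VeriSign-rooted chain, then runs both checks against each leaf before and after the endpoint learns the new certificate. The root name, the `must` and `newCert` helpers, and the pin format (hex SHA-256 of the DER certificate) are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers, unique within this run

// must aborts on an unexpected error while issuing the constructed certificates.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a self-signed CA when parentCert is nil, otherwise a client-auth leaf
// signed by the parent. All material is constructed for this example.
func newCert(cn string, isCA bool, parentCert *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signerCert, signerKey := tmpl, key // self-signed root
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	} else {
		signerCert, signerKey = parentCert, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// verifyChainAndCN is the first strategy: chain to the trusted root, then check the CN.
// A renewed leaf from the same CA passes with no endpoint change.
func verifyChainAndCN(leaf, root *x509.Certificate, expectedCN string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	if leaf.Subject.CommonName != expectedCN {
		return fmt.Errorf("client certificate CN %q, want %q", leaf.Subject.CommonName, expectedCN)
	}
	return nil
}

// fingerprint is the SHA-256 of the DER encoding, the usual form of an exact-match pin.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyPinned is the second strategy: exact match against a pin set. It survives a
// rotation only if the set holds both the old and the new certificate.
func verifyPinned(leaf *x509.Certificate, pins map[string]bool) error {
	if !pins[fingerprint(leaf)] {
		return fmt.Errorf("client certificate %s is not in the pinned set", fingerprint(leaf))
	}
	return nil
}

// rotationScenario issues an old and a new leaf from one root and reports what each
// strategy accepts before and after the endpoint learns the new pin.
func rotationScenario() map[string]bool {
	const cn = "proxy.salesforce.com"
	root, rootKey := newCert("Example Root CA (constructed)", true, nil, nil)
	oldLeaf, _ := newCert(cn, false, root, rootKey)
	newLeaf, _ := newCert(cn, false, root, rootKey)
	oldPinOnly := map[string]bool{fingerprint(oldLeaf): true}
	bothPins := map[string]bool{fingerprint(oldLeaf): true, fingerprint(newLeaf): true}
	return map[string]bool{
		"chain+CN accepts old leaf": verifyChainAndCN(oldLeaf, root, cn) == nil,
		"chain+CN accepts new leaf": verifyChainAndCN(newLeaf, root, cn) == nil,
		"old pin only accepts new":  verifyPinned(newLeaf, oldPinOnly) == nil,
		"old+new pins accept old":   verifyPinned(oldLeaf, bothPins) == nil,
		"old+new pins accept new":   verifyPinned(newLeaf, bothPins) == nil,
	}
}

func main() {
	for check, ok := range rotationScenario() {
		fmt.Printf("%-28s %v\n", check, ok)
	}
}
```

The output shows why the notice splits customers into two groups: the chain-plus-CN endpoint accepts the renewed leaf without any change, while the exact-match endpoint rejects it until its pin set holds both certificates, which is the update step 2 above performs. Whichever strategy the endpoint uses, the CN check matters: trusting the root alone would accept any client certificate that CA has issued, not just proxy.salesforce.com.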