[SalesForce] Constructing an SSL certificate chain for uploading to Certificate and Key Management

Background

I generated a CSR from Salesforce setup and have received back the PositiveSSL Certificate from sectigo.com.

But when I try and upload the certificate into Salesforce, I get this error:

Error: The certificate that you are uploading doesn't match the generated certificate signing request.

Included with the SSL certificate were these additional files:

  • Root CA Certificate – AddTrustExternalCARoot.crt
  • Intermediate CA Certificate – USERTrustRSAAddTrustCA.crt
  • Intermediate CA Certificate – SectigoRSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate – mycert.crt

I tried combining a couple of the certificates:

cat mycert.crt AddTrustExternalCARoot.crt > combined.pem

or

cat mycert.crt SectigoRSADomainValidationSecureServerCA.crt > combined.pem

and uploading the combined.pem but I got the same error.

Questions

  1. Why won't Salesforce accept the SSL certificate?
  2. What do I need to do to get Salesforce to accept the cert?

NOTE: I've raised a support ticket and it immediately got closed because the org does not have developer support.

Best Answer

In a certificate chain, you have to include all certificates starting from the domain and up towards the root. This should work:

cat mycert.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt > combined.pem

The position of the certs in the chain is based on Sectigo docs:

Domain Validation:

  • USERTrust RSA Certification Authority [ Root Certificate Cross Signed ]
  • Sectigo RSA Domain Validation Secure Server CA [ Intermediate ]
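
The ordering rule in the answer (your certificate first, each certificate followed by its issuer) and the match against the CSR can both be checked locally with openssl before uploading. This is an added example, not part of the original answer; the function names `check_chain`, `issue` and `make_demo_chain` and the throwaway demo hierarchy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a PEM bundle before uploading it.
# Usage: sh check_chain.sh combined.pem [request.csr]

check_chain() {
    bundle=$1 csr=${2:-}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$bundle"
    [ -f "$tmp/1.pem" ] || { echo "no certificate found in $bundle"; rm -rf "$tmp"; return 2; }
    rc=0 i=1
    if [ -n "$csr" ]; then
        # The first certificate must carry the public key that is in the CSR.
        a=$(openssl req -in "$csr" -noout -pubkey)
        b=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey)
        [ "$a" = "$b" ] || { echo "certificate 1 does not match the CSR"; rc=1; }
    fi
    # Each certificate's issuer must be the subject of the one that follows it.
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject_hash)
        [ "$issuer" = "$subject" ] || { echo "certificate $i was not issued by certificate $((i + 1))"; rc=1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample input: a throwaway root -> intermediate -> leaf hierarchy in DIR.
issue() {  # issue DIR NAME SIGNER COMMON_NAME
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -set_serial 2 -days 1 -out "$1/$2.crt" 2>/dev/null
}
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
    issue "$1" int root "Demo Intermediate" &&
    issue "$1" leaf int "demo.example"
}

if [ "$#" -gt 0 ]; then check_chain "$@"; fi
```

The comparison is by subject and issuer name hash only; it does not verify signatures or validity dates.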