[SalesForce] Constructing a SSL certificate chain for uploading to Certificate and Key Management


I generated a CSR from Salesforce setup and have received back the PositiveSSL Certificate from sectigo.com.

But when I try and upload the certificate into Salesforce, I get this error:

Error: The certificate that you are uploading doesn't match the generated certificate signing request.

Included with the SSL certificate were these additional files:

  • Root CA Certificate – AddTrustExternalCARoot.crt
  • Intermediate CA Certificate – USERTrustRSAAddTrustCA.crt
  • Intermediate CA Certificate – SectigoRSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate – mycert.crt

I tried combining a couple of the certificates:

cat mycert.crt AddTrustExternalCARoot.crt > combined.pem


cat mycert.crt SectigoRSADomainValidationSecureServerCA.crt > combined.pem

and uploading the combined.pem but I got the same error.


  1. Why won't Salesforce accept the SSL certificate?
  2. What do I need to do to get Salesforce to accept the cert?

NOTE: I've raised a support ticket and it got immediately got closed because the org does not have developer support.

Best Answer

In a certificate chain, you have to include all certificates starting from the domain and up towards the root. This should work:

cat mycert.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt > combined.pem

The position of the certs in the chain is based on Sectigo docs:

Domain Validation:

  • USERTrust RSA Certification Authority [ Root Certificate Cross Signed ]
  • Sectigo RSA Domain Validation Secure Server CA [ Intermediate ]
Related Topic