Apex Aide

Building A Custom SSL Certificate Store On the Salesforce Platform

By Justus van den Berg (Medium) · Advanced · Developer · 20 min read
Summary

Salesforce's native certificate store has limitations: a cap of 50 certificates, the risk that production certificates are copied into sandboxes, and no automated rotation. This article details how to build a custom SSL certificate store on the platform using Apex to overcome these challenges. The approach is secure, scalable, and automated: it can manage a large number of certificates, apply tailored access control, and handle the certificate lifecycle more cleanly. Salesforce teams managing complex integrations or frequent certificate rotations can benefit from implementing this solution.

Takeaways
  • Salesforce’s native certificate store is limited to 50 certificates and copies production certificates into sandboxes, which creates security risks.
  • A custom certificate store built in Apex can manage more certificates, with an automated lifecycle and granular access control.
  • Store secrets securely in protected custom settings inside a managed package, so they cannot be queried or exported by unauthorized users.
  • Use a unique encryption key per certificate and manage the store through a custom Apex REST API for external use.
  • Thorough code review and a strict deletion process are critical to maintaining security and preventing exposure.

Let’s fix some “shortcomings” of the Salesforce Certificate Java Key Store for Named Credentials and Single Sign On (SAML).

After many years working with security teams in highly regulated enterprises, I have found myself repeatedly talking about the native Salesforce certificate storage solution: a Java Key Store. A Java KeyStore (JKS) is a repository that stores certificates together with their private keys for use by Java applications. Given that Salesforce is built on Java, this solution makes total sense, but it comes with a few drawbacks.

!! Security is a sensitive and important subject; always discuss anything with your company’s security team or a certified implementation partner. Today’s topic especially is all about creating awareness and sharing some solutions rather than preaching best practices !!

Now I can hear you think “Is the Salesforce Certificate Key Store not secure?!!” So let’s get that myth out of the way first.

Tags: Apex, security, digital-certificates, salesforce, ssl-certificate