Generate a New Certificate with OpenSSL for Use with Salesforce Connected App

OpenSSL is a free set of tools that lets you, among other things, create a TLS certificate. You can find out more about this project by visiting their website at I wrote this post as part of my series on “Creating API Endpoints in Salesforce”. This is Part 2 in that series. If you’re interested in that sort of thing, you can checkout Part 1 here: Create Your Own REST API Endpoints in Salesforce Using Apex REST. If you’re simply here to figure out how to generate a TLS (previous known as SSL) certificate using OpenSSL, carry on.

First check to see if you have OpenSSL already installed. If you’re on a Mac, open Terminal, type openssland press return. If you get an OpenSSL prompt, you have the tool. If not, you can brew install openssl. If you’re on Windows, you may have OpenSSL installed but it may not be in your PATH variable. You can look in your Program Files directory or in your Start menu to see if you see any references to OpenSSL.

In my experience, the simplest method to install the tool on Windows is to find a precompiled binary. Otherwise, you’ll have to download the source and compile it yourself. You can find a listing of sources hosting these binaries on the wiki page, here: Binaries — OpenSSL Wiki. Download and install the version matching your computer architecture. Make a note to where it’s being installed and from there, you’ll get a shortcut to open a command prompt window with the tool in the Path.

Here are the specific openssl commands that I issued, to generate the certificate that I needed to upload to Salesforce, for utilizing the Oauth 2.0 JWT Bearer Flow for Server-to-Server Integration that I needed for my specific use-case:

openssl genrsa -des3 -passout pass:secret -out server.pass.key 2048

The line above instructs the utility to generate a private key using the RSA algorithm, 3DES cipher, use a passphrase (this is optional and in this example, that passphrase is ‘secret’) and a 2048-bit key; save the private key to a file named server.pass.key.

openssl rsa -passin pass:secret -in server.pass.key -out server.key

The line above instructs the utility to generate a matching public key for the private key created with the previous command. Here, the same passphrase that I used to generate the private key is passed in using the “-passin” switch; the private key is passed in using the “-in” switch; the public key is then saved to a file named server.key.

openssl req -new -key server.key -out server.csr

If you stumbled upon this post, trying to create a TLS certificate to secure your webserver, the command above shows you how to generate a Certificate Signing Request (CSR) which you can then give to a Certificate Authority (CA) to have them create a certificate for you.

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

For our purposes here, we don’t need a certificate that’s signed by a CA. Instead, we’ll create a self-signed certificate using that command, above. Here, we’re requesting a certificate in the x509 structure, valid for 365 days, inputting the CSR and the public key that we created in previous steps. The certificate will be saved to a file named server.crt.

Congratulations! You now have a self-signed certificate that you can now upload to your Connected App in Salesforce, which will serve as the gateway to the underlying APIs that we created using Apex. More on that in the next installment.

Part 3: Create a Connected App in Salesforce as Your Apex REST API Gateway

Software Engineer, working in the IT scene for the past 18+ years. Husband. Father to two lively, energetic boys. We live in Nashville, TN