CI CD Setup for Salesforce with JWT Authorisation Flow
Creating Certificates and Keys Locally Using OpenSSL for Salesforce Integration
Introduction
When setting up continuous integration and continuous deployment (CI/CD) processes with Salesforce, one crucial step is creating a self-signed certificate and private key. These are essential for creating a Connected App in Salesforce, which facilitates secure authentication.
This guide walks you through the process of generating certificates and keys locally using OpenSSL. Whether you're on Windows, macOS, or Linux, we'll cover the necessary steps to get you up and running.
Prerequisites
- OpenSSL installed on your machine
- Windows users: You'll need to install OpenSSL manually. You can download it from the OpenSSL for Windows website
- Linux and macOS users: OpenSSL is typically pre-installed
Step 1: Generate the Private Key and Certificate
Open your terminal or command prompt and navigate to the directory where you want to store your certificates.
1.1 Generate an Encrypted Private Key
Run the following command to create an encrypted private key named server.pass.key:
openssl genpkey -des3 -algorithm RSA -pass pass:SomePassword -out server.pass.key -pkeyopt rsa_keygen_bits:2048
- Replace SomePassword with a strong password of your choice.
1.2 Remove the Passphrase from the Private Key
To simplify the process, remove the passphrase:
openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key
- This generates an unencrypted private key named server.key.
- You can delete the server.pass.key file as it's no longer needed:
rm server.pass.key
1.3 Generate a Certificate Signing Request (CSR)
Create the CSR using your private key:
openssl req -new -key server.key -out server.csr
You'll be prompted to enter your organization's details:
- Country Name: Two-letter country code (e.g., US for United States)
- State or Province Name: Full name of your state or province
- Locality Name: Your city
- Organization Name: Your company's legal name
- Organizational Unit Name: Department or division
- Common Name: Fully qualified domain name (FQDN) of your server
- Email Address: Your contact email
- When asked for a challenge password, press Enter to leave it blank
1.4 Generate the Self-Signed Certificate
Create the certificate (server.crt) valid for 365 days:
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
Step 2: Create a Connected App in Salesforce
With your certificate and key ready, the next step is to create a Connected App in Salesforce for authentication.
2.1 Log In to Salesforce
- Log in to your Salesforce org with administrative privileges
2.2 Navigate to App Manager
- Go to Setup (click the gear icon ⚙️ and select Setup)
- In the Quick Find box, type App Manager and select it
2.3 Create a New Connected App
- Click New Connected App in the top-right corner
2.4 Configure the Connected App
Fill out the required fields:
Basic Information:
- Connected App Name: My CI/CD Connected App (or any name you prefer)
- API Name: Auto-populated based on the app name
- Contact Email: your.email@example.com
API (Enable OAuth Settings):
- Enable OAuth Settings: Check this box
- Callback URL: http://localhost:1717/OauthRedirect (placeholder URL)
- Use Digital Signatures: Check this box
- Upload Certificate: Click Choose File and select your server.crt file
Selected OAuth Scopes:
- Move the following scopes to Selected OAuth Scopes:
- Access and manage your data (api)
- Perform requests on your behalf at any time (refresh_token, offline_access)
- Provide access to your data via the Web (web)
- Require Secret for Web Server Flow: Ensure this is checked
- Save the Connected App
2.5 Configure Policies and Profiles
After saving, you'll need to set up permissions:
2.5.1 Set Permitted Users
- Click Manage next to your new Connected App
- Click Edit Policies
- Under OAuth Policies:
- Permitted Users: Select "Admin approved users are pre-authorized"
- Save your changes
2.5.2 Assign Profiles
- Scroll down to the Profiles related list
- Click Manage Profiles
- Select the System Administrator profile or the profile associated with your user
- Save your selections
Step 3: Test the Setup Locally
Before integrating into your CI/CD pipeline, verify that the setup works on your local machine.
3.1 Run the Authentication Command
In your terminal, execute the following command, replacing the placeholders with your actual values:
sfdx force:auth:jwt:grant --clientid <Consumer_Key> --jwtkeyfile <Path_To_server.key> --username <Salesforce_Username> --instanceurl <Salesforce_Login_URL>
- <Consumer_Key>: Found in your Connected App under API (Enable OAuth Settings)
- <Path_To_server.key>: The path to the server.key file you generated
- <Salesforce_Username>: Your Salesforce username (e.g., user@example.com)
- <Salesforce_Login_URL>:
- For production: https://login.salesforce.com
- For sandbox: https://test.salesforce.com
Example:
sfdx force:auth:jwt:grant --clientid 3MVG9...Tl5A --jwtkeyfile ./server.key --username user@example.com --instanceurl https://login.salesforce.com
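What the CLI does on your behalf in the command above, as an added illustration that is not code from the page or from Salesforce's tooling: it builds the JWT bearer assertion from the consumer key, username and login URL, signs it with server.key, and Salesforce checks that signature against the certificate uploaded to the Connected App (here server.crt stands in for it). The argument names, the placeholder consumer key, and the request_token helper are assumptions.

```shell
#!/bin/sh
# Builds and checks the JWT bearer assertion behind `sfdx force:auth:jwt:grant`.
# Assumed inputs (not from the page): consumer key, username, login URL,
# the unencrypted server.key from step 1.2 (treat it as a CI secret, never
# commit it) and server.crt from step 1.4 as the Connected App certificate.

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }   # RFC 7515 base64url

b64url_decode() {
  s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done         # restore padding
  printf '%s' "$s" | openssl base64 -d -A
}

# make_jwt CONSUMER_KEY USERNAME LOGIN_URL KEYFILE [EXP_EPOCH]
# iss = consumer key, sub = username, aud = login URL, exp <= now + 3 minutes
make_jwt() {
  exp="${5:-$(( $(date +%s) + 180 ))}"
  header=$(printf '{"alg":"RS256"}' | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%s}' "$1" "$2" "$3" "$exp" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$4" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# verify_jwt JWT CERTFILE: succeeds only if the RS256 signature matches the
# public key in the certificate, which is the check Salesforce performs.
verify_jwt() {
  pub=$(mktemp); sigbin=$(mktemp)
  openssl x509 -in "$2" -pubkey -noout > "$pub"
  printf '%s' "${1##*.}" | b64url_decode > "$sigbin"
  printf '%s' "${1%.*}" | openssl dgst -sha256 -verify "$pub" -signature "$sigbin" >/dev/null 2>&1
  rc=$?
  rm -f "$pub" "$sigbin"
  return $rc
}

# request_token JWT LOGIN_URL: exchanges the assertion for an access token.
request_token() {
  curl -s -X POST "$2/services/oauth2/token" \
    --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
    --data-urlencode "assertion=$1"
}
```

A token response only comes back when the certificate on the Connected App matches the signing key and the user is pre-authorized (step 2.5), so a failed verify_jwt locally is the first thing to rule out before touching the pipeline.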
3.2 Verify Successful Authentication
If the setup is correct, you should see a success message:
Successfully authorized user@example.com with org ID 00DXXXXXXXXXXXXXXX
Conclusion
By following this guide, you've successfully created a self-signed certificate and private key using OpenSSL, set up a Connected App in Salesforce, and tested the authentication on your local machine. This setup is vital for secure, automated interactions with Salesforce in a CI/CD environment.