
Salesforce JWT Authentication Tutorial: Using OpenSSL for Secure CI/CD Pipeline Setup
This guide explains how to set up JWT authentication for Salesforce using OpenSSL, which is particularly useful for CI/CD pipelines to automate deployments and other tasks. For official documentation, refer to the Salesforce Developer Guide on creating a private key and self-signed digital certificate.
Create Certificates and Keys Locally Using OpenSSL
Generate a self-signed certificate and private key for the Salesforce Connected App. Only the certificate is uploaded to Salesforce; the private key stays with the pipeline and signs the JWT. Because the flow runs unattended, the key must not be passphrase-protected, so the key file itself is the secret.
If using Windows, install OpenSSL first. On Linux or macOS it is usually already installed.
Run these commands in your terminal:
- Generate a private key with a temporary passphrase:
openssl genrsa -des3 -passout pass:SomePassword -out server.pass.key 2048
- Remove the passphrase from the key:
openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key
Delete server.pass.key after this step. The passphrase given with -passout and -passin also ends up in your shell history, so clear those entries as well.
- Generate a certificate signing request (CSR). Provide organisation details when prompted and press Enter to leave the challenge password empty:
openssl req -new -key server.key -out server.csr
- Create the self-signed certificate, valid for 365 days:
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
These commands produce server.key (private key) and server.crt (certificate). Keep the private key out of version control, restrict its file permissions to the owner, and never share it; server.crt is the only file that leaves the machine.
Create a Connected App in Salesforce
A Connected App holds the certificate and the OAuth settings that the JWT bearer flow uses; Salesforce verifies each signed JWT against the certificate uploaded here.
- Log in to your Salesforce org.
- Go to Setup > Apps > App Manager.
- Click New Connected App.
- Enter details:
- Connected App Name: e.g., CI/CD JWT App
- API Name: Auto-populates
- Contact Email: A valid email address
- Enable OAuth Settings:
- Callback URL: http://localhost:1717/OauthRedirect (the field is required, but the JWT bearer flow never redirects to it)
- Use digital signatures: Check and upload server.crt
- Selected OAuth Scopes: Add "Access your basic information (id, profile, email, address, phone)", "Access and manage your data (api)", "Provide access to your data via the Web (web)", and "Perform requests at any time (refresh_token, offline_access)"
- Save the app. It may take a few minutes to activate.
- In the app details, note the Consumer Key (Client ID).
- Manage the app: Set Permitted Users to "Admin approved users are pre-authorised". This is what lets the pipeline log in without a browser, and it limits the app to the profiles and permission sets you assign; with "All users may self-authorize" the JWT flow only works for users who have already approved the app interactively.
- Assign profiles: Under Profiles (or Permission Sets) add only what the pipeline's user needs. The example uses System Administrator, but a dedicated integration user with a least-privilege profile is the safer choice, since anyone holding server.key can act as that user.
Test the Setup Locally
Verify the configuration using the Salesforce CLI. The commands below use the sf executable; the older sfdx commands still work but are being retired in favour of sf.
Install the Salesforce CLI if not already done.
Run:
sf auth jwt grant --client-id <Consumer Key> --jwt-key-file <path/to/server.key> --username <Salesforce username> --instance-url <https://login.salesforce.com or custom domain>
If it succeeds, the CLI reports the org as authorised and later sf commands can target it. In a pipeline, store server.key and the Consumer Key as masked secrets, write the key to a file with mode 0600 for the duration of the job only, and never echo either; the command line itself is safe to log because the key is passed by path, not by value.
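What the CLI does with server.key, shown as an added example that is not code from this page or from the Salesforce CLI: it builds the RS256 JWT bearer assertion with openssl alone, verifies it locally the way the token endpoint will (with the public key from server.crt), and prints the token request. The Consumer Key, username and login URL are placeholders, and the 180-second assertion lifetime is an assumption chosen to stay well inside Salesforce's limit; the claim set (iss, sub, aud, exp) is the one the JWT bearer flow expects.

```shell
#!/bin/sh
# Added example, not from the page or the Salesforce CLI: the JWT bearer
# assertion that `sf auth jwt grant` sends, built and checked with openssl.
# Assumptions: the Consumer Key, username and login URL passed in, and the
# 180 s lifetime of the assertion.

# base64url (RFC 7515): standard base64 with the URL-safe alphabet, no padding.
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# Inverse of b64url; writes the raw bytes to stdout.
b64url_decode() {
    s="$(cat)"
    pad=$(( (4 - ${#s} % 4) % 4 ))
    [ "$pad" -ne 3 ] || return 1            # no valid base64 has this length
    while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done
    printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# Print the assertion: base64url(header).base64url(claims).base64url(signature).
# It must be signed with the server.key whose certificate is on the Connected App.
make_sf_assertion() {
    key="$1" client_id="$2" username="$3" login_url="$4"
    header='{"alg":"RS256"}'
    # iss = Consumer Key, sub = user to log in as, aud = login URL,
    # exp = Unix time; kept short because Salesforce rejects long-lived assertions.
    claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%d}' \
        "$client_id" "$username" "$login_url" $(( $(date +%s) + 180 )))
    signing_input="$(printf '%s' "$header" | b64url).$(printf '%s' "$claims" | b64url)"
    # RS256 is RSASSA-PKCS1-v1_5 over SHA-256, exactly what dgst -sha256 -sign produces.
    sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$key" | b64url)
    printf '%s.%s' "$signing_input" "$sig"
}

# Decode the claims segment for inspection (no signature check).
jwt_claims() { rest="${1#*.}"; printf '%s' "${rest%%.*}" | b64url_decode; }

# The check the token endpoint performs: RS256 signature over header.claims,
# verified with the public key extracted from the certificate (server.crt).
verify_sf_assertion() {
    cert="$1" jwt="$2"
    signing_input="${jwt%.*}" sig_b64="${jwt##*.}"
    tmp=$(mktemp -d)
    openssl x509 -in "$cert" -noout -pubkey > "$tmp/pub.pem"
    if printf '%s' "$sig_b64" | b64url_decode > "$tmp/sig.bin" &&
       printf '%s' "$signing_input" |
       openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig.bin" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# The token request the CLI sends; printed rather than executed so this runs offline.
token_request() {
    printf "curl -sS -X POST '%s/services/oauth2/token' --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' --data-urlencode 'assertion=%s'\n" "$1" "$2"
}

# Usage: ./sf_jwt.sh server.key server.crt <Consumer Key> <username> https://login.salesforce.com
if [ "$#" -eq 5 ]; then
    jwt=$(make_sf_assertion "$1" "$3" "$4" "$5")
    verify_sf_assertion "$2" "$jwt" && echo "local signature check: OK" >&2
    token_request "$5" "$jwt"
fi
```

Because the assertion is signed but not encrypted, anyone who captures it can replay it until exp passes, which is why the lifetime is short and why the request goes over HTTPS only; the private key, not the assertion, is the long-term secret.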
Note: Salesforce uses only the public key inside the uploaded certificate to check the JWT signature, so a CA-signed certificate adds no security in this flow. What matters in production is protecting the private key, giving the certificate a short validity so that rotation actually happens, restricting the Connected App to the profiles or permission sets that need it, and monitoring logins by the integration user.
© 2025 EKWIS