MTLS in Salesforce

I have been trying to get a free SSL certificate to try out the MTLS feature of Salesforce. Since I am still checking the feasibility of the feature, I felt it wouldn't be a good idea to buy a new certificate by paying a CA (one of the trusted CAs on their list). I know I would be able to generate a certificate using Let's Encrypt by providing a public server URL, which I could use for my testing purposes as Let's Encrypt is in their trusted CA list. However, I do not have any public-facing URL that I could use to generate the certs.

How shall I get the certificates in this case?

2 Likes

Hi and welcome to the LE community forum 🙂

If you can add entries into the DNS zone, you can get a cert via DNS authentication from any IP on the Internet (without a need for a web server).

If this is a true TEST, you can use any domain you have access to - even a free DDNS domain.
[So long as you can update the DNS zone with TXT record(s)]

4 Likes

@rg305 Yes, it's just for testing purposes. Could you please recommend one such DDNS provider?

2 Likes

Check these out:
10 Best Dynamic DNS Providers for 2021 (Paid & Free) (comparitech.com)

3 Likes

@rg305 your suggestions really helped me. I went ahead with https://freedns.afraid.org/ as it allowed me to add TXT entries. Any idea how I can use Let's Encrypt (chatbot) to renew certificates uploaded within Salesforce?

3 Likes

@abudnar I don't know much about SalesForce - I do know plenty about LE.
If you can figure out how to install a cert into your SalesForce program, it should work with an LE cert.
We can help you get the LE cert and try to ensure it can automatically renew.

2 Likes

@rg305 I want to highlight the fact that I used LE certs as client certs in this case for authenticating clients who are trying to access Salesforce APIs. These certs will have to be uploaded to Salesforce beforehand and whenever an API request hits Salesforce with the client cert, it tries to match it with the cert that's uploaded to authenticate the client.

Do you think this scenario is something that could be automated?

1 Like

I suppose that just about anything can be automated; but there are varying degrees of difficulty and required effort and available tools/knowledge that may sway the decision and outcome.

I know almost nothing about what exactly you are trying to do.
But from the little I can see, it sounds like the prize may not be worth the effort.
Presuming that you would have to redo all such certs before they expire [every 90 days].
If that is NOT the case, and they can continue using a cert even after it has expired, then you would really only need to do it once; and you may not even need a globally CA-signed cert for this authentication. If the cert is only being used as a key, then that key may work until it is removed from the SalesForce API system.
But, again, I know very little about all this and I'm just speculating/guessing here.

So, if I had to do this, I would start by getting clarity from SalesForce on all the cert requirements.

1 Like

So far as I can tell, although Salesforce will trust some public CAs (the whole purpose of which is to verify that you control some DNS name), they don't allow you to specify that an account just needs to present proof of its DNS name. Instead Salesforce expects you to give them a copy of each certificate to be trusted before it can be used, and their process for doing this seems to be relatively manual.

So I agree with @rg305 that this juice probably isn't worth the squeeze for using Let's Encrypt. If you want MTLS (which can be an excellent security feature and reduce other headaches) for Salesforce clients I'd look at their Self-signed certificate option, which should be much less hassle and the same practical result.

If Salesforce are reading this (or you get to throw suggestions at them): How about a config option "I trust anybody who can prove they are DNS name: some.example.com"? Then anybody on the Internet could use tools like Certbot to get certificates that prove their DNS name and authenticate very securely this way.

2 Likes

@abudnar some people who tried afraid.org (also because of its API access) in the past didn't realize this part:

https://freedns.afraid.org/faq/#14

which is that if you use the free tier, other people are allowed to create subdomains of your domain. Please make sure that is something you are OK with if you use the free tier of this service!

2 Likes