As as an administrator of a Salesforce org, we want to notify you of an upcoming change to our HTTPS security certificates.
What is changing?
To maintain alignment with security best practices and the industry-wide shift to use more complex algorithms for HTTPS certificates, Salesforce will be replacing current HTTPS certificates, which are signed with a SHA-1 hash algorithm, to new certificates signed with a SHA-256 hash algorithm. HTTPS certificates are reflected in the browser’s URL bar to indicate a secure connection while accessing secure websites, including Salesforce.
What action do I need to take?
In order for users to continue to have access to Salesforce, you need to ensure your operating systems (OSs), browsers and middleware are capable of accepting HTTPS certificates with SHA-256 hash algorithms.
We are asking all customers to be prepared for this change by:
- April 1, 2015 for Sandboxes
- August 1, 2015 for all Instances
We will begin changing HTTPS certificates in a phased approach shortly after these dates. Exact dates will be published in March 2015.
Is there a quick way to test if I am prepared for this change?
Yes. We have established this test page to quickly check if your OSs, browsers and middleware will accept HTTPS certificates with SHA-256 hash algorithms. We have provided instructions for how to use this test page in this Knowledge Article.
What will happen if my OSs, browsers, and middleware are not capable of accepting these new HTTPS certificates?
If your OSs, browsers, and middleware cannot validate the new HTTPS certificates, your users will not be able to access Salesforce.
Why are you not changing the HTTPS certificates sooner?
The HTTPS certificates that Salesforce uses today are secure. However, it is a best practice to continuously increase the complexity of security encryption protocols and tools. We designed the timeline to give customers time to prepare for this change while maintaining a secure environment.
What if we use middleware that requires us to upload the certificate into the middleware (i.e. locally cached)? a
If your organization is running middleware that requires the certificates to be locally cached, you will need to update the cached certificates as a result of this change. To learn more about how this information will be communicated, please join the customer Success Community Collaboration group, Official: Certificate Changes.
Where can I get more information?
We have developed a Knowledge Article to provide additional information. Additionally, you can reach out to Customer Support by logging a case in the Help & Training portal.