The digital master key to your Salesforce connections is changing. Salesforce is migrating to the modern DigiCert Global Root G2 to meet the highest security standards. For most users, this is invisible, but for organizations running API integrations, on-premise servers, or custom apps, it’s a critical compliance deadline. We’ve broken down exactly what a root certificate is, whether your org is at risk, and the three steps you must take to stay connected.
What is a root certificate?
Root certificates are the essential elements of digital security, acting as the “master keys” that establish trust across the internet. They allow for the validation of websites, software, and secure connections. For successful integration and authentication with Salesforce, your servers must trust the specific root certificates that Salesforce utilizes.
To comply with contemporary security and engineering protocols, Salesforce is currently transitioning from its older set of root certificates to the DigiCert Global Root G2, which impacts many of its services.
Is your org at risk?
This change only impacts Inbound Connections (systems talking to Salesforce). You need to take action if you use:
- API Integrations: Middleware (MuleSoft, Boomi, Informatica) or custom code that pushes/pulls Salesforce data.
- On-Premise Servers: Internal databases or ERPs that connect to Salesforce via SSL/TLS.
- Custom Mobile Apps: Any non-standard apps that authenticate with your Salesforce instance.
If you miss the February 5th deadline, your external systems could fail to “handshake” with Salesforce. API calls will fail, data syncs will stop, and users may see “Connection Not Secure” errors.
3 Steps to Ensure Your Org Stays Connected
1. Audit Your Trust Stores
Your IT Infrastructure team must ensure the DigiCert Global Root G2 certificate is installed in the “Trust Store” of every server that connects to Salesforce. This includes Java Keystores (JKS), Windows Certificate Stores, and Linux/Unix trust stores.
2. Adopt the “Mozilla Rootset”
Salesforce recommends that instead of manually adding one certificate at a time, your IT team should trust the Mozilla Certificate Rootset. This is a pre-verified bundle of global authorities. By trusting the bundle, you protect your integrations from future certificate rotations automatically.
3. Check for “Certificate Pinning”
Ask your developers if they have “pinned” (hardcoded) specific certificates in their code. This is sometimes done to increase the security of a connection, but it is a common cause of service outages during rotations. They should move toward trusting the Root CA instead of a specific leaf certificate.
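For step 1, one way to check a trust store for the new root, as an added example that is not Salesforce's or this article's own code: it lists the CA certificates Python's ssl module loads from the platform default store or a PEM bundle and looks for a self-issued certificate named DigiCert Global Root G2. The function names and the SAMPLE entries are assumptions constructed for illustration.

```python
import ssl
import sys
TARGET_CN = "DigiCert Global Root G2"  # root certificate named in the article

def subject_field(cert, field):
    """Return one subject field (e.g. commonName) from a get_ca_certs() entry."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None

def find_root(ca_certs, common_name=TARGET_CN):
    """Entries with a matching CN that are self-issued, i.e. roots, not intermediates."""
    return [c for c in ca_certs
            if subject_field(c, "commonName") == common_name
            and c.get("subject") == c.get("issuer")]

def load_ca_certs(cafile=None):
    """Load a PEM bundle, or the platform default trust store if cafile is None."""
    if cafile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
    # Certificates reached through a hashed directory (capath) load lazily and
    # are not listed here; pass the bundle file explicitly in that case.
    return ctx.get_ca_certs()

def _name(cn):
    return ((("commonName", cn),),)

# Constructed sample in the shape get_ca_certs() returns (not real store output).
SAMPLE = [
    {"subject": _name(TARGET_CN), "issuer": _name(TARGET_CN),
     "notAfter": "Jan  1 00:00:00 2040 GMT"},
    {"subject": _name(TARGET_CN), "issuer": _name("Example Cross Root"),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": _name("Example Other Root"), "issuer": _name("Example Other Root"),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
]

if __name__ == "__main__":
    hits = find_root(load_ca_certs(sys.argv[1] if len(sys.argv) > 1 else None))
    for c in hits:
        print(f"found {TARGET_CN}, expires {c['notAfter']}")
    if not hits:
        print(f"{TARGET_CN} not found in the loaded trust store")
    sys.exit(0 if hits else 1)
```

A name match is not proof of identity, so compare the certificate's fingerprint with the value DigiCert publishes before relying on the result.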
TL;DR
Salesforce is implementing a critical security update by transitioning to the modern DigiCert Global Root G2 certificate. This change, with a strict deadline of February 5th, primarily impacts organizations with inbound connections (API integrations, on-premise servers, and custom apps) talking to Salesforce. To prevent service outages and failed connections, IT teams must perform three key steps: audit all trust stores to ensure the DigiCert Global Root G2 is installed, adopt the Mozilla Certificate Rootset for future-proofing, and ask developers to check for and remove Certificate Pinning (hardcoded certificates) in their code.

