Saturday, January 1, 2022

Digital Certification


  • Secure Sockets Layer (SSL) certificates, sometimes called digital certificates, are used to establish an encrypted connection between a browser or user’s computer and a server or website. The SSL connection protects sensitive data, such as credit card information, exchanged during each visit (called a session) from being intercepted by unauthorized parties.

  • In short: SSL keeps internet connections secure and prevents criminals from reading or modifying information transferred between two systems. When you see a padlock icon next to the URL in the address bar, that means SSL protects the website you are visiting.

  • Salesforce certificates and key pairs are used for signatures that verify a request is coming from your organization. They are used for authenticated SSL communications with an external website, or when using your organization as an Identity Provider. You only need to generate a Salesforce certificate and key pair if you are working with an external website that wants verification that a request is coming from a Salesforce organization.

Certification involved in Salesforce

  1. Self-Signed Certificate-

    1. Generate a certificate signed by Salesforce to show that communications purporting to come from your organization are really coming from there.

    2. By default, all self-signed certificates are valid for only 90 days, so you will need to renew them every 90 days.

  2. Certificate Authority-Signed (CA-Signed) Certificate-

    1. A certificate authority-signed (CA-signed) certificate can be a more authoritative way to prove that your org’s data communications are genuine. You can generate this type of certificate and upload it to Salesforce.

  3. API Client Certificate -

    1. The API client certificate is used by workflow outbound messages, the AJAX proxy, and delegated authentication HTTPS callouts. For security reasons, the API client certificate should be known only to your org.

1-way SSL vs 2-way SSL-

SSL is used to ensure that communication between two parties is secure and encrypted. There are two modes of SSL communication:

  1. One-way SSL-

    1. In one-way SSL, only the client validates the server, to ensure that it receives data from the intended server. To implement one-way SSL, the server shares its public certificate with the clients.

    2. Only the client authenticates the server; the server does not care who the client is.

    3. For example, whenever we visit an SSL-enabled website such as https://www.google.com from a browser, we are the client and Google is the server. In this case, Google does not care who the client is, but the client verifies that the data is really coming from Google.


  2. Two way SSL-

    1. Two-way SSL, also known as mutual SSL (mutual TLS), is a mode in which the server and the client authenticate each other, for more robust security.

    2. In two-way SSL, both client and server authenticate each other to ensure that both parties involved in the communication are trusted. Each party shares its public certificate with the other, and verification/validation is then performed on that basis.

    3. Whenever you need server-to-server (B2B) communication, you can use two-way SSL.

    4. When using mutual authentication/2-way SSL, Salesforce.com can present a self-signed certificate to the target host (which must present a CA-signed certificate to Salesforce), provided that this certificate has been configured in the target host (installed in the target server's keystore).

    5. When sending outbound messages, delegated authentication requests or Apex callouts to secure/SSL endpoints, a Salesforce.com organization (acting as the client) will only trust the target host (which acts as the server) if it presents a certificate signed by a root Certification Authority (CA) included in the list shown in the link below. In other words, in this scenario the target host is not allowed to use a self-signed certificate.
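The one-way and two-way modes described above, and the 90-day renewal point from the self-signed certificate section, expressed as Python `ssl` contexts. This is an added example and not code from the original post or from Salesforce; the helper names (`client_context`, `server_context`, `insecure_client_context`, `ssl_mode`, `policy`, `days_until_expiry`) and the certificate file paths are assumptions, and the peer-certificate dictionary is a constructed sample in the shape `SSLSocket.getpeercert()` returns. The server side is where the two modes differ: with `CERT_NONE` it accepts any client (one-way), with `CERT_REQUIRED` the handshake fails unless the client presents a certificate chaining to a CA the server trusts (two-way).

```python
"""One-way vs two-way (mutual) SSL as Python ssl.SSLContext configuration,
plus a certificate-expiry check. Added example; hypothetical helper names;
certificate paths are placeholders and are only loaded when supplied."""
import ssl
from typing import Optional, Tuple


def client_context(ca_bundle: Optional[str] = None,
                   client_cert: Optional[str] = None,
                   client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client side. In one-way SSL the client verifies only the server: the
    default context already requires a chain to a trusted CA and a matching
    hostname. Loading a client certificate turns this into the client half of
    two-way SSL, because the client now has something to present when asked."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def server_context(server_cert: Optional[str] = None,
                   server_key: Optional[str] = None,
                   require_client_cert: bool = False,
                   client_ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Server side. One-way SSL: present our chain, accept any client
    (verify_mode stays CERT_NONE). Two-way SSL: CERT_REQUIRED rejects any
    client that does not present a certificate chaining to client_ca_bundle."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if server_cert:
        ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca_bundle:
            ctx.load_verify_locations(cafile=client_ca_bundle)
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern to detect in code review: the connection is still
    encrypted, but the client no longer checks who it is talking to, which is
    exactly the guarantee one-way SSL exists to provide."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy(ctx: ssl.SSLContext) -> Tuple[str, bool]:
    """Summarise what a context will verify: (verify mode name, hostname check)."""
    return (ctx.verify_mode.name, ctx.check_hostname)


def ssl_mode(server_ctx: ssl.SSLContext) -> str:
    """Classify a server context by whether it demands a client certificate."""
    return "two-way" if server_ctx.verify_mode == ssl.CERT_REQUIRED else "one-way"


def days_until_expiry(peer_cert: dict, now_epoch: int) -> int:
    """Days left before the certificate's notAfter, for renewal alerting.
    peer_cert uses the dict shape returned by SSLSocket.getpeercert()."""
    expires = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    return (expires - now_epoch) // 86400


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "callout.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan 1 00:00:00 2022 GMT",
    "notAfter": "Apr 1 00:00:00 2022 GMT",
}

if __name__ == "__main__":
    print("client (one-way):", policy(client_context()))
    print("server, one-way :", ssl_mode(server_context()))
    print("server, two-way :", ssl_mode(server_context(require_client_cert=True)))
    print("insecure client :", policy(insecure_client_context()))
    # 1640995200 is 2022-01-01T00:00:00Z; the sample expires 90 days later.
    print("days to expiry  :", days_until_expiry(SAMPLE_PEER_CERT, 1640995200))
```

To use the contexts against real endpoints, pass the placeholder paths to actual PEM files (`server_context("server.pem", "server.key", require_client_cert=True, client_ca_bundle="clients-ca.pem")`) and wrap a socket with `ctx.wrap_socket(...)`; `days_until_expiry` can then be fed the live `getpeercert()` result so a renewal alert fires well before a 90-day certificate lapses.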