
As the first organization to integrate Salesforce Government Cloud for a federal agency, we wanted to give our readers a crash course in best practices for importing Pay.gov certificates. To begin, Pay.gov or Treasury will provide you with two certificates: one for use with their QA environment and one for their production environment.

Below, our Windows-based instructions detail how to import these certificates into Salesforce.  For other operating systems, adjust accordingly.

Step 1: Acquire the Pay.gov Certificates

  • Follow the instructions provided by Pay.gov to put the certificates in Internet Explorer or Firefox.
  • Create a directory on your machine such as “C:\PayGovCerts”.
  • Export/Backup the certificates from Internet Explorer or Firefox to the directory you created.  During the export, make sure the password is between 6 and 8 characters to satisfy Salesforce.  These instructions assume the same password is used for both the QA and production certificates.  For file names, we named the QA certificate “Pay_Gov_QA_Cert.p12” and the production certificate “Pay_Gov_Prod_Cert.p12”.

Step 2: Prepare for Certificate Changes

  • Install or make sure you have Java on your machine.
  • Open a command prompt as administrator.
  • In the command prompt, change the current directory to the one you created using the following command: cd c:\PayGovCerts
  • Add the Java\bin directory to your path. The command will be something similar to:
    SET PATH=%PATH%;C:\Program Files\Java\jdk1.8.0_121\bin

Step 3: Make Certificate Modifications

Salesforce will likely not accept the alias names of the certificates, so we must rename them.  For all password prompts in the instructions below, use the same password that was used when exporting the certificate.  Use the Command Prompt window you opened as an Administrator for these instructions.

Run the following commands and note the alias name that each one reports for the certificate.

  • For the QA certificate run:
    keytool -v -list -keystore Pay_Gov_QA_Cert.p12
  • For the Production certificate run:
    keytool -v -list -keystore Pay_Gov_Prod_Cert.p12

For this example, the alias name of the QA certificate is “QA certificate’s u.s. government id” and the alias name of the production certificate is “Prod certificate’s u.s. government id.”

Change the certificate alias name.  Adjust the alias name in the following commands to match your certificates.

  • Change the alias of the QA certificate to “PayGovQA” by running:
    keytool -changealias -keystore Pay_Gov_QA_Cert.p12 -alias "QA certificate's u.s. government id" -destalias PayGovQA
  • Change the alias of the production certificate to “PayGovProd” by running:
    keytool -changealias -keystore Pay_Gov_Prod_Cert.p12 -alias "Prod certificate's u.s. government id" -destalias PayGovProd

Include both certificates in a new Java Keystore that we will call “PayGovKeyStore.jks”. 

This new keystore will be compatible with Salesforce.  For any password prompts in the following commands, enter the same password(s) you previously used.

  • For the QA certificate run: 
    keytool -importkeystore -destkeystore PayGovKeyStore.jks -srckeystore Pay_Gov_QA_Cert.p12 -srcstoretype pkcs12
  • For the Production certificate run: 
    keytool -importkeystore -destkeystore PayGovKeyStore.jks -srckeystore Pay_Gov_Prod_Cert.p12 -srcstoretype pkcs12
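
Before uploading, it is worth confirming that the new keystore holds both renamed entries, each with its private key and an unexpired certificate. The script below is an added example, not part of the original instructions: it parses the text printed by keytool -v -list -keystore PayGovKeyStore.jks (a constructed, abridged sample is embedded), and the function name check_keystore is hypothetical.

```python
import re
from datetime import datetime

# Constructed, abridged sample of `keytool -v -list -keystore PayGovKeyStore.jks`
# output. Owners and dates are invented; the second entry is deliberately broken.
SAMPLE = """\
Your keystore contains 2 entries

Alias name: paygovqa
Creation date: Mar 3, 2017
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=Example Agency QA
Valid from: Fri Mar 03 10:00:00 EST 2017 until: Tue Mar 03 10:00:00 EST 2020

Alias name: paygovprod
Creation date: Mar 3, 2017
Entry type: trustedCertEntry

Owner: CN=Example Agency Prod
Valid from: Fri Mar 03 10:00:00 EST 2017 until: Sat Mar 03 10:00:00 EST 2018
"""

UNTIL = re.compile(r"until: \w{3} (\w{3} \d{1,2} [\d:]{8}) \S+ (\d{4})")

def check_keystore(listing, expected, now):
    """Return a list of problems found in `keytool -v -list` output."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias = block.splitlines()[0].strip().lower()  # JKS stores aliases lowercased
        etype = re.search(r"(?m)^Entry type: (\S+)", block)
        until = UNTIL.search(block)  # first match is the end-entity certificate
        expires = (datetime.strptime(" ".join(until.groups()), "%b %d %H:%M:%S %Y")
                   if until else None)  # zone token dropped; treated as naive time
        entries[alias] = (etype.group(1) if etype else None, expires)
    problems = []
    for alias in expected:
        if alias.lower() not in entries:
            problems.append(f"{alias}: missing from keystore")
            continue
        etype, expires = entries[alias.lower()]
        if etype != "PrivateKeyEntry":  # a client certificate needs its private key
            problems.append(f"{alias}: entry type {etype}, no private key")
        if expires is None or expires <= now:
            problems.append(f"{alias}: expired or validity not found")
    return problems

if __name__ == "__main__":
    print(check_keystore(SAMPLE, ["PayGovQA", "PayGovProd"], datetime(2019, 1, 1)))
```

The aliases are compared case-insensitively because a JKS keystore lists “PayGovQA” as “paygovqa”. The date parsing assumes keytool is printing English month names.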

Step 4: Import the Java Keystore to Salesforce

In Salesforce, perform the following:

  1. Go to the Certificate and Key Management page.
  2. Click the “Import from Keystore” button.
  3. Select the keystore named “PayGovKeyStore.jks” that you created in Step 3.
  4. Enter the same password you used to create the keystore.
  5. Click Save.
  6. For the newly created certificate, edit it and change its label to something more readable, such as “Pay.gov QA Certificate.”

You can now create a Named Credential and reference it in your endpoint for the callout to Pay.gov.


About the Author

Cary Freeman is a Force.com developer with 17 years of Java development and two years of Salesforce development. He holds 12 certifications, including Salesforce Certified Application Architect, Salesforce Certified System Architect, and Project Management Professional (PMP).