How to Install a Wildcard SSL Certificate in Salesforce using a Manually Generated CSR
Step-by-Step Process
🔹 1. Generate a Certificate Signing Request (CSR)
You can do this using OpenSSL or another tool.
openssl req -newkey rsa:2048 -nodes -keyout olympus-grid.ai.wildcard.privatekey -out olympus-grid.ai.wildcard.csr
Common Name (CN): *.yourdomain.com (e.g., *.olympus-grid.ai)
The -nodes option writes the private key to disk unencrypted, so keep that file readable only by you
Submit this CSR to your SSL provider (e.g., GoDaddy)
Optionally, purchase and set up a wildcard certificate request directly from your DNS provider
🔹 2. Receive Certificate Files from Issuer
Typically you’ll get:
yourdomain.crt – your SSL certificate
yourdomain.pem – often a fullchain combo
yourdomain.bundle.crt – intermediate/CA bundle
You already have your private key from the CSR step
In our example:
olympus-grid.ai.wildcard.crt
gd_bundle-g2.crt
olympus-grid.ai.wildcard.privatekey
🔹 3. Create a .p12 (PKCS#12) Bundle
Must use a simple alias (no hyphens) — Salesforce rejects hyphens in alias names.
openssl pkcs12 -export \
-in olympus-grid.ai.wildcard.crt \
-inkey olympus-grid.ai.wildcard.privatekey \
-certfile gd_bundle-g2.crt \
-out olympus-grid-ai.p12 \
-name olympusgridai
You'll be prompted to set a password → remember it
🔹 4. Convert .p12 to .jks (Java Keystore)
keytool -importkeystore \
-srckeystore olympus-grid-ai.p12 \
-srcstoretype PKCS12 \
-destkeystore olympusgridai.jks \
-deststoretype JKS
Use the same password or a new one — either is fine
This produces olympusgridai.jks
🔹 5. Import into Salesforce
Navigate to: Setup → Certificate and Key Management
Click Import from Keystore
Upload olympusgridai.jks
Enter the keystore password
Click Save
You’re done. You can now host unlimited sub-domains from a single TLD, hosted from Olympus-Grid.
Final Notes
Alias must not contain special characters (Salesforce limitation)
This works for Salesforce Sites, Communities, My Domain, and Named Credentials (need confirmation)
Rotate your certificates before expiration (schedule a reminder)
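The checks below can be run before step 3: they test the alias rule, confirm that the private key from step 1 belongs to the certificate received in step 2, and flag a certificate that is close to expiry. This is an added example, not part of the original guide; the function names, the example.test sample domain and the day thresholds are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks to run before building the .p12 in step 3.

# Alias must be plain alphanumeric (the page notes Salesforce rejects hyphens
# and other special characters in alias names).
alias_ok() {
  case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
}

# Print a SHA-256 digest of the public key in a certificate ($1 = cert) or a
# private key ($1 = key). Fails if the file cannot be parsed.
pubkey_digest() {
  if [ "$1" = cert ]; then
    _pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  else
    _pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  fi
  [ -n "$_pub" ] || return 1
  printf '%s\n' "$_pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# True only when the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
  _c=$(pubkey_digest cert "$1") || return 1
  _k=$(pubkey_digest key "$2") || return 1
  [ "$_c" = "$_k" ]
}

# True when the certificate ($1) is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check; print one line per problem and return the problem count.
preflight() {  # args: cert key alias min_days
  _fail=0
  alias_ok "$3" || { echo "alias '$3' is not plain alphanumeric"; _fail=$((_fail + 1)); }
  key_matches_cert "$1" "$2" || { echo "key does not match certificate"; _fail=$((_fail + 1)); }
  valid_for_days "$1" "$4" || { echo "certificate expires within $4 days"; _fail=$((_fail + 1)); }
  return "$_fail"
}

# Constructed sample input: throwaway self-signed wildcard cert and key for the
# placeholder domain example.test, written into directory $1, valid $2 days.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=*.example.test" \
    -keyout "$1/sample.key" -out "$1/sample.crt" >/dev/null 2>&1
}
```

With the files from this guide, the call would be `preflight olympus-grid.ai.wildcard.crt olympus-grid.ai.wildcard.privatekey olympusgridai 30`; a non-zero return value is the number of failed checks.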