Using Cloudflare Origin certificate on Salesforce

With the maximum validity of publicly trusted TLS certificates dropping to 200 days in 2026, Salesforce administrators need a practical way to manage certificate renewal. Ideally, Salesforce would support the ACME protocol so renewal could be automated.

For sites fronted by the Cloudflare CDN, it is possible to install a Cloudflare Origin certificate, which can be issued with a validity of up to 15 years, on Salesforce. Although the Salesforce documentation says the certificate must be CA-signed, a self-signed certificate, or one issued by a private CA such as Cloudflare's Origin CA (which is not a public CA), is in practice accepted. Keep in mind that only Cloudflare's edge trusts the Origin CA: a browser that reaches the Salesforce hostname directly, bypassing the proxy, will see an untrusted certificate, so the DNS record must stay proxied.

  1. In Cloudflare, change the encryption mode to “Full (strict)”.
  2. Enable True-Client-IP if on Enterprise plan.
  3. Add a CNAME record (if one does not already exist) that points to the Salesforce site, e.g. custom-domain.com.xxx.live.siteforce.com. Ensure the record is proxied (orange cloud), so that Cloudflare terminates TLS with its own edge certificate and browsers never see the Origin certificate.
  4. In Salesforce Setup (Certificate and Key Management), create a CA-signed certificate and download its certificate signing request (CSR). The private key never leaves Salesforce.
  5. In Cloudflare, create a new Origin certificate, choose “Use my private key and CSR”, paste the CSR, set the hostnames to cover the custom domain, and create it.
  6. Copy the certificate PEM, append the Cloudflare Origin CA root certificate (the RSA or ECC root that matches the key type of the CSR), and save the result with a “.pem” extension. The file should contain both the leaf and the root certificate, leaf first.
  7. Upload the “.pem” file to Salesforce.
  8. Select the new certificate in Salesforce domain configuration.

In the last step, do not select the “Use a third-party service or CDN” option even though Cloudflare is a CDN. That option makes Salesforce serve the site over plain HTTP, which would force Cloudflare into “Flexible” encryption mode and leave the Cloudflare-to-Salesforce leg unencrypted.
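Before uploading the assembled file in step 7, it is worth checking that it is what Salesforce expects: exactly two certificates, a leaf whose public key matches the Salesforce CSR, a leaf that actually chains to the root appended after it, a SAN that covers the custom domain, and a validity period that is not accidentally short. The script below is an added example, not code from the original post, Cloudflare or Salesforce; the file names (salesforce.csr, origin-leaf.pem, origin_ca_root.pem, upload.pem) are assumptions, and it relies only on the openssl command-line tool.

```shell
#!/bin/sh
# Sanity checks for the .pem file assembled in step 6 before it is uploaded to
# Salesforce in step 7. Added example, not code from the original post or from
# Cloudflare/Salesforce. Input file names are assumptions:
#   salesforce.csr        CSR downloaded from Salesforce (step 4)
#   origin-leaf.pem       certificate PEM copied from Cloudflare (step 6)
#   origin_ca_root.pem    Cloudflare Origin CA root certificate
#   upload.pem            file produced here and uploaded in step 7
set -eu

# Assemble the upload file: leaf certificate first, Origin CA root appended.
build_chain() {
  cat "$1" "$2" > "$3"
}

# Number of PEM certificate blocks in a file (expect 2: leaf + root).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the last PEM certificate block in a file (the appended root).
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"
}

# Salesforce keeps the private key, so the issued leaf must carry the public
# key from its CSR or Salesforce cannot pair the two.
csr_matches_leaf() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
  leaf_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$csr_pub" = "$leaf_pub" ]
}

# The first certificate in the file must verify against the last one, i.e. the
# leaf really was issued by the root that was appended.
chain_verifies() {
  tmp=$(mktemp -d)
  openssl x509 -in "$1" > "$tmp/leaf.pem"   # reads only the first certificate
  last_cert "$1" > "$tmp/root.pem"
  if openssl verify -CAfile "$tmp/root.pem" "$tmp/leaf.pem" > /dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# The leaf's Subject Alternative Names must include the custom domain.
leaf_covers_host() {
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Origin certificates can be issued for up to 15 years; fail if this one
# expires within N days (e.g. someone picked the 7-day option by mistake).
expires_after_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) > /dev/null 2>&1
}

main() {
  csr=$1; leaf=$2; root=$3; host=$4; out=upload.pem
  build_chain "$leaf" "$root" "$out"
  [ "$(count_certs "$out")" -eq 2 ] || { echo "expected leaf + root in $out"; exit 1; }
  csr_matches_leaf "$csr" "$leaf"   || { echo "leaf public key does not match CSR"; exit 1; }
  chain_verifies "$out"             || { echo "leaf does not chain to the appended root"; exit 1; }
  leaf_covers_host "$leaf" "$host"  || { echo "leaf SAN does not cover $host"; exit 1; }
  expires_after_days "$leaf" 365    || { echo "leaf expires within a year"; exit 1; }
  echo "$out is ready to upload to Salesforce"
}

# Usage: sh check-origin-pem.sh salesforce.csr origin-leaf.pem origin_ca_root.pem custom-domain.com
if [ "$#" -eq 4 ]; then
  main "$@"
fi
```

Once the certificate is selected in Salesforce and the record is proxied, `openssl s_client -connect custom-domain.com:443 -servername custom-domain.com` should show Cloudflare's publicly trusted edge certificate, not the Origin certificate; the Origin certificate is only ever presented to Cloudflare on the proxied hop.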