Salesforce Certificate Transitions 2026: What Financial Services Firms Need to Know Now

Written by David Cockrum | Jan 28, 2026 7:53:04 PM

The Clock Is Ticking on Salesforce Security Updates

Managing thousands of customers while maintaining personalized service—this is the challenge keeping business leaders awake at night. Unlike purely transactional businesses, customer-centric organizations build long-term relationships that drive repeat business, referrals, and sustainable growth.

Salesforce has announced three significant certificate and security transitions rolling out between February and June 2026. For financial services organizations running complex integration ecosystems—connecting Salesforce to custodians, portfolio management systems, compliance platforms, and client portals—these changes require immediate attention.

Miss the deadlines, and you risk integration failures, API disconnections, and potential service interruptions at the worst possible times.

Here's what's changing, why it matters for your firm, and what you need to do now.

What Are These Three Certificate Changes?

1. Root Certificate Transition — February 5, 2026

What's happening: Salesforce is transitioning to certificates chained from the DigiCert Global Root G2. Any certificate that Salesforce hosts for clients to initiate inbound TLS connections will begin renewing to this new root after February 5, 2026.

What this means: Your systems that connect to Salesforce—whether through API integrations, middleware platforms, or browser-based access—need to trust this new root certificate. If your trust stores don't include DigiCert Global Root G2, connections will fail.

The nuance: Not all certificates will renew on February 5. Current certificates follow their normal rotation schedule. However, once they do rotate, they'll use the new root—meaning the window for potential disruption extends well beyond the initial date.

MuleSoft users: If you're running MuleSoft integrations, your trust stores require specific attention. Self-signed certificates and CA-signed certificates you've uploaded to your org are not affected.

2. Certificate Lifespan Reductions — Starting March 15, 2026

What's happening: Salesforce is implementing phased reductions in maximum TLS server certificate lifespans:

  • March 15, 2026: Maximum lifespan drops to 200 days
  • By 2029: Maximum lifespan reduces to just 47 days

What this means: Certificates will need to be renewed and rotated far more frequently. What used to be an annual or bi-annual task becomes a quarterly—and eventually near-monthly—operational requirement.

Why this matters for financial services: Wealth management firms typically run dozens of integrations: custodial data feeds, portfolio accounting systems, financial planning tools, compliance monitoring, client reporting platforms. Each integration point potentially requires certificate management. More frequent rotations mean more opportunities for something to break if you don't have robust automation in place.

3. Dual-Use Certificate Deprecation — June 15, 2026

What's happening: Chrome will enforce a strict ban on "dual-use" certificates—those used for both server authentication and client authentication. This fundamentally changes how most organizations implement mutual TLS (mTLS).

What this means: If you're using mTLS for secure API connections (common in financial services for compliance and security requirements), your client certificates can no longer originate from the same public certificate authorities used for website trust. You'll need separate certificates from CAs that issue Client Auth EKU-only certificates.

The business impact: mTLS is often required for connections to custodians, broker-dealers, and other financial institutions. This change affects the fundamental architecture of your most security-sensitive integrations.

Why Financial Services Firms Face Higher Stakes

These aren't routine IT maintenance items. For wealth management and financial advisory firms, the implications run deeper:

Integration Complexity Multiplies Risk

The average RIA or wealth management firm connects Salesforce to 8-15 external systems. Each connection point is a potential failure point when certificates change. A missed update to your custodial data feed means advisors can't see current client positions. A failed compliance integration could mean missed regulatory reporting deadlines.

Compliance Requirements Demand Continuity

Financial services firms operate under strict regulatory frameworks—SEC, FINRA, state regulators. Service interruptions aren't just inconvenient; they can trigger compliance issues. Can you demonstrate continuous access to required records? Can you prove your systems maintained required security controls without interruption?

Client Trust Depends on Reliability

When a client logs into their portal and gets a certificate error, or when their advisor can't pull up current account information during a meeting, confidence erodes. In a business built on trust, technical failures have outsized reputational impact.

What Should You Do Right Now?

Immediate Actions (Before February 5, 2026)

1. Audit your integration inventory

Document every system that connects to Salesforce:

  • Which systems initiate connections to Salesforce?
  • Which use API integrations vs. browser-based access?
  • Which require mTLS or other certificate-based authentication?

2. Update trust stores with DigiCert Global Root G2

Work with your IT team or managed service provider to add the new root certificate to all systems that connect to Salesforce. DigiCert provides the root certificates directly on their website.

3. Test in sandbox environments

Before February 5, update trust stores in your sandbox and test all critical integrations. Don't wait to discover problems in production.

4. Review MuleSoft configurations

If you're using MuleSoft for integration, verify your trust store configurations align with the updated requirements.

Medium-Term Planning (Before March 15, 2026)

5. Assess certificate management maturity

With lifespans dropping to 200 days (and eventually 47 days), manual certificate management becomes unsustainable. Evaluate:

  • Do you have automated certificate renewal processes?
  • Do you have monitoring to alert before certificates expire?
  • Do you have documented runbooks for certificate rotation?

6. Consider certificate management automation

Tools and platforms exist to automate certificate lifecycle management. The investment now prevents recurring fire drills later.
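
A sketch of the monitoring described in steps 5 and 6, added here as an example (not Salesforce or Vantage Point code): it reads the certificate an endpoint presents and reports its lifespan, days left and whether it exceeds the 200-day cap. The renew-at-two-thirds threshold, the finding names and judging the cap by issuance date are assumptions; the sample validity periods are constructed.

```python
import socket
import ssl
import time

DAY = 86400
CAP_DAYS = 200  # maximum lifespan stated in the article
CAP_FROM = ssl.cert_time_to_seconds("Mar 15 00:00:00 2026 GMT")
RENEW_AT = 2 / 3  # assumed policy: renew once two thirds of the lifetime has passed


def fetch_peer_cert(host, port=443, timeout=10):
    """Return the validated server certificate a TLS endpoint presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def assess(cert, now=None):
    """Report lifespan, days left and findings for one getpeercert() dict."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now >= end:
        findings.append("expired")
    elif now >= start + RENEW_AT * (end - start):
        # Scales with lifespan, so it still works when lifetimes shrink to 47 days.
        findings.append("renew-due")
    # Assumption: the cap is judged by issuance date (notBefore).
    if start >= CAP_FROM and (end - start) / DAY > CAP_DAYS:
        findings.append("over-cap")
    return {"lifespan_days": (end - start) / DAY,
            "days_left": (end - now) / DAY,
            "findings": findings}


# Constructed validity periods (not taken from real certificates).
SIX_MONTH = {"notBefore": "Apr  1 00:00:00 2026 GMT",
             "notAfter": "Oct  1 00:00:00 2026 GMT"}
ONE_YEAR = {"notBefore": "Apr  1 00:00:00 2026 GMT",
            "notAfter": "Apr  1 00:00:00 2027 GMT"}

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # hostnames from your own integration inventory
        print(host, assess(fetch_peer_cert(host)))
```

A fixed "30 days before expiry" alert would fire almost continuously on a 47-day certificate, which is why the threshold here is a fraction of the lifetime.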

Strategic Preparation (Before June 15, 2026)

7. Inventory mTLS implementations

Identify all integrations using mutual TLS. These will require architectural changes to separate server and client authentication certificates.

8. Identify compliant Certificate Authorities

Salesforce has published a list of CAs that will continue to support Client Auth EKU-only certificates. Review this list and begin planning migrations for affected integrations.

9. Budget for potential rework

Some integrations may require significant reconfiguration. Build this into your 2026 IT planning and budgets.

Frequently Asked Questions

What happens if I miss the February 5 deadline?

Your integrations won't immediately break on February 5. However, as Salesforce certificates naturally rotate over the following weeks and months, any system that doesn't trust the new root will fail to connect. The risk is unpredictable failures rather than a single cutover event.

Do these changes affect Salesforce Financial Services Cloud specifically?

These certificate changes apply to all Salesforce products, including Financial Services Cloud, Sales Cloud, Service Cloud, and Experience Cloud. Any Salesforce environment your firm uses is affected.

What about third-party apps from the AppExchange?

Third-party applications that connect to Salesforce will also be affected. Contact your vendors to confirm they've updated their trust stores and certificate management practices.

How do I know if my trust stores are current?

Your IT team can check whether DigiCert Global Root G2 is included in your system trust stores. Most modern operating systems and browsers include it by default, but enterprise environments often use custom trust stores that require manual updates.
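
One way to run the check described above and in step 2, added here as an example (not Salesforce or DigiCert tooling): it parses a PEM CA bundle with Python's standard ssl module and reports whether a root named DigiCert Global Root G2 is present and currently valid. It assumes the trust store is available as a PEM bundle; the status strings and the sample stores are constructed for illustration.

```python
import ssl
import time

ROOT_CN = "DigiCert Global Root G2"  # root named in the article


def load_bundle(path):
    """Parse a PEM CA bundle into the dicts SSLContext.get_ca_certs() returns."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


def common_names(cert):
    """Collect every commonName in a certificate's subject."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def check_store(ca_certs, now=None, wanted=ROOT_CN):
    """Return 'trusted', 'expired' or 'missing' for the wanted root."""
    now = time.time() if now is None else now
    matches = [c for c in ca_certs if wanted in common_names(c)]
    if not matches:
        return "missing"
    for cert in matches:
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
        if start <= now < end:
            return "trusted"
    return "expired"


def entry(cn, not_before, not_after):
    """Build one record in get_ca_certs() shape (sample data only)."""
    return {"subject": ((("commonName", cn),),),
            "notBefore": not_before, "notAfter": not_after}


# Constructed sample stores, not read from any real system.
LEGACY_ONLY = [entry("Example Legacy Root CA",
                     "Jan  1 00:00:00 2010 GMT", "Jan  1 00:00:00 2030 GMT")]
UPDATED = LEGACY_ONLY + [entry(ROOT_CN,
                               "Aug  1 12:00:00 2013 GMT", "Jan 15 12:00:00 2038 GMT")]

if __name__ == "__main__":
    import sys
    for bundle in sys.argv[1:]:  # PEM bundles your integrations are configured with
        print(bundle, check_store(load_bundle(bundle)))
```

A name match only shows that an entry with that subject exists; before adding a downloaded root to a store, compare its fingerprint with the one DigiCert publishes. Stores kept in other formats need to be exported to PEM first.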

Should I attend the Salesforce webinars?

Yes—especially if you have specific questions about your environment. Salesforce is holding follow-up webinars on February 3, 2026 (16:00 UTC and 23:00 UTC) to address questions about the February 5 and March 15 milestones.

How Vantage Point Can Help

Navigating certificate transitions across complex integration ecosystems requires both technical expertise and financial services context. Vantage Point helps wealth management firms:

  • Audit integration landscapes to identify all certificate-dependent connections
  • Implement trust store updates across Salesforce, MuleSoft, and connected systems
  • Design certificate management strategies that scale with shortened lifespans
  • Architect mTLS solutions that comply with the new dual-use restrictions
  • Test and validate critical integrations before and after transitions

These security transitions are exactly the kind of technical infrastructure work that prevents problems when done proactively—and causes crises when overlooked.

The Bottom Line

Salesforce's 2026 certificate transitions reflect broader industry movement toward shorter-lived, more secure certificates. For financial services firms, the question isn't whether to adapt—it's whether you'll adapt proactively or reactively.

With February 5 just days away, the time for planning is over. The time for action is now.

Need help assessing your integration readiness? Contact Vantage Point to discuss your Salesforce environment and ensure these transitions don't disrupt your operations.

Vantage Point specializes in Salesforce implementation and integration for financial services firms. We help wealth management organizations build secure, scalable technology foundations that support growth while maintaining the reliability clients expect.

About Vantage Point

Vantage Point specializes in helping financial institutions design and implement client experience transformation programs using Salesforce Financial Services Cloud. Our team combines deep Salesforce expertise with financial services industry knowledge to deliver measurable improvements in client satisfaction, operational efficiency, and business results.

About the Author

David Cockrum founded Vantage Point after serving as Chief Operating Officer in the financial services industry. His unique blend of operational leadership and technology expertise has enabled Vantage Point's distinctive business-process-first implementation methodology, delivering successful transformations for 150+ financial services firms across 400+ engagements with a 4.71/5.0 client satisfaction rating and 95%+ client retention rate.