Important: (Updated February 20, 2026) This topic is related to upcoming changes and additional setup required for the continued use of Outbound Messages (OBMs) in Nintex DocGen, in view of the deprecation of session IDs in Salesforce.

Setting up Outbound Message authentication

Due to the introduction of stronger security measures from Salesforce, Nintex DocGen will now require certificate based authentication on all Outbound Messages. Organizations that do not implement certificates will experience failures when sending Outbound Messages to Nintex DocGen.

The use of Salesforce certificates also allows administrators to securely manage certificates used for Salesforce API communications. This ensures that communication between Nintex's services and Salesforce remains secure.

Important: Using the Certificate Portal to sign in and configure a new certificate using the instructions below is the primary and supported approach to set up authentication for Outbound Messages.

If you already have a certificate (also known as Bring Your Own Certificate or BYOC) that is currently in use for Outbound Messages, use the Nintex Admin page to upload the existing certificate. See Add an existing certificate in Nintex Admin.

Use the Certificate Portal to sign in and configure a new certificate

Follow all the instructions in this section to create, sign, and upload a certificate in Nintex DocGen.

Create a certificate request (CSR) in Salesforce Setup

  1. In Salesforce Setup, search for Certificate and Key Management.

  2. Click Create CA-Signed Certificate.

  3. Fill in the required (*) fields.

  4. Click Save.

  5. Click Download Certificate Signing Request to download your certificate. You will need it in the following steps.

Fields

Description
Label

Name that describes the purpose and environment. This can be changed later.

  • Example: Outbound mTLS DocGen Prod
Unique Name

A unique name used by the API and managed packages. The name must begin with a letter and only use alphanumeric characters and underscores to replace spaces.

  • Example: Outbound_mTLS_DocGen_Prod
Common Name

A name that uniquely identifies this certificate in your organization.

  • Example: Nintex-1234

If this certificate is to be used as an http site certificate, then this name should reflect the site's domain name.

  • Example: www.site.com
Key Size

There are three available key sizes. Each key size has a fixed certificate validity period:

  • 2048‑bit - valid for 1 year (This is selected by default)

  • 3072‑bit - valid for 1 year

  • 4096‑bit - valid for 2 years

Company

You or your company's legal name
City The city or town where your organization is located.
Country Code

The two‑letter country code that identifies the country where your organization is located.

  • Example: US for the United States.
Exportable Private Key This is not required. We only need the public key.
State/Province The state or province where your company is located. Use the full name, not an abbreviation.
Use Platform Encryption

If your certificate will be used to upload a customer-supplied key, you must encrypt it using Platform Encryption. Select this checkbox, choose the 4096-bit key size, and deselect the Exportable Private Key option.

* This step is optional.

Obtain a signed certificate from Nintex

  1. Navigate to "http://api.docgen.nintex.io/obm/certificate-setup".

  2. Select the Salesforce environment you want to use, and click Sign In.

Note: Due to a login limitation setting in Salesforce, your login may fail. If a login is expired or a logout is identified from another Salesforce tab, a re-login is required.

  1. Log in with your Salesforce credentials.

  2. Click Allow to provide access to the signing portal.

  3. The page will show the Organization ID. Ensure the ID is correct and upload the CSR file.

    If your organization has any active certificate, it will be displayed under the Active Certificate for Your Organization section.

  1. Click Sign Certificate and wait until the process is complete.

  2. Click Download Certificate. The downloaded certificate is in the PEM file format.

  3. To upload your signed certificate, return to the Salesforce Certificate and Key Management page, find the CSR record in the list that you created previously, click on the name to view the record, then click Upload Signed Certificate.

  4. Select the certificate and click Save.
    This will be the signed certificate to secure all OBMs with Nintex DocGen. Once the certificate is linked, you cannot unlink it. Contact Nintex Support to unlink it.

Assign the signed certificate to Salesforce

  1. In the Certificate and Key Management page, under the API Client Certificate section, click Edit.

  2. Select the signed certificate you uploaded in the previous step.

  3. Click Save.

Note: You will only be able to assign a key once it's signed. Once set up, all Outbound Messages between Salesforce and Nintex services will be secured using this certificate.

Add an existing certificate in Nintex Admin

If you have an existing signed certificate currently in use for Outbound Messages, you can upload it to Nintex Admin. To do this, you will need to update your Nintex DocGen package to version 21.2.1 or later.

To upload your existing certificate:

  1. Click the Nintex Admin tab and go to Settings.

  2. Under API Client Certificate, upload your existing certificate.