Configure Salesforce DX with Travis CI

Author : Rajdeep Dua
Last Updated : May 2 2017


In this tutorial you will learn how to configure Salesforce DX ( to work with Travis CI (


  • You are currently a part of the Salesforce DX Pilot.
  • Your Github repository is setup with Travis CI. (Please refer to Getting Started guide for more details)
  • Travis CLI is installed (Version 1.8.8 was the latest in May 2017)

Setup JWT-Based Authorization Flow (headless)

  1. Make sure openssl is installed (instructions only for Linux based systems)

    $which openssl
  2. Generate Private Key and Certificate Signing Request

    1. The command below generates a 2048-bit RSA key pair, encrypts them with a password provided, and writes them to a file.

      openssl genrsa -des3 -passout pass:x -out server.pass.key 2048


      • genrsa : generate an RSA private key.
      • -des3 : encrypt the generated key with DES in ede cbc mode (168 bit key)
      • -passout : output file pass phrase source
      • -out : output the key to the file (server.pass.key) in this case
      • 2048 : Number of bits
    2. Next Create a key file from server.pass.key file

      openssl rsa -passin pass:x -in server.pass.key -out server.key
      • -in arg input file
      • -passin arg input file pass phrase source
      • -out arg output file
    3. Create a Certificate from the key file. We will use the openssl req command.

    The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.

    openssl req -new -key server.key -out server.csr
    • -key arg input file
    • -out org outfile file for the certificate

    Note : When the openssl req command asks for a “challenge password”, press return, this leaves the password empty. This password is used by Certificate Authorities to authenticate the certificate owner when they want to revoke their certificate.

  3. Generate SSL Certificate

    openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
    • -in filename : This flag specifies the input filename to read a certificate from.
    • -out filename : This specifies the output filename to write to.

    server.crt is the x509 certificate and server.key is the private key.

  4. Log into Developer Hub, and navigate to Setup. Go to App Manager, then click the New Connected App button on the upper-left.

    1. Create a new Connected App with information and click Save. Ensure following fields are setup:

      • Set the Callback URL to: http://localhost:1717/OauthRedirect (default callback for Salesforce DX)

      • Check Use digital signatures and upload server.crt x509 certificate created in step 3 above

      • Add the following OAuth Scopes: basic, api, web, refresh_token

  5. Save the Consumer Key associated with the Connected App. We will need this for authentication using JWT

  6. Permission Sets

  1. Create a Permission set without any particular permissions, assign it your user and assign that perm set to the connected app.)

  2. Click the Manage button in Setup > Connected App , then Edit Policies. Under the OAuth policies subsection, change the Permitted Users combo box to be Admin approved users are pre-authorized. Save the options

    ../_images/connected-app-edit-policies.png ../_images/connected-app-oauth-policies.png
  3. Click Setup > Connected App > Manage Permission Sets.


    Select the profiles and/or perm sets that should be allowed to be pre-authorized to use this Connected App.


Test the JWT OAuth

$ sfdx force:auth:jwt:grant --clientid <CLIENT_ID> --jwtkeyfile server.key \
   --username --setdefaultdevhubusername

Expected output should be

Successfully authorized with org id 00D6F000001fvfYUAQ

Setup the Salesforce DX Environment with Travis

  1. Create a folder sfdx-travisci

    mkdir sfdx-travisci
  2. Create a new SFDX workspace inside the folder sfdx-travisci where repo was cloned

    sfdx force:workspace:create -n sfdx-travisci
  3. Initialize git

    git init
  4. Fork to your github account. Add your Github repo as a remote:

    git remote add origin
  5. Set your Consumer Key and Username using the Travis CLI.

    travis env set CONSUMERKEY <your_consumer_key> travis env set USERNAME <your_username>
  6. Create a folder called assets and add your private key server.key to the folder.

  7. Encrypt your private key server.key. Note –add flag will update the .travis.yml file with appropriate

    travis encrypt-file assets/server.key assets/server.key.enc --add
  8. Remove your private key

    rm assets/server.key
  9. Update the .travis.yml similar to the one in this repo, replacing with values from your specific environment.

  10. Make sure your Travis account is configured with this github repo

    ../_images/travis-ci-1.png ../_images/travis-ci-2.png
  11. Do a new checkin into the repo, this will trigger a new build in Travis.


Reference :