Have you ever received one of these mysterious messages from Salesforce mentioning “expiring Self-Signed certificates“? Salesforce sends 4 notifications per expiring certificate. These emails are usually source of panic and confusion.
For a certificate to expire without you knowing what it is used for, typically means that it’s been automatically created “behind your back” by one of the processes mentioned below:
- Configuration of MyDomain on this org
- Use of the Environment Hub to spin this org
- An AppExchange application generated a self-signed certificate as part of its installation process
When you receive one of these emails, you basically have two options:
- You do indeed need a self-signed certificate and have to maintain it
- You don’t actually need any certificate and just want to stop receiving these scary emails
Do I really need a certificate?
The certificate is required when using Salesforce as an IdP (Identity Provider). This is the case when you’re login to external systems using your Salesforce username and password. It tends to be the other way around (SSO) but, let’s check:
- In Setup, navigate to “Identity Provider“
- Check the bottom section “Service Providers”. If it’s empty, then this org is not acting as an IdP and you can simply ignore this message and the following ones. Salesforce will continue to function as usual and you won’t receive another batch of emails next year
How do I renew a certificate?
If you’ve found one or more service providers you may want to check if they are actually used. If you keep at least one service provider, then, you need to take action on the email message from Salesforce:
- In Setup, navigate to “Certificate and Key Management”
* Create a new Self-Signed Certificate (Example: “Cert-2018”)
* Check “Exportable Private Key”
* Optionnaly set “Key Size” to 4096
Note: In the unlikely case where Salesforce uses a self-signed certificate with an external system, you will have to download the newly created certificate and update the other system.
- In Setup, navigate to “Identity Provider”
* Edit and change the certificate to the one you just created
* In one or two years time, depending on the size of the key, you will receive the same email and have to go through the same process
Related Posts & Resources
- Trailhead: Identity Trail
- Salesforce: Identity Providers and Service Providers
- GCHQ (!): Introduction to Identity and Access Management
- Salesforce: Certificates and Keys
I hope you enjoyed this post. Don’t hesitate to ping me on Twitter if you have any comment or question.