How To Refresh Self-Signed Certificates

Recent Articles

How To Refresh Self-Signed Certificates

You’ve received a notification from Salesforce indicating that you have a self-signed certificate expiring soon.

Now what? Do you take a specific action? Do you ignore the notification and hope it goes away?

While a certificate expiration notification from Salesforce might seem confusing at first, the good news is that refreshing your self-signed certificates is actually quite simple. Let’s take a look at why you might receive this notification and a step-by-step guide for resolving the issue.

Why Did I Receive a Certificate Expiration Notification?

If your organization is using self-signed certificates, then you may receive a certificate expiration notification from Salesforce. A self-signed certificate is used for Single Sign-On (SSO) settings and for callouts to external sites to authenticate the callout. The self-signed certificate is used to prove that your organization’s communications are authentic.
A certificate expiration notification is sent to you to warn you that a certificate will expire and will cause service disruptions. These notifications are sent to you 60 days, 30 days, and 10 days before the expiration of your certificate. Finally, you’ll receive one last notice on the day of your expiry mark.

How To Handle a Certificate Refresh in Salesforce

When refreshing a self-signed certificate, you’ll actually be replacing an expired certificate with a new certificate.
To do so, you’ll start by creating a new certificate. Under Certificate and Key Management, you’ll click on the “Create Self-Signed Certificate” button and start by naming the certificate. It can be helpful to keep your naming convention similar to the certificate that is about to expire, using the new date to differentiate between the two certificates.

Once the certificate has been created, type “Identity Provider” into your quick find bar. Once inside this tool, replace the old certificate with the newly created self-signed certificate.

Now, you’ll head to “Single Sign-On Settings,” where you’ll replace the old certificate with the newly created certificate. Open the SAML Single Sign-On.

With the SAML Single Sign-On Settings opened, select the “Request Signing Certificate” option and pick your new certificate. Then, save the settings.

Once you have replaced the expiring certificate in both of these places, you can go ahead and delete the old certificate. This will stop the certificate expiration notification emails.

We hope this has been helpful on your journey. If you have any more questions, please reach out to us here.