"You have one or more certificates in your Salesforce org that will expire soon." If that email landed in your admin inbox and triggered mild panic — good. It's real, it matters, and it's also very fixable. Here's what's happening and how to handle it without breaking anything.
Salesforce uses certificates to prove your org's identity to other systems. Self-signed certificates — the ones Salesforce generates for you — most commonly secure single sign-on (SAML), connected app integrations, and API handshakes with external services. They expire on a schedule, and when one lapses, whatever depends on it stops authenticating. Quietly. Usually on a weekend.
In Setup, search for Certificate and Key Management. You'll see every certificate in the org with its expiration date. The one from the warning email will be listed by its label and unique name. Note the expiration date — that's your deadline, and everything else in this post should happen before it.
This is the part that separates a five-minute fix from an outage. A certificate that nothing references can simply be allowed to expire — orgs accumulate orphaned certificates from old projects constantly. Before renewing anything, check the usual suspects:
If you check all of these and nothing references the certificate, document that and let it expire. Deleting orphaned certs is good hygiene; renewing them out of fear is how orgs end up with fifteen mystery certificates.
From Certificate and Key Management, create a new self-signed certificate. Give it a name that includes the year ("SSO_Signing_2026") — your future self will thank you during the next renewal. Salesforce generates it instantly; download it, because the other side of every connection will need it.
The order matters. Update the receiving systems before you switch Salesforce to sign with the new certificate:
Do it in a sandbox first if the org has one connected to a test IdP. And do it during business hours, deliberately — an afternoon of controlled switchover beats a weekend outage every time.
Test a login through SSO. Test one transaction through each integration that used the certificate. Once everything authenticates against the new cert, delete the old one after it expires — not before, in case something you missed is still pinned to it.
Certificates are a calendar problem, not a technical one. Put a recurring reminder 60 days before each expiry (the dates are all visible in Certificate and Key Management), and keep a one-line note of what each certificate serves. That single document turns the next renewal from archaeology into a checkbox.
If nobody in your company knows what your certificates do — or the person who set up SSO left in 2023 — that's a very normal reason companies bring us in. System health checks like this are standard Salesforce support work. Let's talk.
Founder of Thompson Technology. Salesforce and Account Engagement consultant for B2B companies.