Salesforce

How to Refresh Salesforce Self-Signed Certificates (Before They Expire)

Brett Thompson
5 min read

That email from Salesforce is not a scam

"You have one or more certificates in your Salesforce org that will expire soon." If that email landed in your admin inbox and triggered mild panic — good. It's real, it matters, and it's also very fixable. Here's what's happening and how to handle it without breaking anything.

What self-signed certificates do in Salesforce

Salesforce uses certificates to prove your org's identity to other systems. Self-signed certificates — the ones Salesforce generates for you — most commonly secure single sign-on (SAML), connected app integrations, and API handshakes with external services. They expire on a schedule, and when one lapses, whatever depends on it stops authenticating. Quietly. Usually on a weekend.

Step 1: Find the expiring certificate

In Setup, search for Certificate and Key Management. You'll see every certificate in the org with its expiration date. The one from the warning email will be listed by its label and unique name. Note the expiration date — that's your deadline, and everything else in this post should happen before it.

Step 2: Figure out what actually uses it (the step everyone skips)

This is the part that separates a five-minute fix from an outage. A certificate that nothing references can simply be allowed to expire — orgs accumulate orphaned certificates from old projects constantly. Before renewing anything, check the usual suspects:

  • Single Sign-On settings — if you use SAML SSO, check which certificate the SSO configuration references as the request signing certificate.
  • Identity Provider setup — if Salesforce acts as an identity provider for other apps, the IdP certificate lives here.
  • Connected apps and integrations — middleware, ERP syncs, and custom API integrations may pin the certificate on their side.
  • Marketing automation connectors — if you run Marketing Cloud Account Engagement (Pardot), confirm whether your SSO setup is in the authentication path for the connector user; an expired SSO certificate can break more than logins.

If you check all of these and nothing references the certificate, document that and let it expire. Deleting orphaned certs is good hygiene; renewing them out of fear is how orgs end up with fifteen mystery certificates.

Step 3: Create the replacement

From Certificate and Key Management, create a new self-signed certificate. Give it a name that includes the year ("SSO_Signing_2026") — your future self will thank you during the next renewal. Salesforce generates it instantly; download it, because the other side of every connection will need it.

Step 4: Swap it everywhere, counterpart first

The order matters. Update the receiving systems before you switch Salesforce to sign with the new certificate:

  • Upload the new certificate to your identity provider or service provider configuration (Okta, Azure AD, whatever sits on the other side).
  • Update any integration middleware that validates the old certificate.
  • Then, in Salesforce, point the SSO or connected app configuration at the new certificate.

Do it in a sandbox first if the org has one connected to a test IdP. And do it during business hours, deliberately — an afternoon of controlled switchover beats a weekend outage every time.

Step 5: Verify, then clean up

Test a login through SSO. Test one transaction through each integration that used the certificate. Once everything authenticates against the new cert, delete the old one after it expires — not before, in case something you missed is still pinned to it.

The maintenance habit

Certificates are a calendar problem, not a technical one. Put a recurring reminder 60 days before each expiry (the dates are all visible in Certificate and Key Management), and keep a one-line note of what each certificate serves. That single document turns the next renewal from archaeology into a checkbox.

If nobody in your company knows what your certificates do — or the person who set up SSO left in 2023 — that's a very normal reason companies bring us in. System health checks like this are standard Salesforce support work. Let's talk.

Brett Thompson

Founder of Thompson Technology. Salesforce and Account Engagement consultant for B2B companies.

Need help with this topic?

Let's Talk