Salesforce Self-Signed Certificate Expiring Notice

Salesforce by default dispatches an email 60 days, 30 days, and 10 days prior to the certificate's expiration date. The email will look similar to the message below.

You have one or more certificates in your Salesforce org Company Name Organization ID that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.

- SelfSignedCert_28May2019_231232, Self-Signed, expires on 5/28/2020. Warning: This certificate will expire in 30 day(s).

 

Instructions for Updating the Certificate

  1. Navigate to Salesforce and click Setup at the top of the page.
  2. In the Quick Find box, located on the left-hand side, type Certificate and click Certificate and Key Management.
  3. Click the Create Self Signed Certificate button and go through the steps for creating a new certificate.
  4. Once the certificate has been created, type Single Sign-On Settings in the Quick Find/Search bar.
  5. Under the SAML Single Sign-On Settings section, click Edit next to the Single Sign-On name and change the Request Signing Certificate to the newly created certificate from the drop-down menu. Click Save. Depending on your SSO setup, you may need to complete this step multiple times. 
  6. After replacing the certificate in SAML Single Sign-On Settings, navigate back to the Certificate and Key Management page and verify the Delete button is present. If not, the old certificate is still being used in Salesforce. You may need to replace the certificate in the Identity Provider menu (see instructions below). Once replaced, the old certificate can be deleted, and you won't receive any more warning emails.

If you are using ADFS, continue with the instructions below. If you are not using ADFS, the SSO certificate has been successfully updated and no further action is needed.

Update the Identity Provider

Depending on your instance setup, in addition to the above steps, you may need to perform the actions here to fully complete this process. 

  1. From the Setup menu, type Identity into the Quick Find box and select Identity Provider under the Security Controls section.
  2. If the Label still shows your old certificate, click Edit.
  3. From the dropdown, select the updated certificate you created, then click Save.

Note:

If you use Okta or OneLogin as your SSO provider, no other action is needed. If you're using ADFS or Azure, follow the applicable steps below. If you use Imprivata (JIT), JumpCloud (JIT), SecureAuth (JIT), or Duo (JIT), you will need to change your SSO configuration to match the new certificate. Please contact Support if you need assistance.

 

ADFS Users (after the above steps have been completed)

  1. Download the self-signed certificate and copy it to the ADFS server.
  2. In ADFS navigate to the Relying Party Trusts > Select Your Simpplr provider > Properties > Signature > Add new self-signed certificate.
  3. Remove the previous certificate.
  4. Verify.
  5. Navigate back to Salesforce and click Setup. Type Single Sign-On Settings into the Quick Find box and click the SSO name. Click Edit next to ADFS.
  6. Click the drop-down next to Request Signing Certificate and change it to the certificate you've just created. Click Save.

Azure Users (after the above steps have been completed)

  1. Create the certificate in your Azure portal. Select the ellipsis and download the PEM version.

  2. Upload in Salesforce under the Single Sign On Settings menu.

  3. Follow the steps in this article starting at step 5.
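
To check the result of the steps above from a command line, the following added example (not part of the original article or of Salesforce's tooling) uses openssl to report which of the 60/30/10-day notice windows a certificate has entered and to confirm that the certificate downloaded from Salesforce is the same one installed on the identity provider. The function names and file names are hypothetical; it assumes openssl is installed and both certificates are PEM files.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes openssl is installed
# and certificates are PEM-encoded. Function and file names are hypothetical.

# Print the SHA-256 fingerprint of a PEM certificate (empty if unreadable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Print which notice window (60/30/10 days before expiry) a certificate is in:
# invalid, expired, 10, 30, 60, or ok (more than 60 days left).
expiry_window() {
    cert=$1
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo invalid
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
        return 0
    fi
    for days in 10 30 60; do
        # -checkend exits non-zero if the certificate expires within N seconds.
        if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
            echo "$days"
            return 0
        fi
    done
    echo ok
}

# Succeed only if both files parse and carry the same certificate, e.g. the
# file downloaded from Salesforce and the one exported from the IdP.
same_cert() {
    a=$(cert_fingerprint "$1")
    b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: sh check_cert.sh salesforce_new.pem idp_export.pem
if [ "$#" -eq 2 ]; then
    echo "Salesforce certificate window: $(expiry_window "$1")"
    echo "Fingerprint: $(cert_fingerprint "$1")"
    if same_cert "$1" "$2"; then
        echo "IdP certificate matches the Salesforce certificate"
    else
        echo "MISMATCH: IdP is not using the certificate downloaded from Salesforce"
    fi
fi
```

A newly created certificate should report `ok`; a mismatch means the identity provider still trusts the old certificate or a different one.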

 


Comments

1 comment
  • After completion, is there a way to check this was done correctly?
