Salesforce Self-Signed Certificate Expiring Notice

Salesforce by default dispatches an email 60 days, 30 days, and 10 days prior to the certificate's expiration date. The email will look similar to the message below.

You have one or more certificates in your Salesforce org Company Name Organization ID that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.

- SelfSignedCert_28May2019_231232, Self-Signed, expires on 5/28/2020. Warning: This certificate will expire in 30 day(s).


Instructions for Updating the Certificate

  1. Navigate to Salesforce and click Setup at the top of the page.
  2. In the Quick Find box, located on the left-hand side, type Certificate and click Certificate and Key Management.
  3. Click the Create Self Signed Certificate button and go through the steps for creating a new certificate.
  4. Once the certificate has been created, type Single Sign-On Settings in the Quick Find/Search bar.
  5. Under the SAML Single Sign-On Settings section, click Edit next to the Single Sign-On name and change the Request Signing Certificate to the newly created certificate from the drop-down menu. Click Save. Depending on your SSO setup, you may need to complete this step multiple times. 
  6. After replacing the certificate in SAML Single Sign-On Settings, navigate back to the Certificate and Key Management page and verify the Delete button is greyed out/not available to click. This is how you know the certificate is in use. An active certificate cannot be deleted. If the Delete button is present and clickable, the old certificate is still being used in Salesforce. You may need to replace the certificate in the Identity Provider menu (see instructions below). Once replaced, the old certificate can be deleted, and you won't receive any more warning emails.

If you are using ADFS, continue with the instructions below. If you are not using AFDS, the SSO certificate has been successfully updated and no further action is needed.

Update the Identity Provider

Depending on your instance setup, in addition to the above steps, you may need to perform the actions here to fully complete this process. 

  1. From the Setup menu, type in Identity to the Quick Find box and select Identity Provider under the Security Controls section. identity_provider_1.gif
  2. If you see the Label is still marked as your old certificate, go to Edit.
  3. From the dropdown, select the updated certificate you created, then click Save. identity_provider_2.gif
Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request


  • After completion, is there a way to check this was done correctly?

    Comment actions Permalink
  • Hi Matthew, I've just followed these instructions, including updating the Identity Provider Label, and when I go back to Certificate and Key Management, there are three certificates - two expired with "edit" and "delete" buttons, and the one I just created with only "edit." When I click into the certificate the "Delete" option along the top is grayed out. Is this correct or have I done something wrong? Also, am I able to safely delete the expired certificates? TIA!

    Comment actions Permalink

Please sign in to leave a comment.

Articles in this section

See more