Salesforce by default dispatches an email 60 days, 30 days, and 10 days prior to the certificate's expiration date. The email will look similar to the message below.
You have one or more certificates in your Salesforce org Company Name Organization ID that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.
- SelfSignedCert_28May2019_231232, Self-Signed, expires on 5/28/2020. Warning: This certificate will expire in 30 day(s).
Instructions for Updating the Certificate
- Navigate to Salesforce and click Setup at the top of the page.
- In the Quick Find box, located on the left-hand side, type Certificate and click Certificate and Key Management.
- Click the Create Self Signed Certificate button and go through the steps for creating a new certificate.
- Once the certificate has been created, type Single Sign-On Settings in the Quick Find/Search bar.
- Under the SAML Single Sign-On Settings section, click Edit next to the Single Sign-On name and change the Request Signing Certificate to the newly created certificate from the drop-down menu. Click Save. Depending on your SSO setup, you may need to complete this step multiple times.
- After replacing the certificate in SAML Single Sign-On Settings, navigate back to the Certificate and Key Management page and verify the Delete button is present. If not, the old certificate is still being used in Salesforce. You may need to replace the certificate in the Identity Provider menu (see instructions below). Once replaced, the old certificate can be deleted, and you won't receive any more warning emails.
If you are using ADFS, continue with the instructions below. If you are not using AFDS, the SSO certificate has been successfully updated and no further action is needed.
Update the Identity Provider
Depending on your instance setup, in addition to the above steps, you may need to perform the actions here to fully complete this process.
- From the Setup menu, type in Identity to the Quick Find box and select Identity Provider under the Security Controls section.
- If you see the Label is still marked as your old certificate, go to Edit.
- From the dropdown, select the updated certificate you created, then click Save.