Salesforce by default dispatches an email 60 days, 30 days, and 10 days prior to the certificate's expiration date. The email will look similar to the message below.
You have one or more certificates in your Salesforce org Company Name Organization ID that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.
- SelfSignedCert_28May2019_231232, Self-Signed, expires on 5/28/2020. Warning: This certificate will expire in 30 day(s).
Instructions for Updating the Certificate
- Navigate to Salesforce and click Setup at the top of the page.
- In the Quick Find box, located on the left-hand side, type Certificate and click Certificate and Key Management.
- Click the Create Self Signed Certificate button and go through the steps for creating a new certificate.
- Once the certificate has been created, type Single Sign-On Settings in the Quick Find/Search bar.
- Under the SAML Single Sign-On Settings section, click Edit next to the Single Sign-On name and change the Request Signing Certificate to the newly created certificate from the drop-down menu. Click Save. Depending on your SSO setup, you may need to complete this step multiple times.
- After replacing the certificate in SAML Single Sign-On Settings, navigate back to the Certificate and Key Management page and verify the Delete button is present. If not, the old certificate is still being used in Salesforce. Replace the certificate here. Once replaced, the old certificate can be deleted, and you won't receive any more warning emails.
If you are using ADFS, continue with the instructions below. If you are not using AFDS, the SSO certificate has been successfully updated and no further action is needed.
Update the Identity Provider
Depending on your instance setup, in addition to the above steps, you may need to perform the actions here to fully complete this process.
- From the Setup menu, type in Identity to the Quick Find box and select Identity Provider under the Security Controls section.
- If you see the Label is still marked as your old certificate, go to Edit.
- From the dropdown, select the updated certificate you created, then click Save.
Note:If using Okta, OneLogin or Azure for your SSO provider, no other action is needed. If you're using ADFS, follow the steps below.
ADFS Users (after the above steps have been completed)
- Download the self-signed certificate and copy to ADFS server.
- In ADFS navigate to the Relying Party Trusts > Select Your Simpplr provider > Properties > Signature > Add new self-signed certificate.
- Remove the previous certificate.
- Navigate back to Salesforce and click Setup. Type Single Sign-On Settings into the Quick Find box and click the SSO name. Click Edit next to ADFS.
- Click the drop-down next to Request Signing Certificate and change it to the certificate you've just created. Click Save.