You receive an email that a certificate is expiring or has already expired in your org. Unsure of what it means, you feel a rise of panic. What is this?
No need to panic. Salesforce certificates and keys are used for signatures that verify a request is coming from your org. They are used for authenticated SSL (Secure Sockets Layer) communications with an external website, or when enabling Salesforce as an Identity Provider for one or more service providers. Admins only need to generate a Salesforce certificate and key pair if they are working with an external website that needs to verify a request is coming from a Salesforce org.
In most cases this is an easy update. If the app for which a certificate was originally set up is no longer in use, or if the org is not using Single Sign-On (SSO) and the default certificate that Salesforce supplies to every org, it should be safe to delete the certificate. Otherwise, an admin will need to create a new certificate and update any apps that require the key. In this post, we will discuss the Single Sign-On certificate notification, focusing on the steps to create a new certificate, update the app using it, and delete a certificate you no longer use.
Getting Started
Although multiple users may receive the email notification, System Administrator permissions are required to update or remove certificates. Admins should run through this checklist to understand where the certificate needs to be replaced. From Setup, use Quick Find to check each of the following:
- Single Sign-On. The certificate could be used as the “Request Signing Certificate” for an SSO setting.
- Connected apps. The expiring certificate could be used in an app configuration.
- Identity Provider. Enabled by default in many orgs, this feature causes the automatic creation of a self-signed certificate. If you are not using the Single Sign-On feature, deactivating it avoids the need to keep an up-to-date certificate.
Once you have identified where the certificate needs to be updated, consider whether you need to create a new certificate or if you can simply delete the existing one.
Create a New Certificate and Update App
If the app for which a certificate was created is in use, you will need to create a new certificate and update the app with the new key.
Step One: Find + Create a New Certificate
- Click on ‘Setup’. Locate the ‘Security’ folder and select the ‘Certificate and Key Management’ option. Alternatively, you can search ‘certificate’ in the Quick Find box.
- Click on ‘Certificate and Key Management’. Duplicate this tab in your browser.
- On the duplicated tab, click on the Label name to open the details of the Certificate and Key. In this case, we are looking at the type: ‘Self-Signed’.
- Copy the Label information from your Certificate and Key Detail screen to the Self-Signed Certificate you will be creating.
- On the original tab, click ‘Create Self-Signed Certificate’. Paste your old Label name and update the name using a similar naming convention to the expiring Certificate label. Click Save and double-check between the two tabs that the detail information is the same.
Step Two: Update the Appropriate App with the New Certificate Key
- Click on ‘Setup’. In the Quick Find box type: ‘Identity’. You are going to update ‘Identity Provider’ and ‘Single Sign-On Settings’.
- Click on ‘Identity Provider’. Select ‘Edit’ and update the Label to the Certificate name you just made. Save.
- Click on ‘Single Sign-On Settings’. Select ‘Edit’ next to the name of the SAML (Security Assertion Markup Language) Single Sign-On Settings.
- Select ‘Edit’ and update the ‘Request Signing Certificate’ to the new certificate. Save.
Step Three: Delete the Previous Certificate
- Go back to step one. Delete the previous certificate. This is an important step to ensure no further email notifications for this certificate are sent. It also ensures the expired certificate does not come up in a Health Check as a critical, high-risk security setting.
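Two checks that belong with this procedure, added here as an example and not part of the original post: one flags an exported certificate that is already expired or inside the notification window, the other confirms by SHA-256 fingerprint that the certificate now bound to the Identity Provider and SSO setting is genuinely the new one rather than the expiring one under a similar label. It assumes the openssl CLI is installed and that the certificates were downloaded from Certificate and Key Management as PEM files.

```shell
#!/bin/sh
# Added example, not from the original post: classify an exported Salesforce
# self-signed certificate as OK / EXPIRING / EXPIRED, and compare two PEM
# files by SHA-256 fingerprint to confirm a rotation actually produced a new
# key pair (same label, different certificate).
# Assumptions: the certificate was downloaded from Certificate and Key
# Management as PEM, and the openssl CLI is installed.

# cert_status PEMFILE WARN_DAYS
#   exit 0 = valid and outside the warning window
#   exit 1 = still valid but expires within WARN_DAYS (default 30)
#   exit 2 = already expired, or the file cannot be read as a certificate
cert_status() {
    pem=$1
    warn_secs=$(( ${2:-30} * 86400 ))
    # -checkend N succeeds only if the cert is still valid N seconds from now
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_fingerprint PEMFILE: print the SHA-256 fingerprint (hex, colon separated)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_rotated OLD_PEM NEW_PEM
#   exit 0 if the files hold different certificates (the rotation took effect),
#   exit 1 if they are the same certificate (the app still points at the old key)
cert_rotated() {
    [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]
}

# make_test_cert OUTFILE DAYS: constructed self-signed certificate for a dry run
# (stands in for the org's exported certificate; the private key is discarded)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=constructed-sso-signing-cert" >/dev/null 2>&1
}
```

Download both the old and the new certificate before deleting the old one in Step Three, so the fingerprint comparison can still be run afterwards.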
Delete an Expiring Certificate
If the app for which a certificate was created is not needed, you can delete the certificate.
Step One: Find the Expired Self-Signed Certificate
- Click on ‘Setup’. Locate the ‘Security’ folder and select the ‘Certificate and Key Management’ option. Alternatively, you can search ‘Certificate’ in the Quick Find box.
- Click on ‘Certificate and Key Management’. Find the Self-Signed certificate you want to delete. If there is no ‘Del’ option, click on the certificate label name.
- Hover the mouse over the Delete button. A message box will appear saying this certificate is in use in your Identity Provider.
Step Two: Find the Identity Provider
- Click on ‘Setup’. In the Quick Find box type: ‘Identity’. Click on ‘Identity Provider’.
- Double-check that the ‘Identity Provider Label’ name matches that of your Certificate name.
- Check if any Service Providers are using this certificate by scrolling to the bottom. It should say ‘No Service Providers’, as this indicates you are not using the Single Sign-On certificate feature.
- Disable the Identity Provider. Note: if users are logging into a provider via Salesforce and you disable an Identity Provider, the users will need their username and password to log into those providers.
Step Three: Delete the Certificate
- Go back to the certificate. Go to ‘Setup’ and in the Quick Find box look up ‘Certificate’. Click on the self-signed certificate you want to delete; the Delete button will now be available to use.
- The certificate is now deleted and you will no longer receive email notifications.
Summary + Conclusion
Receiving an expiring certificate notification does not need to cause panic. In fact, updating certificates is an important part of ongoing system maintenance. Whether you need to update or delete the Single Sign-On certificate, there should be no service disruption to users, so long as it is handled before the certificate expires.
If your organization is interested in further Salesforce projects or administration, get in contact with us.