Help! SFDC Expiring Certificate Notification – what do I do?
Salesforce tips

In this blog we will be walking through what to do if you receive this email from Salesforce:
“You have one or more certificates in your Salesforce org XXX XXXXX that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.
SelfSignedCert_xxx date_xxxxx, Self-Signed, expires on xx/xx/xxxx. Warning: This certificate will expire in xx day(s).”
Normally this email gets one of two reactions:
- Slight panic, what does this mean? Will it blow up if I do nothing?
- Or, you simply ignore it as spam and don’t think about it again until it either gets too annoying to ignore or something stops working.
First and foremost, don’t panic! Check the authenticity of the email, no files should be attached to the email and the sender should be: ‘Do not reply noreply@salesforce.com’. You may also get these emails regarding your sandboxes as well.
There are three reasons you will receive this email from Salesforce:
- Identity Provider
- Single Sign On
- Connected Apps
We will be replacing the Identity Provider Self-Signed Certificate in this blog, as this is the most common question we get asked, probably due to it being default in every Org. I will also show you how to check which one you need.
(Just on a side note: Always check the usage of certificates before deleting or replacing them, as there could be custom Apex code where the certificate is used in HTTP callouts.)
PART 1: Find that certificate!
Let’s locate the Certificate causing the notification – we know that sometimes this can be difficult, due to their obscure names.
1. Go to Setup
2. In the Quick find box start typing; Certificates and Key Management, then select it
3. On this page we can see all certificates both current and expired/expiring. You can check the name of the certificate against the name given in the notification from Salesforce here
TIP: To check where a certificate is being used, click on the certificate’s name to open it. You will notice that the delete button is greyed out. Hover over the delete button with your mouse pointer and it will tell you where it is being used, and why it cannot be deleted – just yet.
- Single Sign On Example – There are additional steps to update an SSO Certificate. NOTE: Do not simply follow the remaining steps of this blog if this is the case.
- Identity Provider Example – This is the one we will be updating in this blog…
PART 2: Replace that certificate!
Now for the fun part, to create and replace the certificate which is expiring.
1. First, we need to create a new Certificate. From the Certificate and Key Management screen, hit the Create Self-Signed Certificate button
2. Here you can enter the Label for your new certificate. You can also define things like if the key can be exported and key size. (We recommend you leave these as default.)
When naming these certificates, apply a meaningful convention, so you can identify them easily in the future, e.g. what type of certificate it is, followed by month and year of expiry. So, in this example I will use: Self Signed Feb 21.
The unique name should auto-populate, they can only contain underscores and alphanumeric characters. Once you have filled this in, click the Save button
3. Next, go to Identity Provider from the Setup menu.
You can see the expired certificate is in use, under the Currently Chosen Certificate Details.
Click the Edit button to change this
4. From the Setup Identity Provider page, you can now choose a new certificate. Go to the drop-down list and select the certificate you have just created, in this case: Self Signed Feb 21, then click Save.
You can see this has now updated to the new certificate:
5. If you head back to Certificate and Key Management you can now see the delete option is available next to the old certificate, so it is possible to now remove it or you can just retire the old one, by renaming it RETIRED, depending on your preference
And voilà, it’s all done and you will not get any more notifications (until the next one expires!).
I hope you’ve found this blog useful, if you would like to contact us to find out more or have any suggestions of topics you would like us to debunk, Click Here.
P.S. Let’s encourage Salesforce to restrict SFDC Expiring Certificate notification mails to specific users by upvoting this ‘Idea’ here: https://trailblazer.salesforce.com/ideaView?id=0873A000000E7JQQ
……………………………………………………………………………………………………………………………………………………….
Katie Ross is an experienced Salesforce Trainer at Giveclarity.
Giveclarity are a Salesforce partner working exclusively with charities, providing Salesforce consultancy, training and support.