Expiring Certificate Notification

A self-signed certificate is automatically created when the Salesforce as Identity Provider feature is enabled. The feature requires an associated certificate before it can be enabled. If you have no records under the Service Provider section, you are not using the feature. Simply delete the expiring certificate and do not replace it.

How to Replace an Expiring Certificate

To prevent service disruptions, certificate expiration notifications are sent at the 60-day mark, 30-day mark, 10-day mark, and on the day of expiry. They go to system administrators as well as users who have the Modify All Data and View Setup permissions.


  1. Go to Setup > Security > Certificate and Key Management and locate the certificate that is expiring soon (or has already expired). You must generate a new self-signed certificate to replace it.
  2. Select Create Self-Signed Certificate and complete the form. Give the certificate a meaningful name like “SelfSignedCert_date_time,” keep the key size at 2048, and select the Exportable Private Key checkbox.
  3. Associate the new certificate with your identity provider. Go to Setup > Identity > Identity Provider and edit the existing setup.
  4. Select the new certificate and click Save.

Note: You might notice a warning on this page. If you do not use single sign-on, you will not be affected by this warning. If you are using SSO, you will need to re-authenticate all service providers with the identity provider.

One way to know if you are using SSO: if the certificate is expired and you can use everything as usual, then you are not using SSO.
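
As an added example (not part of the original article and not Salesforce tooling), the script below checks certificate files against the same 60/30/10-day schedule, so expiry is not tracked by email alone. It assumes OpenSSL is installed and that the certificates have been downloaded as PEM-encoded files; the file names and the sample certificates it generates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. Classifies PEM certificate files against
# the 60/30/10-day notification schedule described in the article.

# Print the notification window a certificate has entered:
# unreadable | expired | 10-day | 30-day | 60-day | ok
cert_window() {
  local pem="$1" days
  # Reject anything that does not parse as an X.509 certificate.
  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo "unreadable"; return 0
  fi
  # -checkend N exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "expired"; return 0
  fi
  for days in 10 30 60; do
    if ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
      echo "${days}-day"; return 0
    fi
  done
  echo "ok"
}

# One line per file: window, notAfter date, file name.
cert_report() {
  local pem end
  for pem in "$@"; do
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null || true)
    printf '%-10s %-36s %s\n' "$(cert_window "$pem")" "${end:-notAfter=unknown}" "$pem"
  done
}

# Constructed sample input: a throwaway 2048-bit self-signed certificate
# valid for $1 days, written to $2 (the private key is discarded).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
    -out "$2" -days "$1" -subj "/CN=constructed-sample" >/dev/null 2>&1
}

# Demo on constructed certificates (file names are hypothetical).
demo_dir=$(mktemp -d)
make_sample_cert 20  "$demo_dir/SelfSignedCert_old.pem"
make_sample_cert 365 "$demo_dir/SelfSignedCert_new.pem"
cert_report "$demo_dir"/*.pem
rm -rf "$demo_dir"
```

Run cert_report against the old and new certificate files after step 4 to confirm that the replacement reports "ok" and to record when its own expiry falls.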
