Brad Holden

What the heck is a self-signed certificate and how do I renew it?

Ok I am sorry for being a complete newbie... I have spent the last year grappling with some very minor Salesforce development (on a part-time basis) for a small non-profit. I have learned a lot, but still have only placed a very tiny scratch on the surface! 
So now our Self-Signed Certificate is apparently expiring and I have NO IDEA what that means. Any googling of this quickly gets into going-over-my-head territory. Can someone please explain what I have to do and what is in danger of happening if I don't do it? Here's the message:

You have one or more certificates in your Salesforce org Tin Roof Global 00D6100000084nr that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.

I have gone to Certificate and Key Management and have downloaded the .crt file but am really unsure what I am supposed to do with it!

Thanks in advance

LBK .
The Certificate and Key Management section helps you generate self-signed certificates and manage all your certificates (self and 3rd party).

When you visited this page, you would have noticed that one of your certificates has an Expiration Date that is in the near future.

You have to take the following steps to fix this.

1. Generate a new certificate

2. Find where you are using the old certificate and replace it. For example, Identity Provider, REST Service, etc.

Hope this helps.

 
Brad Holden
Hi LBK. Thanks for your response. So I generated a new certificate and named it the same as the last one, changing only the date. It's now in the list of certificates... but I need to do something else with it? How do I find out where I was using the old certificate? And how do I replace it? Sorry... not knowing exactly what it is that these things do is making this more difficult than it probably should be! Thanks.

LBK .
Hey Brad,

There are a few places where a self-signed certificate could be used.

1. Identity Provider - If you are using SFDC as IDP for Single Sign On. You can find it under Setup >> Administer >> Security Controls >> Identity Provider.

2. Single Sign-On Settings - If you are using SFDC as Consumer for Single Sign On. You can find it under Setup >> Administer >> Security Controls >> Single Sign-On Settings.

If your certificate is used in one of the above places, it is quite intuitive to edit this screen and replace the certificate.

3. Installed Packages / Connected Apps.
Some of the third party apps could use your Self-Signed Certificates (Environment Hub is an example).
You can look at them in Setup >> Build >> Installed Packages
I suggest you go through them one at a time and find out if they use your certificate.

Connected Apps will be the same procedure as above. But you will find the connected apps under Setup >> Manage Apps >> Connected Apps.

Hope this helps.
 
This was selected as the best answer
Brad Holden
Cool. It appears we were using it for the Identity Provider. I replaced it with the one I generated and am now crossing my fingers that nothing strange happens! Thank you very much for your help LBK. Much appreciated.
Mike Arthur
Hi Brad,

How did you identify that it was being used for Id Provider for SSO?

LBK - If I renew the certificate, do I need to do anything with whatever is using it?

Thanks,
Mike.
Mike Arthur
Hi LBK,

I'm looking at Installed Packages - how can I tell if it uses a certificate?  I don't see anything obvious.

Many Thanks,
Mike.
Trisha Bates
Hi Brad,

I have just received the same email and also as a newbie I am not really sure what this is. How did you find out what the certificate related to? Thanks
Randi Thompson
I've never seen this before, either, and just this morning, received 8 notifications. Would love to know how folks figured out what areas were using the certificate.
Mike Arthur
Hi Randi, Under Certificate and Key Management, I renamed the expiring one and created a new cert with the same name as the original. There don’t appear to have been any problems. Thanks, Mike.
Mani kanth
Hi Brad,

I'm also facing the same issue. Can anyone suggest how to come up with this?
Gareth Hernandez
I'm receiving a notification that a certificate is expiring in 10 days; it references an Org ID that doesn't match our Production or Sandbox Org IDs. I tried the previous recommendations regarding the Identity Providers, SSO and installed packages but did not find anything obvious, nor were there any certificates in any of our orgs when I reviewed the certificate management section. Any suggestions would be appreciated. FYI... I'm not a developer but a button-click admin. Thanks in advance -Gareth
Amanda Styles
So happy to find this thread.  I was having the same problem, and LBK's answer helped me so much!
Linda XXX
Also received an email that the self-signed certification was expiring. I was able to create a new certification and find where it was being used and replaced it.  However, a big however, I still don't know what it is, nor do I know who created the original certification?  I am NOT a SalesForce newb, been using since 2004, but lately I feel like one.
Chad Todd, MBA
I am in this boat as well. Following for an answer. How do I absolutely tell what installed packages or apps are using this certificate? Under "Installed Packages" and clicking on a package, is this found in "View Dependencies"? What am I looking for?
Olga Ushak
I did the recommended steps (created a new certificate, replaced the expired one with the new one on SSO settings and Identity check). Now none of the SSO-enabled users can log in. What else is missing?
Aaron Johnson
Like Chad, I need to know what I'm looking for under installed packages... where do I need to go to verify the cert?
Ma. Razaele Garcia
Hi! I am also a newbie. When I go to Single Sign-On Settings, SAML is not enabled and there are no SAML Single Sign-On Settings listed. Does that mean I can ignore the expiring certificate? Thanks!
Andrew Kuharich
Curious to know if this is safe to do during 'business hours'? Any chance of interruption to users?
Thanks!
Shivangi Gupta
Can we renew the certificate before it expires? And how should we replace the cert with the new one? Any help would be appreciated! Thanks.
Bruce Stewart
As @LBK stated, this may be used in/by Environment Hub.  So if we've played a bit with SFDX, the large volume of expiring notices may be due to that.  I tracked creation of my Self-Signed cert to the time/date that I also set up MyDomain, and "Installed Connected App SalesforceDX Namespace Registry".   I see this on creating a cert (https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_key_and_cert.htm) for DX, but not much on renewing / replacing as we're all eager to hear here.  Did creating a new cert with the same name truly resolve all issues?
Bruce Stewart
FYI - Found this on StackExchange:  https://salesforce.stackexchange.com/questions/107399/can-i-simply-disable-an-automatically-created-identity-provider
shweta chadha
Yes, it is completely safe to do during business hours. However, please check whether the certificate is related to an internal site/external website or it is a self-sign cert.
In any case except self-sign, you just need to change it in "Certificate and Key Management".
In case of a self-sign cert, you need to change it in three places:
1) Create a new self-sign cert under "Certificate and Key Management"
2) Go to Setup -> Identity Provider and select the new self-sign cert
3) Go to Single Sign-On Settings under Setup and choose the "Request Signing Certificate".
Philipp Mathis
Hello,
I can't delete the one that has expired. The delete button is not showing up. How can I delete it?
Philipp Mathis
thanks for your help
shweta chadha
You need to create a new self-sign certificate by clicking on Self-Sign cert under Certificate and Key Management.
Replace the old cert with the new self-sign cert in the following places:
1) In Certificate and Key Management -> check API Client Certificate, and if you see the old self-sign certificate is there then replace it with the new self-sign cert
2) Setup -> Identity Provider -> Edit and change the self-sign certificate
3) Setup -> Single Sign On -> Edit -> Request Signing Certificate and replace it with the new self-sign cert.

After making all these changes, you will be able to see the Delete button.
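
Added example, not part of any post in this thread: shell helpers for checking the .crt files downloaded from Certificate and Key Management before and after the replacement steps above. A SAML service provider validates signatures against the certificate in the identity provider's metadata, so the last helper compares fingerprints to show whether a metadata file carries the old or the new certificate. It assumes the `openssl` CLI is installed; the file names and the exported SAML metadata XML file are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). File names are placeholders.

# Subject, issuer, validity window and SHA-256 fingerprint of a .crt file.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -startdate -enddate \
    -fingerprint -sha256
}

# Succeeds when subject and issuer names are identical, which is what
# "self-signed" looks like from the outside: no CA vouches for the cert.
cert_is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds when the certificate expires within the next $2 days.
# -checkend exits 0 when the cert is still valid after that many seconds.
cert_expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint only, for comparing two copies of a certificate.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate embedded in a SAML metadata XML file.
# Assumes a single <X509Certificate> element; with several, the last wins.
metadata_fingerprint() {
  tr -d '\r\n' < "$1" |
    sed -n 's/.*<[A-Za-z0-9]*:\{0,1\}X509Certificate>\([^<]*\)<.*/\1/p' |
    tr -d ' \t\n' |
    openssl base64 -d -A |
    openssl x509 -inform DER -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: ./certcheck.sh old.crt new.crt metadata.xml
if [ "$#" -eq 3 ]; then
  cert_summary "$1"
  cert_is_self_signed "$1" && echo "old cert is self-signed"
  cert_expires_within_days "$1" 30 && echo "old cert expires within 30 days"
  if [ "$(metadata_fingerprint "$3")" = "$(cert_fingerprint "$2")" ]; then
    echo "metadata carries the NEW certificate"
  else
    echo "metadata does not carry the new certificate"
  fi
fi
```

If the metadata held by the other side of a Single Sign-On setup still shows the old fingerprint, that side has not yet been given the new certificate.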
 
Philipp Mathis
perfect thanks!
Alice Rebaudo
Hi,

A question. So, I generated a new certificate and now I would like to change it in the Identity Provider, but I have this warning message
User-added image

What should I do?

Best, 
Priyank Dimri
Hi All / LBK,

Let me put it this way: I have checked our Single Sign On settings and Identity Provider. We have nothing set up / configured there. Now, as you mentioned, where in Installed Apps and Connected Apps do I go and check if self-signed certificates are being used there or anywhere else for integration purposes?

Just to add, we have one of our websites integrated with Salesforce and also a Salesforce Pardot integration.

Thanks !