Brad Holden

What the heck is a self-signed certificate and how do I renew it?

Ok I am sorry for being a complete newbie... I have spent the last year grappling with some very minor Salesforce development (on a part-time basis) for a small non-profit. I have learned a lot, but still have only placed a very tiny scratch on the surface! 
So now our Self-Signed Certificate is apparently expiring and I have NO IDEA what that means. Any googling of this quickly gets into going-over-my-head territory. Can someone please explain what I have to do and what is in danger of happening if I don't do it? Here's the message:

You have one or more certificates in your Salesforce org Tin Roof Global 00D6100000084nr that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.

I have gone to Certificate and Key Management and have downloaded the .crt file but am really unsure what I am supposed to do with it!

Thanks in advance

LBK .
The Certificate and Key Management section helps you generate self-signed certificates and manage all your certificates (self and 3rd party).

When you visited this page, you would have noticed that one of your certificates has an Expiration Date that is in the near future.

You have to take the following steps to fix this.

1. Generate a new certificate

2. Find where you are using the old certificate and replace it. For example, Identity Provider, REST Service, etc.

Hope this helps.

 
Brad Holden
Hi LBK. Thanks for your response. So I generated a new certificate and named it the same as the last one, changing only the date. It's now in the list of certificates... but I need to do something else with it? How do I find out where I was using the old certificate? And how do I replace it? Sorry... not knowing exactly what it is that these things do is making this more difficult than it probably should be! Thanks.

LBK .
Hey Brad,

There are a few places where a self-signed certificate could be used.

1. Identity Provider - If you are using SFDC as IDP for Single Sign On. You can find it under Setup >> Administer >> Security Controls >> Identity Provider.

2. Single Sign-On Settings - If you are using SFDC as Consumer for Single Sign On. You can find it under Setup >> Administer >> Security Controls >> Single Sign-On Settings.

If your certificate is used in one of the above places, it is quite intuitive to edit this screen and replace the certificate.

3. Installed Packages / Connected Apps.
Some of the third party apps could use your Self-Signed Certificates (Environment Hub is an example).
You can look at them in Setup >> Build >> Installed Packages
I suggest you go through them one at a time and find out if they use your certificate.

Connected Apps will be the same procedure as above. But you will find the connected apps under Setup >> Manage Apps >> Connected Apps.

Hope this helps.
 
This was selected as the best answer
Brad Holden
Cool. It appears we were using it for the Identity Provider. I replaced it with the one I generated and am now crossing my fingers that nothing strange happens! Thank you very much for your help LBK. Much appreciated.
B
Mike Arthur
Hi Brad,

How did you identify that it was being used for Id Provider for SSO?

LBK - If I renew the certificate, do I need to do anything with whatever is using it?

Thanks,
Mike.
Mike Arthur
Hi LBK,

I'm looking at Installed Packages - how can I tell if it uses a certificate?  I don't see anything obvious.

Many Thanks,
Mike.
Trisha Bates
Hi Brad,

I have just received the same email and also as a newbie I am not really sure what this is. How did you find out what the certificate related to? Thanks
Randi Thompson
I've never seen this before, either, and just this morning, received 8 notifications. Would love to know how folks figured out what areas were using the certificate.
Mike Arthur
Hi Randi, Under Certificate and Key Management, I renamed the expiring one and created a new cert with the same name as the original. There don’t appear to have been any problems. Thanks, Mike.
Mani kanth
Hi Brad,

I'm also facing the same issue, can anyone suggest me how to come-up with this.
Gareth Hernandez
I'm receiving a notification that a certificate is expiring in 10 days; it references an Org ID that doesn't match our Production or Sandbox Org IDs. I tried the previous recommendations regarding the Identity Providers, SSO and installed packages but did not find anything obvious, nor were there any certificates in any of our orgs when I reviewed the certificate management section. Any suggestions would be appreciated. FYI... I'm not a developer but a button click admin. Thanks in advance -Gareth
Amanda Styles
So happy to find this thread.  I was having the same problem, and LBK's answer helped me so much!
Linda XXX
Also received an email that the self-signed certification was expiring. I was able to create a new certification and find where it was being used and replaced it.  However, a big however, I still don't know what it is, nor do I know who created the original certification?  I am NOT a SalesForce newb, been using since 2004, but lately I feel like one.
Chad Todd, MBA
I am in this boat as well. Following for an answer. How do I absolutely tell what installed packages or apps are using this certificate? Under "Installed Packages" and clicking on a package is this found in "View Dependencies"? What am I looking for?
Olga Ushak
I did the recommended steps (created a new certificate, replaced the expired one with the new one on SSO settings and Identity check). Now none of the SSO-enabled users can log in. What else is missing?
Aaron Johnson
Like Chad, I need to know what I'm looking for under installed packages... where do I need to go to verify the cert?
Ma. Razaele Garcia
Hi! I am also a newbie. When I go to Single Sign-On Settings, SAML is not enabled and there are no SAML Single Sign-On Settings listed. Does that mean I can ignore the expiring certificate? Thanks!
Andrew Kuharich
Curious to know if this is safe to do during 'business hours'? Any chance of interruption to users?
Thanks!
Shivangi Gupta
Can we renew the certificate before it expires? And how should we replace the cert with the new one? Any help would be appreciated! Thanks.
Bruce Stewart
As @LBK stated, this may be used in/by Environment Hub.  So if we've played a bit with SFDX, the large volume of expiring notices may be due to that.  I tracked creation of my Self-Signed cert to the time/date that I also set up MyDomain, and "Installed Connected App SalesforceDX Namespace Registry".   I see this on creating a cert (https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_key_and_cert.htm) for DX, but not much on renewing / replacing as we're all eager to hear here.  Did creating a new cert with the same name truly resolve all issues?
Bruce Stewart
FYI - Found this on StackExchange:  https://salesforce.stackexchange.com/questions/107399/can-i-simply-disable-an-automatically-created-identity-provider
shweta chadha
Yes, it is completely safe to do during business hours. However, please check whether the certificate is related to an internal site/external website or whether it is a self-sign cert.
In any case except self-sign you just need to change it in "Certificate and Key Management".
In case of a self-sign cert, you need to change it in three places:
1) Create a new self-sign cert under "Certificate and Key Management"
2) Go to Setup -> Identity Provider and select the new self-sign cert
3) Go to Single Sign-On Settings under Setup and choose the "Request Signing Certificate".
Philipp Mathis
Hello,
I can't delete the one that has expired. The delete button is not showing up. How can I delete it?
Philipp Mathis
Thanks for your help
shweta chadha
You need to create a new self-sign certificate by clicking on Self-Sign cert under Certificate and Key Management.
Replace the old cert with the new self-sign cert in the following places:
1) In Certificate and Key Management -> check API Client Certificate, and if you see the old self-sign certificate there, replace it with the new self-sign cert
2) Setup -> Identity Provider -> Edit and change the self-sign certificate
3) Setup -> Single Sign On -> Edit -> Request Signing Certificate and replace it with the new self-sign cert.

After making all these changes, you will be able to see the Delete button.
 
Philipp Mathis
Perfect, thanks!
Alice Rebaudo
Hi,

A question. So, I generated a new certificate and now I would like to change it in the Identity Provider but I have this warning message

What should I do?

Best, 
Priyank Dimri
Hi All / LBK,

Let me put it this way: I have checked our Single Sign On settings and Identity Provider. We have nothing set up / configured there. Now, as you mentioned, where in Installed Apps and Connected Apps do I go and check if self-signed certificates are being used there or anywhere else for integration purposes?

Just to add, we have one of our websites integrated with Salesforce and also a Salesforce Pardot integration.

Thanks !
Andrea Ryan
Hi All -

I must be missing something very obvious, but I am looking at the Installed Apps and I do not see ANYTHING that indicates which ones are using the certificate and which ones are not. Also, I definitely do not see any way to switch any of them to use the newly created certificate. I just did this in our sandbox and it has definitely disconnected several of our Installed Apps and I can't see any way to reconnect them? The only advice in this thread regarding Installed Apps is, "go through them one at time and find out if they use your certificate." How does one actually DO THAT?

Thanks
Mike Arthur
Hi Andrea, Not sure if it answers your situation but there’s some useful information on self signed certs from Fabrice here - https://saas-components.com/sfdc-expiring-certificate/ Thanks, Mike.
Andrea Ryan
Thanks, Mike. This is really helpful. I think our cert was just generated automatically by one of those processes and isn't actually doing anything. I'm going to roll the dice on that and hope nothing breaks! Thanks for your help!
Ashlynn Sylvain
I also can't figure out whether my certificates are used for any installed packages or connected apps. They are definitely not being used for SSO or IP, but not sure what I am looking for with apps and packages. Can anyone provide guidance as to WHERE the certificate use would be indicated when looking at any installed package or connected app? 
Adeep Roka
"Warning: If you change this certificate, users can't connect to service providers until you reconfigure each service provider to work with the new certificate." When I try to update in the Identity Provider Setup this is the message that shows up. What should I do here? We do have web, mobile (not mobile 1), and a couple of integration partners. Does this mean I have to change something else? Any help is appreciated.
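Added example, not part of the original thread and not Salesforce code: the warning quoted above exists because a service provider validates SAML signatures against the exact certificate bytes it holds in its copy of the identity provider's metadata, so a new certificate with the same name still fails until that copy is updated. The function names, the entity ID and the placeholder certificate bytes below are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

def fingerprint(der):
    """SHA-256 over the DER bytes; the certificate's label plays no part."""
    return hashlib.sha256(der).hexdigest()

def pem_to_der(pem):
    """Decode the body of a downloaded .crt (PEM) file."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))

def trusted_signing_certs(metadata_xml):
    """DER certificates listed for signing in the IdP metadata a service provider holds."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means signing and encryption
            for node in kd.iterfind(".//ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs

def sp_needs_update(sp_metadata_xml, new_crt_pem):
    """True if the service provider's copy does not contain the new certificate."""
    known = {fingerprint(c) for c in trusted_signing_certs(sp_metadata_xml)}
    return fingerprint(pem_to_der(new_crt_pem)) not in known

# --- constructed sample data: placeholder bytes, not real certificates ---
OLD_DER, NEW_DER = b"constructed-old-certificate", b"constructed-new-certificate"

def as_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

def metadata_with(der):
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.invalid">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{base64.b64encode(der).decode()}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    print(sp_needs_update(metadata_with(OLD_DER), as_pem(NEW_DER)))  # SP still holds the old cert
    print(sp_needs_update(metadata_with(NEW_DER), as_pem(NEW_DER)))  # SP has been reconfigured
```

Running the same comparison against each service provider's stored metadata before switching the Identity Provider certificate shows which ones still need the new certificate uploaded.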
Emily Walton
I am having an issue that I have a self-signed certificate that is going to expire, but I can't find where it is used. I looked in Identity Providers and in Single Sign-On Settings and it's not there. And when I look at Connected Apps and Installed Packages I don't see anywhere it would even show me if they were using a self-signed certificate. Is it possible that it's not being used? Isn't there some easy way to find where it's being used?
Andrea Ryan
@emilywalton you very likely aren't using the certificate at all. It probably got generated automatically by another process. If you aren't seeing it listed under single sign on or identity providers then it's OK to let it expire. It's annoying that there isn't a more clear UI that just tells you if it's being used, but I had the same situation and I let it just expire and nothing broke. Best of all, those annoying emails stopped and in theory will never come back. Hope that helps.
Paula Elliott
I received 4 of these notifications this morning; 3 say they are for Sandboxes and have my email along with emails for Salesforce employees. Why would the Salesforce emails be on it?
Connie Cannon
How does one tell if a connected app is using one of my signed certificates? How do I tell which one? I see the question is asked several times above but there is no real answer. Step by step, please.