Brad Holden

What the heck is a self-signed certificate and how do I renew it?

Ok I am sorry for being a complete newbie... I have spent the last year grappling with some very minor Salesforce development (on a part-time basis) for a small non-profit. I have learned a lot, but still have only placed a very tiny scratch on the surface! 
So now our Self-Signed Certificate is apparently expiring and I have NO IDEA what that means. Any googling of this quickly gets into going-over-my-head territory. Can someone please explain what I have to do and what is in danger of happening if I don't do it? Here's the message:

You have one or more certificates in your Salesforce org Tin Roof Global 00D6100000084nr that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.

I have gone to Certificate and Key Management and have downloaded the .crt file but am really unsure what I am supposed to do with it!

Thanks in advance

All Answers

LBK .
The Certificate and Key Management section helps you generate self-signed certificates and manage all your certificates (self and 3rd party).

When you visited this page, you would have noticed that one of your certificates has an Expiration Date that is in the near future.

You have to take the following steps to fix this.

1. Generate a new certificate

2. Find where you are using the old certificate and replace it. For example, Identity Provider, REST Service, etc.

Hope this helps.
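To see what the downloaded .crt file contains, the following added example (not part of the original thread) uses the openssl command line to check that a certificate is self-signed, whether it expires soon, and what its fingerprint is, which tells an old and a new certificate apart when both carry the same name. The sample certificate, its subject and the function names are constructed for illustration; point the functions at your own downloaded .crt instead.

```shell
#!/bin/sh
# Constructed sample: a throwaway self-signed certificate valid for 10 days,
# standing in for the .crt downloaded from Certificate and Key Management.
make_sample_cert() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -subj "/CN=SelfSignedCert_Example/O=Example Org" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

# Self-signed means the certificate is signed with its own key: subject and
# issuer are the same name, and the signature verifies against the
# certificate itself instead of chaining to a certificate authority.
is_self_signed() {  # $1 = certificate file (PEM)
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issu=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$subj" = "$issu" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Returns 0 if the certificate expires within $2 days (or already has).
expires_within_days() {  # $1 = certificate file, $2 = days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# SHA-256 fingerprint: differs between the old and the renewed certificate
# even when both were given the same label.
sha256_fingerprint() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo run on the constructed sample.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
openssl x509 -in "$tmp/sample.crt" -noout -subject -issuer -enddate
if is_self_signed "$tmp/sample.crt"; then
    echo "self-signed: yes (issuer and subject are the same entity)"
fi
if expires_within_days "$tmp/sample.crt" 30; then
    echo "expires within 30 days: generate a replacement and swap it in"
fi
echo "fingerprint: $(sha256_fingerprint "$tmp/sample.crt")"
```

Anything that was configured to trust the old certificate, such as the other side of a single sign-on setup, will not recognise the new one until it is given the new file, which is why the replacement step matters.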

 
Brad Holden
Hi LBK. Thanks for your response. So I generated a new certificate and named it the same as the last one, changing only the date. It's now in the list of certificates... but I need to do something else with it? How do I find out where I was using the old certificate? And how do I replace it? Sorry... not knowing exactly what it is that these things do is making this more difficult than it probably should be! Thanks.

LBK .
Hey Brad,

There are a few places where a self-signed certificate could be used.

1. Identity Provider - If you are using SFDC as IDP for Single Sign On. You can find it under Setup >> Administer >> Security Controls >> Identity Provider.

2. Single Sign-On Settings - If you are using SFDC as Consumer for Single Sign On. You can find it under Setup >> Administer >> Security Controls >> Single Sign-On Settings.

If your certificate is used in one of the above places, it is quite intuitive to edit this screen and replace the certificate.

3. Installed Packages / Connected Apps.
Some of the third party apps could use your Self-Signed Certificates (Environment Hub is an example).
You can look at them in Setup >> Build >> Installed Packages
I suggest you go through them one at a time and find out if they use your certificate.

Connected Apps will be the same procedure as above. But you will find the connected apps under Setup >> Manage Apps >> Connected Apps.

Hope this helps.
 
This was selected as the best answer
Brad Holden
Cool. It appears we were using it for the Identity Provider. I replaced it with the one I generated and am now crossing my fingers that nothing strange happens! Thank you very much for your help LBK. Much appreciated.
B
Mike Arthur
Hi Brad,

How did you identify that it was being used for Id Provider for SSO?

LBK - If I renew the certificate, do I need to do anything with whatever is using it?

Thanks,
Mike.
Mike Arthur
Hi LBK,

I'm looking at Installed Packages - how can I tell if it uses a certificate?  I don't see anything obvious.

Many Thanks,
Mike.
Trisha Bates
Hi Brad,

I have just received the same email and also as a newbie I am not really sure what this is. How did you find out what the certificate related to? Thanks
Randi Thompson
I've never seen this before, either, and just this morning, received 8 notifications. Would love to know how folks figured out what areas were using the certificate.
Mike Arthur
Hi Randi, Under Certificate and Key Management, I renamed the expiring one and created a new cert with the same name as the original. There don’t appear to have been any problems. Thanks, Mike.
Mani kanth
Hi Brad,

I'm also facing the same issue. Can anyone suggest how to come up with this?
Gareth Hernandez
I'm receiving a notification that a certificate is expiring in 10 days; it references an Org ID that doesn't match our Production or Sandbox Org IDs. I tried the previous recommendations regarding the Identity Providers, SSO and installed packages but did not find anything obvious, nor were there any certificates in any of our orgs when I reviewed the certificate management section. Any suggestions would be appreciated. FYI... I'm not a developer but a button-click admin. Thanks in advance -Gareth
Amanda Styles
So happy to find this thread.  I was having the same problem, and LBK's answer helped me so much!
Linda XXX
Also received an email that the self-signed certification was expiring. I was able to create a new certification and find where it was being used and replaced it.  However, a big however, I still don't know what it is, nor do I know who created the original certification?  I am NOT a SalesForce newb, been using since 2004, but lately I feel like one.
Chad Todd, MBA
I am in this boat as well. Following for an answer. How do I absolutely tell what installed packages or apps are using this certificate? Under "Installed Packages" and clicking on a package, is this found in "View Dependencies"? What am I looking for?
Olga Ushak
I did the recommended steps (created a new certificate, replaced the expired one with the new one on SSO settings and Identity check). Now none of the SSO-enabled users can log in. What else is missing?
Aaron Johnson
Like Chad, I need to know what I'm looking for under installed packages... where do I need to go to verify the cert?
Ma. Razaele Garcia
Hi! I am also a newbie. When I go to Single Sign-On Settings, SAML is not enabled and there are no SAML Single Sign-On Settings listed. Does that mean I can ignore the expiring certificate? Thanks!