What the heck is a self-signed certificate and how do I renew it? - Answers - Salesforce Trailblazer Community
Brad Holden

What the heck is a self-signed certificate and how do I renew it?

Ok I am sorry for being a complete newbie... I have spent the last year grappling with some very minor Salesforce development (on a part-time basis) for a small non-profit. I have learned a lot, but still have only placed a very tiny scratch on the surface! 
So now our Self-Signed Certificate is apparently expiring and I have NO IDEA what that means. Any googling of this quickly gets into going-over-my-head territory. Can someone please explain what I have to do and what is in danger of happening if I don't do it? Here's the message:

You have one or more certificates in your Salesforce org Tin Roof Global 00D6100000084nr that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.

I have gone to Certificate and Key Management and have downloaded the .crt file but am really unsure what I am supposed to do with it!

Thanks in advance
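Brad mentions having downloaded the .crt file from Certificate and Key Management without knowing what to do with it. As an added example (not part of the thread and not Salesforce's own tooling), the POSIX shell script below uses the openssl command-line tool, which it assumes is installed, to show what that file can tell you: the subject, the expiry date, and the SHA-256 fingerprint, plus a check for whether it expires within a chosen number of days. The function names are my own, and the certificate it generates for itself is a constructed throwaway so the script runs offline; point the functions at your real .crt instead.

```shell
#!/bin/sh
# Added example: inspect a certificate file (PEM or DER) such as the .crt
# downloaded from Salesforce's Certificate and Key Management page.
# Assumes the openssl CLI is on PATH. Function names are illustrative.
set -eu

# Print subject, notAfter date and SHA-256 fingerprint of a certificate file.
# The fingerprint is the value to compare with whatever a service provider or
# integration partner has on file; a fresh certificate has a fresh key pair,
# so its fingerprint differs from the old one even when the label is reused.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Return 0 (true) when the certificate in $1 expires within $2 days, else 1.
# openssl's -checkend takes seconds and exits non-zero if the certificate will
# have expired by then, so the result is inverted here to read naturally.
cert_expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1
    fi
    return 0
}

# Generate a constructed self-signed certificate ($1 = output .crt path,
# $2 = validity in days) purely so this script can be run offline for a demo.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=demo-self-signed" -days "$2" \
        -keyout "${1%.crt}.key" -out "$1" >/dev/null 2>&1
}

# Command-line use: sh check_cert.sh path/to/certificate.crt
if [ -n "${1:-}" ]; then
    cert_summary "$1"
    if cert_expires_within_days "$1" 30; then
        echo "WARNING: expires within 30 days; create and assign a replacement"
    else
        echo "OK: more than 30 days of validity left"
    fi
fi
```

Run it as `sh check_cert.sh yourcert.crt`. The 30-day threshold mirrors the notice Salesforce sends; change the second argument of cert_expires_within_days to whatever lead time your change process needs.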
Best Answer chosen by Brad Holden
LBK Muthukrishnan
Hey Brad,

There are a few places where a self-signed certificate could be used.

1. Identity Provider - if you are using SFDC as the IdP for Single Sign-On. You can find it under Setup >> Administer >> Security Controls >> Identity Provider.

2. Single Sign-On Settings - if you are using SFDC as the consumer for Single Sign-On. You can find it under Setup >> Administer >> Security Controls >> Single Sign-On Settings.

If your certificate is used in one of the above places, it is quite intuitive to edit this screen and replace the certificate.

3. Installed Packages / Connected Apps.
Some of the third party apps could use your Self-Signed Certificates (Environment Hub is an example).
You can look at them in Setup >> Build >> Installed Packages
I suggest you go through them one at a time and find out if they use your certificate.

Connected Apps will be the same procedure as above. But you will find the connected apps under Setup >> Manage Apps >> Connected Apps.

Hope this helps.

All Answers

LBK Muthukrishnan
The Certificate and Key Management section helps you generate self-signed certificates and manage all your certificates (self-signed and 3rd party).

When you visited this page, you would have noticed that one of your certificates has an Expiration Date that is in the near future.

You have to take the following steps to fix this.

1. Generate a new certificate

2. Find where you are using the old certificate and replace it. For example, Identity Provider, REST Service, etc.

Hope this helps.

Brad Holden
Hi LBK. Thanks for your response. So I generated a new certificate and named it the same as the last one, changing only the date. It's now in the list of certificates... but I need to do something else with it? How do I find out where I was using the old certificate? And how do I replace it? Sorry... not knowing exactly what it is that these things do is making this more difficult than it probably should be! Thanks.

Brad Holden
Cool. It appears we were using it for the Identity Provider. I replaced it with the one I generated and am now crossing my fingers that nothing strange happens! Thank you very much for your help LBK. Much appreciated.
Mike Arthur
Hi Brad,

How did you identify that it was being used for Id Provider for SSO?

LBK - If I renew the certificate, do I need to do anything with whatever is using it?

Mike Arthur

I'm looking at Installed Packages - how can I tell if it uses a certificate?  I don't see anything obvious.

Many Thanks,
Trisha Bates
Hi Brad,

I have just received the same email and also as a newbie I am not really sure what this is. How did you find out what the certificate related to? Thanks
Randi Thompson
I've never seen this before, either, and just this morning, received 8 notifications. Would love to know how folks figured out what areas were using the certificate.
Mike Arthur
Hi Randi, Under Certificate and Key Management, I renamed the expiring one and created a new cert with the same name as the original. There don’t appear to have been any problems. Thanks, Mike.
Mani kanth
Hi Brad,

I'm also facing the same issue. Can anyone suggest to me how to come up with a solution for this?
Gareth Hernandez
I'm receiving a notification that a certificate is expiring in 10 days. It references an Org ID that doesn't match our Production or Sandbox Org IDs. I tried the previous recommendations regarding the Identity Provider, SSO and installed packages but did not find anything obvious, nor were there any certificates in any of our orgs when I reviewed the certificate management section. Any suggestions would be appreciated. FYI, I'm not a developer but a button-click admin. Thanks in advance, Gareth
Amanda Styles
So happy to find this thread.  I was having the same problem, and LBK's answer helped me so much!
Linda Smith
Also received an email that the self-signed certification was expiring. I was able to create a new certification and find where it was being used and replaced it.  However, a big however, I still don't know what it is, nor do I know who created the original certification?  I am NOT a SalesForce newb, been using since 2004, but lately I feel like one.
Chad Todd, MBA
I am in this boat as well. Following for an answer. How do I absolutely tell what installed packages or apps are using this certificate? Under "Installed Packages" and clicking on a package, is this found in "View Dependencies"? What am I looking for?
Olga Ushak
I did the recommended steps (created a new certificate, replaced the expired one with the new one on SSO settings and Identity check). Now none of the SSO-enabled users can log in. What else is missing?
Aaron Johnson
Like Chad, I need to know what I'm looking for under installed packages... where do I need to go to verify the cert?
Razaele Garcia
Hi! I am also a newbie. When I go to Single Sign-On Settings, SAML is not enabled and there are no SAML Single Sign-On Settings listed. Does that mean I can ignore the expiring certificate? Thanks!
Andrew Kuharich
Curious to know if this is safe to do during 'business hours'? Any chance of interruption to users?
Shivangi Gupta
Can we renew the certificate before it expires? And how we should replace the cert with the new one? Any help would be appreciated! Thanks.
Bruce Stewart
As @LBK stated, this may be used in/by Environment Hub.  So if we've played a bit with SFDX, the large volume of expiring notices may be due to that.  I tracked creation of my Self-Signed cert to the time/date that I also set up MyDomain, and "Installed Connected App SalesforceDX Namespace Registry".   I see this on creating a cert (https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_key_and_cert.htm) for DX, but not much on renewing / replacing as we're all eager to hear here.  Did creating a new cert with the same name truly resolve all issues?
Bruce Stewart
FYI - Found this on StackExchange:  https://salesforce.stackexchange.com/questions/107399/can-i-simply-disable-an-automatically-created-identity-provider
shweta chadha
Yes, it is completely safe to do during business hours. However, please check whether the certificate is related to an internal site/external website or is a self-signed cert.
In any case except self-signed, you just need to change it in "Certificate and Key Management".
In the case of a self-signed cert, you need to change it in three places:
1) Create a new self-signed cert under "Certificate and Key Management"
2) Go to Setup -> Identity Provider and select the new self-signed cert
3) Go to Single Sign-On Settings under Setup and choose the "Request Signing Certificate".
Philipp Mathis
I can't delete the one that has expired; the Delete button is not showing up. How can I delete it?
Philipp Mathis
thanks for your help
shweta chadha
You need to create a new self-signed certificate by clicking on Self-Signed Cert under Certificate and Key Management.
Replace the old cert with the new self-signed cert in the following places:
1) In Certificate and Key Management -> check API Client Certificate, and if you see the old self-signed certificate there, replace it with the new self-signed cert
2) Setup -> Identity Provider -> Edit and change the self-signed certificate
3) Setup -> Single Sign-On -> Edit -> Request Signing Certificate and replace it with the new self-signed cert.

After making all these changes, you will be able to see Delete button.
Philipp Mathis
Perfect, thanks!
Alice Rebaudo

A question. So, I generated a new certificate and now I would like to change it in the Identity Provider, but I get this warning message:

What should I do?

Priyank Dimri
Hi All / LBK, 

Let me put it this way: I have checked our Single Sign-On settings and Identity Provider. We have nothing set up / configured there. Now, as you mentioned, where in Installed Apps and Connected Apps do I go to check if self-signed certificates are being used there or anywhere else for integration purposes?

Just to add, we have one of our websites integrated with Salesforce and also a Salesforce Pardot integration.

Thanks !
Andrea Ryan
Hi All,

I must be missing something very obvious, but I am looking at the Installed Apps and I do not see ANYTHING that indicates which ones are using the certificate and which ones are not. Also, I definitely do not see any way to switch any of them to use the newly created certificate. I just did this in our sandbox and it has definitely disconnected several of our Installed Apps and I can't see any way to reconnect them. The only advice in this thread regarding Installed Apps is, "go through them one at a time and find out if they use your certificate." How does one actually DO THAT?

Mike Arthur
Hi Andrea, Not sure if it answers your situation but there’s some useful information on self signed certs from Fabrice here - https://saas-components.com/sfdc-expiring-certificate/ Thanks, Mike.
Andrea Ryan
Thanks, Mike. This is really helpful. I think our cert was just generated automatically by one of those processes and isn't actually doing anything. I'm going to roll the dice on that and hope nothing breaks! Thanks for your help!
Ashlynn Sylvain
I also can't figure out whether my certificates are used for any installed packages or connected apps. They are definitely not being used for SSO or IP, but not sure what I am looking for with apps and packages. Can anyone provide guidance as to WHERE the certificate use would be indicated when looking at any installed package or connected app? 
Adeep Roka
"Warning: If you change this certificate, users can't connect to service providers until you reconfigure each service provider to work with the new certificate."  When I try to update in the Identity Provider Setup this is the message that shows up.  what should I do here? we do have web, mobile (not mobile 1), and couple of integration partners. Does this mean i have to change something else? Any help is appreciated. 
Emily Walton
I am having an issue that I have a self-signed certificate that is going to expire, but I can't find where it is used. I looked in Identity Providers and in Single Sign-On Settings and it's not there. And when I look at Connected Apps and Installed Packages I don't see anywhere it would even show me if they were using a self-signed certificate. Is it possible that it's not being used? Isn't there some easy way to find where it's being used?
Andrea Ryan
@emilywalton you very likely aren't using the certificate at all. It probably got generated automatically by another process. If you aren't seeing it listed under Single Sign-On or Identity Providers then it's ok to let it expire. It's annoying that there isn't a clearer UI that just tells you if it's being used, but I had the same situation and I let it just expire and nothing broke. Best of all, those annoying emails stopped and in theory will never come back. Hope that helps.
Paula Elliott
I received 4 of these notifications this morning. 3 say they are for Sandboxes and have my email along with emails for Salesforce employees. Why would the Salesforce emails be on it?
Connie Cannon
How does one tell if a connected app is using one of my signed certificates? How do I tell which one? I see the question is asked several times above but there is no real answer. Step by step, please.
Jeff Mitchell
I am fairly sure the issue in my instance is due to a certificate that was auto-generated via another process. To second Connie's point, is there a specific section to check where on the Connected Apps and Installed packages a certificate may be being used? I see it applied to our identity provider but without any service providers associated which leaves me to believe nothing may happen if it expires.
Bernardette Abogado
This helped me so much!!! Thank you to everyone that shared their knowledge. I was able to create and change my certificates and I'm new at this. Again, thanks!
Ashley Parfitt
Very useful info here, the link that Bruce Stewart left answered the question for me so thanks for that :)
Kris Ryan
I am unable to delete my old certificate and am in the same boat as a LOT of people on this thread. Where do I look in regards to the Installed Packages and Connected Apps to determine if any of them are using the old certificate??
Hermen Felten

I'm not an expert by any means but I found this article, maybe it creates more clarity on this question. Start at Step 9. 

I can't find a 'SAML Service Provider Settings' Section or 'IdP Certificate' Field on any of my Connected Apps so that must mean I don't use a certificate for that app.


Michael Andrew Wright
I just created a new certificate. Found the old one in use in one location - assigned the new. Deleted the old one. Everything is still working.
Dave Cavicchia
I am a newbie as well and came across this exact issue today. This thread was amazing and walked me through the process. Thank you so much! I appreciate that the SF community is a helping community! 
Aliesha Hansen
Thanks so much for this Very Helpful info here! Much appreciated!
Stephanie Leith
Hello All, 
I see this asked a few times in the thread, but I don't think I'm seeing a clear answer. 

What is the recommended way to determine if an installed package is using the Self Sign-On Certificate? Is there any clear indicator? Or a certain type of integration that tends to use them? Or do I need to go into the package and view dependencies? I'm not seeing anything there, but perhaps I need to look elsewhere. 

Thank you! 
Simona Martin
Hey... this was very helpful. I managed to find where the expiring self-signed certificate is being used. I created a new certificate. However, it says I can't use it to replace the expiring one... "You can't use this certificate until it's been signed by a certificate authority and imported into your organization." How do we get it signed by a certificate authority?
I always appreciate the wisdom of this forum!  Thanks in advance.
Sarah Bactol

Hi All,

Is there any issue with allowing the self signed certificate for past sandboxes to expire? 

We keep some old sandboxes around that are past iterations of production org.

David Baumann

Hi folks,

Recently I had the same issue, and another place where the certificate is referenced in Setup is "Identity Provider". I assume that the certificate gets auto-created when you enable "My Domain", since you could use Salesforce for SSO from then on (no guarantee).




Stephanie Astor
I have renewed my certificate, but we don't have any documentation on where it's being used. I have checked:

1. Identity Provider - If you are using SFDC as IDP for Single Sign On. You can find it under Setup >> Administer >> Security Controls >> Identity Provider. - we are not using any service providers

2. Single Sign-On Settings - If you are using SFDC as Consumer for Single Sign On. You can find it under Setup >> Administer >> Security Controls >> Single Sign-On Settings.  - we are not using any single sign on settings

So - I need to look each installed package - but I don't know what I am looking for - can someone please advise?

Radha Lingutla
Where do I need to go to verify the certificate in Connected Apps?
Lasha Abashidze
Hi Stephanie,
You have to open each Connected App and if you will find there "SAML Service Provider Settings", it means this App is using the certificate.
Hana Lokey
Hi all, 

This thread is helpful but a bit overwhelming. I have Self-signed certificate that is set to expire in 30 days. I am pretty sure it was created automatically when my org created a "my domain". We do not use single sign-on. I can see it listed under the Identity Provider page.

I saw this in a Salesforce article:
Depending on your situation, the expired certificate must be replaced in the following places to be able to resolve the issue:
1. Single Sign On - You could be using the certificate as the "Request Signing Certificate" for an SSO setting.
2. Connected Apps - You could be using the expiring certificate in an App configuration, such as for SSO (OAuth) set up through the App.
3. Identity Provider - This feature was enabled by default in many orgs, causing automatic creation of a self-signed certificate. This is because when it is enabled, it requires a certificate to be set in the settings. If you are not using this feature, you could choose to deactivate the feature to avoid needing to keep an up-to-date certificate in place in the settings. 

But how do I see if it's actually being used anywhere? Thanks.
Lasha Abashidze
Hi Hana,

I think the only way to solve this issue is to contact the app support team. I've done all the steps and all recommendations and spent a lot of time, but it didn't work. Then we contacted the support of the app (you have to find which app is using this certificate; in my case it was Adbook) and they did this update from their side. Also, they told us that we are not able to update it from our side, so next year we'll contact them again. I think it will be better if you reach out to support regarding this.
Shay Davis
Super helpful thread, everyone. Thank you!!
Tim Bouscal
@Gareth and others.  If you receive a notice and the ID doesn't match production or sandbox ids it is most likely from a sandbox that has been refreshed recently.  I've encountered the same thing and had a record of prior sandbox IDs to confirm.
Alexander Dow
Spent a decent amount of time on this and was overwhelmed with understanding this thread and misunderstanding some details, so I contacted tech support and they walked me through these steps. Hoping this is accurate, and all orgs/builds are different, but these are the notes I'm using for next year, if they help anyone else.

Certificate and Key Management Expiring:
  1. Go to Setup
  2. Search "Certificate and Key Management"
  3. Click on the existing certificate about to expire
  4. Hover over the "Delete" button (which should be grayed out) and it will tell you where it's used (take note)
  5. Copy the existing certificate name
  6. Go back to "Certificate and Key Management" and choose "Create Self-Signed Certificate"
  7. Paste the name into the label, change it to the current year (e.g. 2019 to 2020) and save
  8. Search "Single Sign-on Settings" from Setup; if not used, don't worry about it. If used, check documentation or with tech support on how to update.
  9. Search "Identity Provider" from Setup and switch to the new certificate
    a. Click "Edit" and choose the newly created certificate from the drop-down menu
    b. If an app needs the certificate in the future you can choose "Download Certificate" and send them the certificate.
  10. From Setup look up "Connected Apps"
    a. Click on "Manage Connected Apps"
    b. If the apps have an envelope with a blue arrow there's nothing further to worry about: managed packages don't need the certificate
    c. If Connected Apps don't have the envelope with a blue arrow, investigate further whether they need it.
Martin Westlake
I don't get the 3 options the Best Answer suggests, e.g. I get only Delegated Administration when I type "admi" in the Quick Find box.
Su Wang
Hi, Alexander:
Your post is so helpful!  Thanks for sharing!  While you were working with SF tech support, have you asked them if this can be safely done during business hours? There is a post before you saying it is SAFE but I would like to know from the SF tech support to be sure.


Alexander Dow
Hi Su, 

Glad it helped! (I hope.) I didn't specifically ask about making updates during business hours since our certificate wasn't in use, so it wasn't an applicable issue. So if your certificate is not being used by another source to connect, I wouldn't think it would matter when you do the certificate update.

But if the certificate is in use somewhere in your org, I don't know if there's a lag time between switching the expired certificate and the next certificate.  I would assume that you would need to connect the certificate manually to each process that uses it (either a Single-Sign on, Identity Provider, or Connected App?) But unfortunately I can't advise on that process. 

Good luck! 

Su Wang
Hi, Alexander, thanks for your reply! I did it yesterday, with a Salesforce Support person watching, and successfully updated (renewed) our certificate during business hours. It only takes a few seconds if you are well prepared. It did not cause any glitches in our system. We do use it for SSO and Identity Provider. Here is what I did:
  1. At Certificates and Keys Management, update our current certificate that was about to expire with "Old" attached to the Label and the Unique Name
  2. Create a new Self Signed Certificate using the current certificate name
  3. Update your Identity Provider with the current certificate name
  4. Update your SSO setting with the current certificate name
NOTE: The key is keeping the certificate name unchanged so that wherever it is used in another system, say Azure, they don't need to update it. For Steps 3 and 4: after you attach "Old" to the expiring certificate, those settings are auto-updated to the name with "Old" attached, so you will need to update them there to the current name.

Hope this comment helps other people in our situation.

Louise Kelly
I am so grateful for all of the insights provided here. One thing that still confuses me though: for orgs where the certificate was automatically created during the setup of a My Domain, and where the org does not use the certificate for ANY other purpose - is it OK to just let the certificate expire? I work with really small nonprofits and having to remember to create a new certificate every year is just one more source of complexity in managing this increasingly complex platform. I'd love to be able to tell these orgs that they don't need to worry about this...
Tim Bouscal
Hi Louise, if it isn't being used it's fine to let it expire. You may still get email about it but it's infrequent.
Louise Kelly
Thanks Tim. So to be clear - the system says it is being used by the Identity provider-  that got automatically setup when I set up a My Domain for each org (something that Salesforce is requiring every org to do). So what I don't fully understand is what happens to My Domain functionality if the certificate that was automatically generated during My Domain setup is allowed to expire...
Tim Bouscal
Louise, nothing changes with MyDomain unless there is an external source using it for some kind of integration or if you are using it for an identity provider.  Alexander Dow's response above will help you check everything you need to check.
Louise Kelly
Hi Tim - OK - thanks. The thing that is frustrating about this is when you write "or if you are using it for an identity provider" - since the simple act of setting up My Domain automatically creates a certificate that is then automatically used by an identity provider.  So - if the certificate used by the identity provider, which is tied to My Domain - expires- what happens to the My Domain functionality?
Tanya Dasgupta

Hi guys,

Quick tip, if this is helpful to anyone: 

To check where your certificates are used in your ORG. : 
From Setup go to the desired certificate and click it. If the Delete button on that certificate is grayed out, it means it is being used in your ORG. 
If you scroll over your Delete button it shows where that specific Certificate is being used.