          Proactive Expired Certificate Notification Control


          Makes sure that active system administrators receive timely alerts before security certificates (SAML, Identity, JWT) expire.

          Control Name

          Proactive Expired Certificate Notification

          Control Overview

          Makes sure that active system administrators receive timely alerts before security certificates (SAML, Identity, JWT) expire.

          Description

          Assigns the "Receive Certificate Expiration Notification" system permission via a Permission Set to designated system administrators responsible for infrastructure maintenance.

          Recommended Configuration

          Create a dedicated permission set with the "Receive Certificate Expiration Notification" permission enabled and assign it to at least two active system administrators.

          Security Impact

          Prevents system disruptions and emergency security bypasses that often occur when certificates expire unexpectedly, forcing teams to scramble for quick fixes.

          Business Impact

          Maintains service uptime and avoids disruptions for system users. Reduces the need for emergency changes that bypass standard DevOps/Change Management protocols.

          Security Risk If Not Configured

          Unnoticed certificate expiration leads to immediate service denial. In high-pressure outages, teams may temporarily resort to weak security practices to restore service, creating a window of vulnerability.

          Threat Scenarios

          System Availability: Users cannot log in because the SAML signing certificate has expired.
          Integration Failure: Automated data syncs fail as JWT bearer flows reject expired certificates.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Higher risk for orgs with complex identity management or those using Salesforce as an IdP for many external downstream applications.

          Higher Risk When

          A former employee is set to receive notifications, or when the specific system permission is not assigned to anyone.

          Low Risk When

          A process exists to periodically review certificate expirations, or current administrators receive alerts regarding expiring certificates via other mechanisms.

          Business and Integration Considerations

          Requires a process to update external systems simultaneously when the Salesforce certificate is rotated to avoid a mismatch.

          Security Health Review Guidance

          Security Health Review scans the User and PermissionSet objects to verify that the PermissionsReceiveCertificateExpirationNotifications flag is assigned to active users with Admin-level access.
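One way to reproduce this check outside Security Health Review, as an added example that is not Salesforce's own code. It evaluates rows from a SOQL query against the recommended configuration and the "Higher Risk When" conditions above. The flattened row keys, the sample users and permission set names are constructed, and reading "Admin-level access" as Modify All Data on the profile is an assumption.

```python
# SOQL a reviewer could run to pull the rows. The permission field name is the
# one quoted on the page; reading "Admin-level access" as Modify All Data on the
# user's profile is an assumption of this example.
SOQL = (
    "SELECT Assignee.Username, Assignee.IsActive, "
    "Assignee.Profile.PermissionsModifyAllData, PermissionSet.Name "
    "FROM PermissionSetAssignment WHERE "
    "PermissionSet.PermissionsReceiveCertificateExpirationNotifications = true"
)
MIN_RECIPIENTS = 2  # "at least two active system administrators"

# Constructed sample rows, flattened from the query result (hypothetical users).
SAMPLE_ROWS = [
    {"Username": "alice@example.com", "IsActive": True, "IsAdmin": True, "PermissionSet": "Cert_Alerts"},
    {"Username": "alice@example.com", "IsActive": True, "IsAdmin": True, "PermissionSet": "Ops_Bundle"},
    {"Username": "bob@example.com", "IsActive": False, "IsAdmin": True, "PermissionSet": "Cert_Alerts"},
    {"Username": "carol@example.com", "IsActive": True, "IsAdmin": False, "PermissionSet": "Cert_Alerts"},
]

def evaluate(rows):
    """Return (passed, findings) for the control, given flattened rows."""
    recipients, stale, non_admin = set(), set(), set()
    for row in rows:
        # Sets deduplicate users who hold the permission via several permission sets.
        if not row["IsActive"]:
            stale.add(row["Username"])
        elif not row["IsAdmin"]:
            non_admin.add(row["Username"])
        else:
            recipients.add(row["Username"])
    findings = []
    if not rows:
        findings.append("permission is not assigned to anyone")
    findings += [f"inactive user still assigned: {u}" for u in sorted(stale)]
    findings += [f"assignee lacks admin-level access: {u}" for u in sorted(non_admin)]
    if len(recipients) < MIN_RECIPIENTS:
        findings.append(f"{len(recipients)} active admin recipient(s), need {MIN_RECIPIENTS}")
    return len(recipients) >= MIN_RECIPIENTS, findings

if __name__ == "__main__":
    passed, findings = evaluate(SAMPLE_ROWS)
    print("PASS" if passed else "FAIL")
    for finding in findings:
        print(" -", finding)
```

The query deliberately omits an `IsActive` filter so that assignments left on deactivated users show up as findings instead of being silently dropped.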

          Who Is Impacted

          Internal employees, administrators, and developers.

           