SSL Certificate Expiration Warning in Salesforce

Publish Date: Apr 2, 2026
Description

Overview

Salesforce uses SSL certificates to secure data communications, authenticate users via Single Sign-On (SSO), and establish trusted connections with external systems. When these certificates approach their expiration date, Salesforce sends automatic email notifications to relevant administrators to prevent service disruptions.

Why You Receive Certificate Expiration Notifications

Salesforce sends certificate expiration notifications to prevent service disruptions, such as inability to access custom domains or SSO (Single Sign-On) authentication failures. SSO is an authentication method that allows users to access Salesforce using credentials from an external identity provider. These notifications help administrators maintain uninterrupted service by replacing certificates before they expire.

What Is a Certificate Authority (CA)?

A Certificate Authority (CA) is a trusted entity that issues digital certificates to verify the authenticity of secure communications. In Salesforce, CAs play a key role in ensuring secure, encrypted connections between clients, integrations, and Salesforce services.

Notification Schedule

Certificate expiration notifications are sent at the following intervals:

  • 60 days before expiry
  • 30 days before expiry
  • 10 days before expiry
  • Day of expiry

Who Receives Notifications

Notifications are sent to users with the following Salesforce permissions:

  • Modify All Data permission
  • View Setup and Configuration profile permission
  • All System Administrators

Note: Restricting certificate expiration notification emails to specific users is currently an Idea on the Salesforce IdeaExchange. See "Limit Who Receives Notifications About Certificate Expiration" for the latest update.

Resolution

Resolution Overview

Self-signed certificates are commonly used for Single Sign-On (SSO) settings in the 'Request Signing Certificate' or 'Assertion Decryption Certificate' field, or for callouts to external sites for client authentication. A CA-signed (Certificate Authority-signed) certificate is used to prove that your org's data communications are genuine.

If you receive this notification, open the Salesforce org mentioned and navigate to Setup | Security | Certificate and Key Management. The certificate name in this list matches the name provided in the notification.

Step 1: Identify Where the Certificate Is Used

Before replacing the certificate, identify where it is currently being used in your Salesforce org:

  1. Navigate to Setup
  2. In Quick Find, search for Certificate and Key Management and click the result
  3. Click on the name of the certificate in question
  4. If the Delete button is greyed out, the certificate is currently in use. Hover over the Delete button to see where it is being used

Step 2: Replace the Certificate Based on Its Usage

Depending on how the expiring certificate is used in your Salesforce org, follow the appropriate steps below:

Single Sign-On (SSO)

The certificate may be used as the "Request Signing Certificate" for an SSO setting. Follow these steps to resolve:

  1. Review "How to Remove Expired Self-Signed Certificate" (YouTube video)
  2. Generate a new certificate using Generate a Self-Signed Certificate
  3. Update the SSO setting to reference the new certificate

Connected Apps

The certificate may be used in a Connected App configuration, such as for OAuth SSO setup. Update the Connected App to use a new, valid certificate. See the Trailhead example for guidance.

Identity Provider

The Identity Provider feature was enabled by default in many Salesforce orgs, which automatically creates a self-signed certificate. Choose the action that matches your use of the feature:

  • If you are not actively using the Identity Provider feature, consider deactivating it to avoid maintaining this certificate going forward
  • If you are using the Identity Provider feature, replace the certificate with a new one and update the Identity Provider settings

Apex Callouts (External HTTP Callouts)

If the certificate is used for callouts to external sites via custom Apex code:

  • For 2-Way SSL callouts: Review and update the certificate details in the Apex code. See Using Certificate for details on implementing 2-Way SSL.
  • For non-2-Way SSL callouts: Certificates within the org are not used, so no action is required.
  • If unsure: Retrieve the Apex code from your org and search for the name of the expiring certificate to identify usages.
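
The search described in the last bullet can be scripted once the Apex source has been retrieved to a local directory. The following is an added example, not Salesforce's own tooling: it looks for the two Apex constructs that attach a client certificate to a callout (HttpRequest.setClientCertificateName and the clientCertName_x field on generated SOAP stubs) and for any other string literal carrying the name. The certificate name Expiring_Cert, the file names, and the case-insensitive matching are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Apex constructs that bind a callout to an org certificate by its unique name.
BINDINGS = {
    "HttpRequest.setClientCertificateName": re.compile(
        r"setClientCertificateName\s*\(\s*'([^']*)'", re.I),
    "SOAP stub clientCertName_x": re.compile(
        r"clientCertName_x\s*=\s*'([^']*)'", re.I),
}

def find_cert_usages(source_root, cert_name):
    """Return (file, line_no, kind) for each Apex line naming cert_name."""
    literal = re.compile("'" + re.escape(cert_name) + "'", re.I)
    hits = []
    for path in sorted(Path(source_root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".cls", ".trigger"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            kind = None
            for label, rx in BINDINGS.items():
                m = rx.search(line)
                if m and m.group(1).lower() == cert_name.lower():
                    kind = label
            if kind is None and literal.search(line):
                kind = "other string literal"  # e.g. name held in a variable
            if kind:
                hits.append((path.name, no, kind))
    return hits

def demo():
    """Search constructed Apex fragments (not from a real org) in a temp dir."""
    samples = {
        "PartnerCallout.cls": [
            "HttpRequest req = new HttpRequest();",
            "req.setEndpoint('https://partner.example.com/api');",
            "req.setClientCertificateName('Expiring_Cert');"],
        "LegacySoap.cls": [
            "stub.clientCertName_x = 'Other_Cert';  // different certificate",
            "String fallback = 'expiring_cert';     // same name, other case"],
    }
    with tempfile.TemporaryDirectory() as root:
        for name, lines in samples.items():
            Path(root, name).write_text("\n".join(lines), encoding="utf-8")
        return find_cert_usages(root, "Expiring_Cert")

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Hits reported as "other string literal" need a manual look, since the name may be passed to a callout indirectly through a variable or custom setting.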

Step 3: Delete the Expired Certificate (If No Longer Needed)

Once the expiring certificate has been replaced in all locations, the old certificate should show a Del link next to its name in Certificate and Key Management. Click this link to delete the expired certificate.

Related Articles: 

Salesforce Identity Provider Feature
Generate a Self-Signed Certificate
Generate a Certificate Signed by a Certificate Authority 
Limit Who Receives Notifications About Certificate Expiration

Salesforce Support YouTube video

How to Remove Expired Self-Signed Certificate

 

Knowledge Article Number

000385781

 