Certificates in Salesforce
Understand how certificates are used in Salesforce and how they expire. To prevent disruption and potential downtime, replace your certificates before they expire. An expired certificate makes processes that reference it untrustworthy, which can lead to outages.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: all editions |
Certificate Compliance and Expiration
Salesforce complies with the guidance of the Certification Authority Browser Forum (CA/Browser Forum), the organization that sets most of the rules for the Web Public Key Infrastructure (WebPKI). Salesforce adheres to their Transport Layer Security (TLS) Server Baseline Requirements, which change regularly. These requirements are outside of Salesforce's control, and all certificate vendors are bound by the rules of the CA/Browser Forum.
The CA/BF has implemented a phased approach to shortening the maximum allowed certificate lifespan.
- Until March 15, 2026, the maximum lifespan is 398 days.
- As of March 15, 2026, the maximum lifespan is 200 days.
- As of March 15, 2027, the maximum lifespan is 100 days.
- As of March 15, 2029, the maximum lifespan is 47 days.
These maximum lifespans apply at the time of certificate creation. For example, the latest possible expiration date of a TLS certificate created on June 1, 2025 is July 4, 2026. But the latest possible expiration date of a TLS certificate created on June 1, 2026 is December 18, 2026.
Because Salesforce complies with the guidance of the Certification Authority Browser Forum (CA/Browser Forum), these maximum TLS certificate lifespans apply to certificates created in Salesforce.
Currently, when you create a certificate in Salesforce, that certificate expires after one year. Watch the Salesforce release notes for the timing of when the maximum lifespan of a new TLS certificate changes.
To receive notifications about upcoming expirations for certificates stored in your org, assign the Expired Certificate Notification permission to specific admins. See Set Expired Certificate Notification Permission. Those notifications apply to certificates that are stored in your org, not Salesforce TLS certificates.
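The schedule above can be turned into an automated check for the certificates stored in your org. The following is an added example, not Salesforce code: it applies the phased CA/Browser Forum maximums to each certificate's creation date, flags any certificate whose validity period exceeds the maximum in force when it was created, and warns about certificates expiring within a configurable lead time. The certificate inventory is constructed sample data, and the 45-day default lead time is an assumption borrowed from the rotation cadence Salesforce describes for its own certificates; choose the lead time that fits your change process.

```python
"""Certificate lifespan and expiry check against the CA/Browser Forum schedule.

Added example (not Salesforce's code). Certificate records below are constructed
sample data, not real certificates.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Phased maximums from the schedule above: (effective date, max lifespan in days).
# The maximum that applies is the one in force on the certificate's creation date.
LIFESPAN_SCHEDULE = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
LIFESPAN_BEFORE_SCHEDULE = 398  # days, for certificates created before March 15, 2026


def max_lifespan_days(created: date) -> int:
    """Maximum allowed validity in days for a certificate created on `created`."""
    allowed = LIFESPAN_BEFORE_SCHEDULE
    for effective, days in LIFESPAN_SCHEDULE:
        if created >= effective:
            allowed = days
    return allowed


def latest_expiration(created: date) -> date:
    """Latest possible expiration date for a certificate created on `created`."""
    return created + timedelta(days=max_lifespan_days(created))


@dataclass(frozen=True)
class CertRecord:
    label: str
    not_before: date  # creation date
    not_after: date   # expiration date


def check_certificate(cert: CertRecord, today: date, warn_days: int = 45) -> list[str]:
    """Return findings for one certificate; an empty list means no action is needed.

    warn_days is an assumed default (the lead time Salesforce uses for its own
    rotation); tune it to your org's change process.
    """
    findings: list[str] = []
    lifespan = (cert.not_after - cert.not_before).days
    allowed = max_lifespan_days(cert.not_before)
    if lifespan > allowed:
        findings.append(
            f"lifespan {lifespan}d exceeds the {allowed}d maximum in force on {cert.not_before}"
        )
    remaining = (cert.not_after - today).days
    if remaining < 0:
        findings.append(f"expired {-remaining}d ago")
    elif remaining <= warn_days:
        findings.append(f"expires in {remaining}d; rotate now")
    return findings


def expiry_report(certs: list[CertRecord], today: date, warn_days: int = 45) -> dict[str, list[str]]:
    """Map each certificate label to its list of findings."""
    return {c.label: check_certificate(c, today, warn_days) for c in certs}


# Constructed sample inventory (hypothetical labels and dates).
SAMPLE_CERTS = [
    CertRecord("sso_signing", date(2025, 6, 1), date(2026, 7, 4)),     # exactly at the 398-day limit
    CertRecord("mtls_client", date(2026, 6, 1), date(2027, 6, 1)),     # 365 days, over the 200-day limit
    CertRecord("custom_domain", date(2026, 1, 10), date(2026, 4, 20)),  # valid, but expiring soon
    CertRecord("legacy_api", date(2025, 1, 1), date(2026, 1, 1)),      # already expired
]

if __name__ == "__main__":
    for label, findings in expiry_report(SAMPLE_CERTS, today=date(2026, 3, 20)).items():
        print(f"{label}: {'; '.join(findings) if findings else 'ok'}")
```

Run it daily against an export of your org's certificates and route non-empty findings to the admins who hold the Expired Certificate Notification permission. The lifespan check matters because a certificate issued after a schedule boundary with the old one-year validity is no longer compliant, even though it has not yet expired.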
Salesforce Certificates
To deliver a trustworthy experience, Salesforce uses High Availability (HA), Disaster Recovery (DR), load balancing, and auto-scaling technologies. This approach means that certificates are ordered and provisioned as needed. Hyperforce services already implement this strategy.
Salesforce typically rotates the certificates it provides at least 45 days before they expire, though a certificate might be rotated by the platform sooner.
Salesforce Features that Use Certificates
In Salesforce, certificates are used for encryption in transit, for certificate-based authentication, and for some single sign-on options. You can also use a certificate that you own to serve a custom domain. If you use these features, prepare to update the related certificates according to the new cadence, as your certificate vendor is also bound by the CA/BF rules.
If you use a certificate stored in Salesforce to serve your custom domain, consider updating your custom domain to use the Salesforce CDN or a third-party CDN or service that manages certificates. The Salesforce CDN is available only for custom domains that serve an Experience Cloud site. Both configuration options reduce your effort to manage certificates with shorter lifespans.
TLS Certificate Cryptography
All certificates that Salesforce uses for TLS have these properties.
- Key parameter: RSA 2048 bit, RSA 3072 bit, RSA 4096 bit, ECDSA P-256 curve, ECDSA P-384 curve, or ECDSA P-521 curve
- Signature algorithm: SHA256, SHA384, or SHA512
Create the Required Root Certificate Pinset
The certificates Salesforce issues are intended for use with TLS. Salesforce guarantees that our issued certificates chain to a root certificate authority (CA) on the Mozilla Server Authentication (SSL/TLS) Root Certificates List. To support TLS in Salesforce, create a pinset that contains all those root CAs.
Don't Pin Other Certificates
Certificate pinning is the practice of trusting only a specific certificate, or set of certificates, that aren't root CAs. Pinning is an outdated security practice that adds operational complexity, can cause outages when the pinned certificate expires, and can cause outages when you use a new certificate that's not part of the pinset. Outage risks increase as the maximum lifespan for a TLS certificate decreases.
In line with OWASP’s guidance on Certificate and Public Key Pinning, Salesforce strongly recommends against certificate pinning.
Certificate pinning isn’t supported in Hyperforce or for Marketing Cloud Engagement customers. And if you pin the authentication certificate for the Salesforce mobile app, users can’t log in after a certificate is rotated until you update the app or the user reinstalls the app.
Although Salesforce strongly advises against certificate pinning, we recognize that some customers pin certificates for orgs in first-party (1P) data centers. For those customers, Salesforce announces upcoming certificate changes only for production orgs in 1P data centers. If your org isn’t on Hyperforce yet, you can receive those notifications via the Certificate Changes Trailblazer Community group. If you pin certificates, we encourage you to stop that practice as soon as possible.
Automate Certificate Rotation
To create and update self-signed and Certificate Authority (CA)-signed certificates in Salesforce, use the Certificate Metadata API type.