“Error: Certificates in your Salesforce org will expire soon”. Have you received this email and are not sure what it means? Are you wondering what will happen if you do nothing? Or perhaps you have simply treated it as spam and forgotten about it, or ignored it for so long that something has stopped working?
Firstly, there is no need to panic! Salesforce certificates and key pairs are used to sign requests so that the receiving party can verify they came from your org. They are used for authenticated SSL communications with an external website, or when your org acts as an Identity Provider for one or more service providers. Therefore, you only need to generate a Salesforce certificate and key pair if you are working with an external website that needs to verify that a request is coming from a Salesforce organisation.
Generally, this is a straightforward update. If the app that a certificate was created for is no longer in use, delete the certificate. Likewise, if your org is not using the Identity Provider feature, its certificate (which is supplied by default to all orgs) can safely be deleted. Otherwise, you will need to create a new certificate and update any apps that rely on the key.
In this blog, we will discuss Identity Provider certificate notifications, as this is the most common question we get asked. We will concentrate on the steps to create a new certificate, how to update the app that uses it, and how to delete a certificate you no longer use.
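You do not have to wait for the email to know which certificates need attention. The following is an added example (not code from the original post or from Salesforce) that assumes certificate records in the Metadata API's Certificate XML shape; the two sample records are constructed, and it flags anything expired, expiring within 30 days, exportable, or below the default key size:

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
WARN_DAYS = 30  # how far ahead we flag expiry; this threshold is our own choice

# Constructed sample records in the Metadata API 'Certificate' shape (assumed format),
# named per the post's suggested convention: certificate type plus expiry month/year.
SAMPLE_CERTS = {
    "IdP_Cert_Jan2025": """<Certificate xmlns="http://soap.sforce.com/2006/04/metadata">
  <caSigned>false</caSigned><expirationDate>2025-01-15T00:00:00.000Z</expirationDate>
  <keySize>2048</keySize><masterLabel>Identity Provider Cert Jan 2025</masterLabel>
  <privateKeyExportable>false</privateKeyExportable></Certificate>""",
    "IdP_Cert_Dec2025": """<Certificate xmlns="http://soap.sforce.com/2006/04/metadata">
  <caSigned>false</caSigned><expirationDate>2025-12-31T00:00:00.000Z</expirationDate>
  <keySize>2048</keySize><masterLabel>Identity Provider Cert Dec 2025</masterLabel>
  <privateKeyExportable>true</privateKeyExportable></Certificate>""",
}

def parse_certificate(name: str, xml_text: str, today: datetime) -> dict:
    """Parse one Certificate record; days_left goes negative once it has expired."""
    root = ET.fromstring(xml_text)
    text = lambda tag: root.findtext(f"m:{tag}", namespaces=NS)
    expires = datetime.strptime(text("expirationDate"), "%Y-%m-%dT%H:%M:%S.%fZ")
    expires = expires.replace(tzinfo=timezone.utc)  # the trailing 'Z' means UTC
    return {
        "name": name,
        "label": text("masterLabel") or name,
        "days_left": (expires - today).days,
        "key_size": int(text("keySize")),
        "exportable": text("privateKeyExportable") == "true",
    }

def audit(certs: dict, today: datetime, warn_days: int = WARN_DAYS) -> dict:
    """Return {name: [findings]} for certificates that need attention before the email arrives."""
    report = {}
    for name, xml_text in certs.items():
        c = parse_certificate(name, xml_text, today)
        findings = []
        if c["days_left"] < 0:
            findings.append("expired")
        elif c["days_left"] <= warn_days:
            findings.append("expiring soon")
        if c["exportable"]:          # the post recommends leaving export disabled
            findings.append("exportable key")
        if c["key_size"] < 2048:     # and keeping the default key size
            findings.append("weak key")
        if findings:
            report[name] = findings
    return report
```

Point it at the XML retrieved from your own org and pass `datetime.now(timezone.utc)` as `today` to get a list of certificates to renew or delete.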
Create a New Certificate and Update App in your Salesforce org
Step 1: Find Certificate
Multiple users may receive the email notification. However, System Administrator permissions are required to update or remove certificates. From Setup:
- Search ‘certificate’ in the Quick Find box. Alternatively, locate the ‘Security’ folder. Select the ‘Certificate and Key Management’ option.
- Click on ‘Certificate and Key Management’.
- Click on the Label name. This opens the details of the Certificate and Key.
Step 2: Create new Certificate
- Copy the Label information of the certificate which is expiring (or has expired) on the Certificate and Key Detail screen.
- Next, go back to the Certificate and Key Management page and click ‘Create Self-Signed Certificate’.
- Paste the old Label name and update it, following a similar naming convention to the expiring certificate's label (for example, the type of certificate and the day, month and year of expiry). The Unique Name should auto-populate; it can only contain underscores and alphanumeric characters. You can also choose whether the key can be exported and set the key size (we recommend leaving these at their defaults).
Once completed, click the Save button.
Step 3: Update the Appropriate App with the New Certificate
- Type ‘Identity’ in the Quick Find box to update the ‘Identity Provider’ settings.
- Click on ‘Identity Provider’. You will see that the expired certificate is in use under ‘Currently Chosen Certificate Details’.
- Select ‘Edit’. From the drop-down list select the certificate you have just created. Then click Save.
- You will see this has updated to the new certificate.
Step 4: Delete the Previous Certificate
Firstly, head back to step 1 and navigate to the ‘Certificate and Key Management’ screen. The delete option is now available; delete the old certificate. This is an important step: it ensures no further email notifications for this certificate are sent.
Delete an Expiring Certificate in your Salesforce org
If the app for which a certificate was created is no longer needed, you can delete the certificate.
Step 1: Find the Expired Self-Signed Certificate
- Search ‘certificate’ in the Quick Find box. Alternatively, locate the ‘Security’ folder and select the ‘Certificate and Key Management’ option.
- Click on ‘Certificate and Key Management’. Find the Self-Signed certificate you want to delete. If there is no ‘Del’ option, click on the certificate label name.
- Hover the mouse over the Delete button. A message box will appear saying that this certificate is in use by your Identity Provider, which is why it cannot be deleted yet.
Step 2: Find the Identity Provider
- Click on ‘Setup’. In the Quick Find box type ‘Identity’. Click on ‘Identity Provider’.
- Double check that the ‘Identity Provider Label’ name matches that of your Certificate name.
- Check whether any Service Providers are using this certificate by scrolling to the bottom. It should say ‘No Service Providers’, which indicates you are not using the Single Sign-On certificate feature.
- Disable the Identity Provider. Note: if users log into a provider via Salesforce and you disable the Identity Provider, they will need their username and password to log into those providers.
Step 3: Delete the Certificate
- Go back to the certificate: go to ‘Setup’, type ‘Certificate’ in the Quick Find box, and click on the self-signed certificate you want to delete. The Delete button will now be available.
- The certificate is now deleted and you will no longer receive email notifications.
If you need any more help, remember you can always get in touch!