Salesforce Certificate Lifespan Changes Explained


Changes are coming to Salesforce that require your attention. If ignored, you risk your external systems failing to connect to Salesforce, potentially causing downtime for your integrations or custom sites.

What is a Certificate?

Certificates are the digital “passports” of the internet. They prove that your Salesforce org is who it says it is. Within Salesforce, certificates are used for:

  • Encryption and Authentication: Securing the “handshake” between Salesforce and external systems.
  • Single Sign-On (SSO): Authenticating users logging in via external identity providers.
  • Custom Domains: Serving a branded URL (like help.yourcompany.com) for an Experience Cloud site.

What is Changing?

Historically, the industry standard for a certificate’s lifespan was roughly one year (398 days). However, to increase global security, the CA/Browser Forum is mandating much shorter lifespans. Salesforce is following a phased approach for all new certificates, with the maximum lifespan determined by the certificate’s creation date:

  • Now: ~13 months (398 days)
  • March 2026: ~6.5 months (200 days)
  • March 2027: ~3 months (100 days)
  • March 2029: ~1.5 months (47 days)

Note: These rules only apply to CA-signed certificates (those signed by authorities like DigiCert). Self-signed certificates—often used for internal SSO or private integrations—are exempt from this specific change.

Why Does This Matter to You?

The biggest impact is renewal frequency. By 2029, you will be renewing your certificates roughly 8 times a year instead of just once. If you manage these manually via spreadsheets or calendar invites, the risk of an “oops, I forgot” outage increases significantly.

Your Admin Action Plan

Here is how to prepare your org today:

1. Audit Your “Certificate and Key Management”

Navigate to Setup > Certificate and Key Management. Look at the “Expiration” column. Identify which certificates are CA-signed and note their current expiration dates. These aren’t changing yet, but they represent your future workload.

2. Enable “Safety Net” Notifications

Don’t rely on your memory. Salesforce can alert you when a certificate is nearing its end. Assign the “Expired Certificate Notification” permission to yourself and at least one other Admin, and Salesforce will automatically remind you when certificates are nearing expiry.

3. Start the “Automation” Conversation

As we move toward a 47-day lifespan, manual updates will become unsustainable.

  • For Experience Cloud: Look into serving your custom domain with the Salesforce CDN, which will automatically manage the certificates for you.
  • For Integrations: Speak with your IT or Security team about automated Certificate Lifecycle Management (CLM) tools that can interface with Salesforce via API.
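
To size the workload the audit in step 1 uncovers, the phased schedule can be applied to the expiration dates you noted. This is an added example, not Salesforce code: the inventory is constructed, the function names are hypothetical, and the 1st-of-month cutover and 14-day renewal lead are assumptions.

```python
from datetime import date, timedelta

# Schedule from the article: (effective date, max lifetime in days). The article
# gives only the month; the 1st of the month is an assumption made here.
PHASES = [(date(2026, 3, 1), 200), (date(2027, 3, 1), 100), (date(2029, 3, 1), 47)]
CURRENT_MAX_DAYS = 398


def max_lifetime_days(created: date) -> int:
    """Maximum lifetime of a CA-signed certificate created on `created`."""
    days = CURRENT_MAX_DAYS
    for effective, limit in PHASES:
        if created >= effective:
            days = limit
    return days


def renewal_dates(expires: date, horizon: date, lead_days: int = 14) -> list[date]:
    """Dates up to `horizon` on which the certificate must be re-issued.

    Assumes each renewal happens `lead_days` before expiry and the replacement
    gets the full lifetime allowed on the day it is created.
    """
    if not 0 <= lead_days < min(limit for _, limit in PHASES):
        raise ValueError("lead_days must be shorter than the shortest lifetime")
    renewals = []
    renew_on = expires - timedelta(days=lead_days)
    while renew_on <= horizon:
        renewals.append(renew_on)
        expires = renew_on + timedelta(days=max_lifetime_days(renew_on))
        renew_on = expires - timedelta(days=lead_days)
    return renewals


def forecast(inventory: list[dict], horizon: date) -> dict[str, list[date]]:
    """Renewal dates per CA-signed certificate; self-signed ones are skipped
    because the schedule does not apply to them."""
    return {c["name"]: renewal_dates(c["expires"], horizon)
            for c in inventory if c["ca_signed"]}


# Constructed sample inventory, as noted from the "Expiration" column.
INVENTORY = [
    {"name": "help_site_tls", "ca_signed": True, "expires": date(2026, 6, 1)},
    {"name": "internal_sso", "ca_signed": False, "expires": date(2027, 1, 10)},
]

if __name__ == "__main__":
    for name, dates in forecast(INVENTORY, date(2029, 12, 31)).items():
        print(name, len(dates), "renewals before 2030")
```

Renewing ahead of expiry shortens each cycle below the nominal lifetime, so the forecast count is higher than dividing the period by 398, 200, 100 or 47 days would suggest.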

Conclusion

The transition to shorter certificate lifespans is a fundamental shift in how we maintain secure orgs. By auditing your certificates now and enabling proactive notifications, you’ll ensure your connections stay secure and your “handshakes” stay firm.
