Nidish G 6

You have one or more certificates in your Salesforce org that will expire soon.

Hello All,

I have received an email from Salesforce stating "You have one or more certificates in your Salesforce org Celigo, Inc 00D30000000LHK8 that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.

   - SelfSignedCert_10Apr2020_011042, Self-Signed, expires on 4/10/2021. Warning: This certificate will expire in 30 day(s)."

What actions should I take as an Admin to check if we have used this certificate anywhere in our org?
How to check if we have used this certificate in our org?
Is this certificate used in custom domains?
What actions should be taken if this certificate is not used anywhere?

Vinay (Salesforce Developers)
Hi Nidish,

Self-signed certificates are commonly used for Single Sign-On settings (in 'Request Signing Certificate' or 'Assertion Decryption Certificate' field) or callouts to external sites (for client authentication). A certificate authority-signed (CA-signed) certificate is then used to prove that your org’s data communications are genuine.

Review below link for more details and steps.


Hope above information was helpful.

Please mark as Best Answer so that it can help others in the future.

ANUTEJ (Salesforce Developers)
Hi Nidhi,

> https://help.salesforce.com/articleView?id=000329338&type=1&mode=1

Above article has the steps you need to perform when you receive this kind of notification.

I am adding the below information for quick reference along with similar questions:

Similar questions:
>> https://developer.salesforce.com/forums/ForumsMain?id=9062I000000IVZQ
>> https://developer.salesforce.com/forums/ForumsMain?id=9062I000000Xt1X

Information for quick reference:

Are you seeing the notification for a self-signed or CA-signed certificate? The below details should help you get started:

1. The reason you have received the email was that, if any certificate was to expire in the upcoming days/months, then Salesforce has an inbuilt functionality that sends certificate expiry notifications at the 60-day mark, 30-day mark, 10-day mark and day of expiry.

2. After the certificate has expired, on the certificate and key management page, it would come up as:
"There is 1 expired certificate." - As a warning message.
"You've created 0 non-expired certificates out of a limit of 50." - As a general message.

3. You need to make the following checks to ensure the existing functionality doesn't break due to an expired certificate:

> Single Sign-On settings - Check your Single Sign-On settings (from the Setup menu) and see that you are not using the certificate over there.

> Identity Provider Settings - If you are using this certificate, logs would be generated in the "Identity Provider Event Log"

> Connected app - Open the connected app and see if the certificate is provided as any IDP certificate

> Web service callout - You need to find out if you are using this certificate within your Integration as a client certificate; if yes, then you need to share this updated certificate with your Server (3rd party integration) team so that they can replace the old certificate with the new one. Your Integration team (or Developers) would know more details on this.

> In the certificate and key management settings, check if the certificate is listed under "API client certificate". If yes, it is being used in your code somewhere.

4. Steps to renew the certificate:
Log in to the Salesforce Org > Setup > Certificate and Key Management > Click on the Create Self-Signed Certificate button > Give the Label and hit the Save button.

5. Also please follow the related article to create the new Self-Signed Certificate

CA-signed certificate:

Let me know if it helps you and close your query by marking it as solved so that it can help others in the future.
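
A local complement to the checks in step 3 above, as an added example that is not part of the original thread and is not Salesforce tooling: it searches an already-retrieved copy of the org's metadata and Apex source for whole-token references to the certificate's unique name. The folder layout, the sample files and the helper names are constructed assumptions; only the certificate name comes from the notification quoted in the question.

```python
import re
import tempfile
from pathlib import Path

CERT_NAME = "SelfSignedCert_10Apr2020_011042"  # name from the notification e-mail

# Constructed sample export (not real org metadata): relative path -> content.
SAMPLE_FILES = {
    "classes/BillingCallout.cls": "req.setClientCertificateName('SelfSignedCert_10Apr2020_011042');\n",
    "classes/Other.cls": "String n = 'SelfSignedCert_10Apr2020_011042_old';\n",
    "certs/SelfSignedCert_10Apr2020_011042.crt": "constructed placeholder\n",
    "settings/Example.xml": "<cert>SelfSignedCert_10Apr2020_011042</cert>\n",
}

def write_sample(root):
    """Materialise the constructed sample export under root."""
    for rel, text in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")

def find_cert_references(root, cert_name):
    """Return (relative_path, line_number, line) for each reference to cert_name."""
    # Whole-token match so a longer name sharing the prefix is not reported.
    token = re.compile(r"(?<![A-Za-z0-9_])" + re.escape(cert_name) + r"(?![A-Za-z0-9_])")
    hits = []
    for path in sorted(Path(root).rglob("*")):
        # Assumption: files named after the certificate are its own definition.
        if not path.is_file() or path.name.startswith(cert_name):
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for number, line in enumerate(text.splitlines(), start=1):
            if token.search(line):
                hits.append((path.relative_to(root).as_posix(), number, line.strip()))
    return hits

def demo():
    """Run the search over the constructed sample and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        write_sample(root)
        return find_cert_references(root, CERT_NAME)

if __name__ == "__main__":
    for rel, number, line in demo():
        print(f"{rel}:{number}: {line}")
```

An empty result only covers what was retrieved locally; the Setup pages listed in step 3 still need to be checked in the org itself.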