Paul Tangusso

Certificate Expiration - How to Find / Handle?

Hi All.
We received the following (see below) certificate expiration notice but when I look for this in our Certificate and Key Management section, within Setup, I am NOT able to find any such certificate with this Expiration Date.  Should I be looking elsewhere?  
Thank you for your time and advice.

"You have one or more certificates in your Salesforce org Navin, Haffty & Associates 00D2E000000no3I that will expire soon. Review the list below and visit Certificate and Key Management from Setup to make an update.

- SelfSignedCert_15Apr2019_184313, Self-Signed, expires on 4/15/2020. Warning: This certificate will expire in 30 day(s)."
Anudeep (Salesforce Developers)
Hi Paul, 

Self-signed certificates are automatically created when Salesforce as Identity Provider feature is enabled. This feature requires a certificate to be connected for the feature to be enabled. If you have no records under the "Service Provider" section, you are not using the feature.

These self-signed certificates can possibly be used as

a) 'Request Signing Certificate' in 'SAML Single Sign-On Settings'
b) under 'Identity Provider' as Identity Provider certificate
c) client certificate in 2-way SSL in apex callouts

For a), i.e. Single Sign-On settings, you need to review your SAML single sign-on settings and check if this certificate is being used or not.

For b), i.e. Identity Provider (Setup | Identity Provider), you need to check if you have any records under the "Service Provider" section. If there are no records, you are not using the feature. Request you to kindly review your connected apps to confirm this (more information below).

For c) Apex callouts, log in to your org and see if you have anything under Setup >> Remote Site Settings. If you do not see anything, there should not be any Apex that is using this.

One quick way to verify this is to see if any of your Apex code has the following code:

stub.clientCertName_x = 'Certificate_Name';

OR

httpReq.setClientCertificateName('Certificate_Name');

There is a public facing article explaining how to handle expiring certificate notifications if you want to learn more

https://help.salesforce.com/articleView?id=000231048&type=1

To summarize depending on your situation, the expired certificate must be replaced in the following places to fix this

1. Single Sign On settings (Confirm that expiring certificate is not being used here)
2. Connected apps(Review your connected apps to see if are using the expiring certificate anywhere)
3. IDP (Check with your IDP to see if they are using this certificate anywhere)

When you are reviewing your connected apps, check for SAML-enabled connected apps. If you don't have any connected apps that are using this certificate, we should be good.

Once you confirm that your org is not using the Identity Provider feature, you can go ahead and disable the Identity Provider feature and you will be able to delete the certificate from the org. If you choose to disable the option of using Salesforce as an Identity Provider entirely, this will remove the need for the certificate and prevent future expiration messages.

Make sure you are looking at the Certificate and Key Management section in the org with Id 00D2E000000no3I (note: the org Id changes if the org is refreshed). If you are still unable to locate the certificate, please raise a case with Salesforce support.
 
Kindly let me know if it helps you and close your query by marking it as solved so that it can help others in the future. Thank you!

Anudeep
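One way to do the Apex check above across an exported source tree, as an added example that is not from the original post or from Salesforce: it looks for both forms quoted in the reply (the SOAP stub's clientCertName_x and HttpRequest.setClientCertificateName), skips commented-out lines, and also flags call sites where the certificate name is passed as a variable rather than a literal, since those have to be traced by hand. The sample classes it scans are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Literal certificate label passed to either API form quoted in the reply above.
LITERAL_RE = re.compile(
    r"(?:clientCertName_x\s*=\s*|setClientCertificateName\s*\(\s*)'([^']+)'")
# Same APIs with a non-literal argument: the label is not visible in source,
# so those call sites need a manual look.
DYNAMIC_RE = re.compile(
    r"(?:clientCertName_x\s*=\s*|setClientCertificateName\s*\(\s*)([A-Za-z_][\w.]*)\s*[;)]")

def scan_apex(root):
    """Return (literal, dynamic): label -> ['file:line', ...], and ['file:line', ...]."""
    literal, dynamic = {}, []
    files = sorted(Path(root).rglob("*.cls")) + sorted(Path(root).rglob("*.trigger"))
    for path in files:
        for lineno, line in enumerate(path.read_text(encoding="utf-8").splitlines(), 1):
            if line.lstrip().startswith("//"):
                continue  # commented-out call sites are not live usage
            for m in LITERAL_RE.finditer(line):
                literal.setdefault(m.group(1), []).append(f"{path.name}:{lineno}")
            if DYNAMIC_RE.search(line):
                dynamic.append(f"{path.name}:{lineno}")
    return literal, dynamic

# Constructed sample classes (hypothetical, not code from any real org).
SAMPLES = {
    "PartnerSoapClient.cls": (
        "public class PartnerSoapClient {\n"
        "    public void send() {\n"
        "        partnerWs.Port stub = new partnerWs.Port();\n"
        "        stub.clientCertName_x = 'SelfSignedCert_15Apr2019_184313';\n    }\n}\n"),
    "RestClient.cls": (
        "public class RestClient {\n"
        "    public HttpRequest build(String certLabel) {\n"
        "        HttpRequest httpReq = new HttpRequest();\n"
        "        // httpReq.setClientCertificateName('OldCert');\n"
        "        httpReq.setClientCertificateName(certLabel);\n        return httpReq;\n    }\n}\n"),
    "NoCallout.cls": "public class NoCallout { }\n",
}

def demo(label="SelfSignedCert_15Apr2019_184313"):
    """Write the samples to a temp dir, scan them, and report whether `label` is referenced."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLES.items():
            Path(d, name).write_text(body, encoding="utf-8")
        literal, dynamic = scan_apex(d)
    return literal, dynamic, label in literal
```

Point `scan_apex` at a Metadata API or SFDX retrieve of your classes and triggers; anything in the `dynamic` list still needs to be traced to a custom setting or metadata record before concluding the certificate is unused.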
Paul Tangusso
Hi Anudeep.
 
Thank you kindly for the detailed reply - much appreciated. 

I will need to review all of the areas you have referenced. As mentioned previously, I have logged into all three of our orgs (Partial and Full Sandbox and Production) and none of these match the org Id referenced.  It is not clear to me if Salesforce would send this notice only for a Production org or would it also generate the notice for Sandbox orgs as well - only Sandbox orgs would have been refreshed? 

I took a look at our SAML settings and can confirm that SAML is NOT enabled (not used). 

Our Identity Provider settings show a single certificate but that certificate expires on 6/28/20 - not 4/5/20 as the notice references. 

We also appear to NOT have any SAML enabled connected apps.  

So, not sure how to interpret the notice received since some of the features you mentioned are not enabled in our orgs and, where there is a certificate, it has a totally different expiration date.  In addition, none of our orgs contain the id referenced in the notice and if it references a refreshed Sandbox org then I'm not sure I need to pay attention to it since our Sandbox orgs have limited use.

Not sure, based on my response, if you have any additional comments.  

Thank you again for your time and assistance.

Paul 
Anudeep (Salesforce Developers)
Hi Paul, 

It appears you are receiving the certificate expiring error message from your org with Id 00D2E000000no3I, which is on the NA91 instance.

User-added image

There is a self-signed certificate "SelfSignedCert_15Apr2019_184313" that is going to expire in 27 days from now - 4/15/2020.

Self-signed certificates can be used in the below places:

1> Single Sign-On settings - You do not have any SAML Single Sign-On setting so you are not using the self-signed certificate over here

2> Identity Provider Setting - I see that you are using this self-signed certificate over here, so you can replace it with the new certificate once it is created

3> Connected app - I see that you do not have any connected apps so there is no usage of certificate here

4> Web service callout - You need to find out if you are using this certificate within your Integration as client certificate; if yes, then you need to share this updated certificate with your Server(3rd party integration) team. Your Integration team(or Developers) would know more details on this.


You can follow the below steps in order to resolve the Salesforce expired certificate issue :
===========================================================================================

1. Go to Setup, and type “Certificate and Key Management” in the Quick Find search box.
2. In “Certificate and Key Management”, click on the “Create Self-Signed Certificate” button
3. Create a unique label for the certificate, leave 2048 as the default for Key Size, and Save
4. Go to Setup, and type “Identity Provider” in the “QuickFind Search Box”.
5. Click on the “Edit” button in the Identity Provider page
6. Select the new self-signed certificate from the drop down and Save.
7. Go to Setup, and type “Certificate and Key Management” in the “QuickFind Search Box”.
8. Delete the old certificate. If you don't find the delete button enabled, please check all the above-mentioned components to replace with the new certificate.

Create new self-signed certificate : https://help.salesforce.com/apex/HTViewHelpDoc?id=security_keys_creating.htm&language=en_GB

Kindly let me know if it helps you and close your query by marking it as solved so that it can help others in the future. Thank you!

Anudeep

 
Thomas DeSelms 7
Has anybody experienced the "Create Self-Signed Certificate" button being grayed out and not responsive? This is a new one for me that is urgent and I can't find any answers online.
User-added image
Paul Tangusso
Hi Thomas.  Sorry - I have not encountered that issue.  Hopefully someone in the community will be able to provide a helpful answer.  Best of luck.
Heidi Brose 19
I'm having the same greyed out issue.  Any luck finding an answer? 
Paul Tangusso
Hi Heidi.  Thank you for the inquiry. I have not located this Org but it was suggested, which I am assuming is correct, that this is related to a Salesforce Trailhead org that I might have used in the past for which I do not recall how to reference or log into. At this point I'm taking a no harm no foul approach since the cert referenced has since expired with no impact to my Production or Sandbox orgs (at least not to my knowledge).  Once again I don't expect any impact since this is not one of our current orgs.  Hope this helps.  Paul