When you receive an email from Salesforce telling you a certificate is about to expire, the communication identifies the instance concerned both in the email subject (Sandbox is mentioned) and in the email body.
Here are the actions Salesforce asks you to take (copied from Salesforce's kind reminder):
1. In Setup, on the Certificate and Key Management page, download the expiring certificate. Save it in case you require access to its key in the future.
2. Generate a new self-signed or CA-signed certificate.
3. Update connections to external sites or other services with your new certificate.
4. When your new certificate is tested and in use, delete the old certificate.
About the certificate backup, do not hesitate to create a directory in your company’s SharePoint, just to avoid losing track of them. You should normally never use these backups, but you never know 🙂
First, you have to create a brand new self-signed certificate. To do so, go to Setup > Certificate and Key Management > Create Self-Signed Certificate.
You then need to update all connected apps or SSO settings that were using the ‘soon to be expired’ self-signed certificate, to make them use the newly created one.
Once done, go to Setup > Certificate and Key Management, navigate to the ‘soon to be expired’ self-signed certificate, and delete it… or at least try to do so 😉
Just hover your cursor over the Delete button, which is grayed out, and you will know where your certificate is still used. As you can see in the screenshot below, the contextual information shows the place where the certificate is still used.
Here, we can see that we forgot to reconfigure an SSO setting using this ‘soon to be expired’ certificate.
In this case, navigate to your Single Sign-On settings in your instance setup, edit your SSO configuration, check the Request Signing Certificate, and update it to the most recent certificate.
The certificate can now be deleted (the button is no longer grayed out):
I would suggest not deleting your certificate right after this operation, but waiting for a week, or at least a couple of business days, to be sure there has been no impact, before finally deleting it.
Do not forget to:
- test your SSO login before ending your task!
- monitor the Identity Provider Event Log (in Setup) to validate that the certificate update has not generated any issue.
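To complement the backup folder and the wait-before-deleting advice above, here is an added example (not from Salesforce or from the original article) that audits a folder of downloaded certificates with `openssl`, reporting each file's status, expiry date and SHA-256 fingerprint so you can compare it with what an external service has on file. It assumes the downloads are PEM-encoded `.crt` files; the function names, the folder layout and the `make_sample` test data are illustrative.

```shell
#!/bin/sh
# Added example: audit certificates downloaded from Setup > Certificate and
# Key Management. Assumption: they are PEM-encoded *.crt files in one folder.

# cert_status FILE DAYS -> UNREADABLE | EXPIRED | EXPIRING | OK
cert_status() {
    # Reject unparsable files first so a corrupt backup is not reported as expired.
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# cert_fingerprint FILE -> colon-separated SHA-256 fingerprint
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# audit_dir DIR DAYS: one tab-separated line per certificate; returns 1 if any is not OK.
audit_dir() {
    rc=0
    for f in "$1"/*.crt; do
        [ -e "$f" ] || continue
        st=$(cert_status "$f" "$2")
        [ "$st" = OK ] || rc=1
        if [ "$st" = UNREADABLE ]; then
            printf '%s\t-\t-\t%s\n' "$st" "$f"
        else
            end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
            printf '%s\t%s\t%s\t%s\n' "$st" "$end" "$(cert_fingerprint "$f")" "$f"
        fi
    done
    return "$rc"
}

# make_sample DIR: constructed test data (two throwaway self-signed certificates).
make_sample() {
    for spec in old_sso:5 new_sso:365; do
        openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=${spec%%:*}" -days "${spec##*:}" \
            -keyout "$1/${spec%%:*}.key" -out "$1/${spec%%:*}.crt" 2>/dev/null
    done
}

# Usage: sh audit.sh ./salesforce-cert-backups 30
if [ $# -eq 2 ]; then audit_dir "$1" "$2"; fi
```

Run it against the backup folder before deleting the old certificate: a non-zero exit status means at least one file is unreadable, expired or inside the warning window.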
To read more on the subject:
- Salesforce help: Error ‘You have one or more certificates in your Salesforce org that will expire soon’
- Salesforce Support video resource: How to Remove Expired Self-Signed Certificate | Salesforce Platform