Certificate and Key Management is the Setup page for managing the certificates Salesforce uses for SAML SSO, mutual TLS authentication, JWT signing, and other crypto-dependent integrations. From it you generate self-signed certs, upload CA-signed certs, and view expiration dates. Renew before expiration to avoid breakage.
- Open Setup → Certificate and Key Management
Setup gear → Quick Find: Certificate → Certificate and Key Management.
- Review the list of certificates
Each row: Label, Unique Name, Type (Self-Signed / CA-Signed), Expiration Date, Active.
- Click Create Self-Signed Certificate (for internal use)
Wizard sets Label, Unique Name, Key Size (2048 / 4096), Expiration. Self-signed is fine for SAML SSO between trusted systems.
- For CA-signed: Upload Certificate
Generate a CSR in Salesforce (the private key is created and kept inside the org), submit the CSR to your CA, then upload the signed certificate file.
- Set as Active for the relevant integration
The certificate is now usable. Reference it from Auth. Providers, Single Sign-On Settings, Named Credentials, etc.
- Monitor expiration
Salesforce sends emails ~60 days before expiration. Renew before that date: an expired cert breaks every integration referencing it.
- Self-Signed
Generate in Setup. No external CA. Fine for internal trust relationships.
- CA-Signed
Generate CSR → submit to CA → upload signed cert. Required for some external integrations.
- Key Size
2048-bit (default, recommended) / 4096-bit (stronger, slower). Most TLS connections accept either.
- Expiration
1 year default. Some CAs allow up to 3 years.
- Expired certificates break every integration referencing them (SAML SSO logins, mutual-TLS API calls, JWT tokens). Set calendar reminders 60+ days before expiration.
- Self-signed certificates are not trusted by default by external systems. For mutual-TLS to a third-party API, you usually need CA-signed certs.
- Renewing a certificate requires updating every external system that holds the current public key. Schedule renewal as a coordinated change.
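The "Monitor expiration" step and the expiry gotcha above rely on the ~60-day email, which is easy to miss. As an added example (not a Salesforce tool, and not part of the original page), this script checks certificates exported from Certificate and Key Management with openssl's `-checkend` option and lists any inside a renewal window; it assumes the exported PEM/CRT files sit in one directory and that `openssl` is on the PATH.

```shell
# Renewal-window check for exported Salesforce certificates (added example).
# Assumption: certificates downloaded from Setup -> Certificate and Key
# Management are stored as *.pem or *.crt files in a single directory.

RENEWAL_WINDOW_DAYS="${RENEWAL_WINDOW_DAYS:-60}"   # matches the 60-day reminder

# Returns 0 if the certificate in $1 is already expired or will expire within
# $2 days, 1 otherwise. openssl x509 -checkend N exits 1 when the cert will no
# longer be valid N seconds from now, so the exit status is inverted here.
cert_expires_within_days() {
  pem="$1"
  seconds=$(( $2 * 86400 ))
  if openssl x509 -in "$pem" -noout -checkend "$seconds" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Prints subject and notAfter for the certificate in $1 (for the renewal ticket).
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate
}

# Prints the path of every *.pem / *.crt in directory $1 that falls inside the
# renewal window ($2 days, default RENEWAL_WINDOW_DAYS), one per line.
list_certs_due() {
  dir="$1"
  window="${2:-$RENEWAL_WINDOW_DAYS}"
  for f in "$dir"/*.pem "$dir"/*.crt; do
    [ -f "$f" ] || continue
    if cert_expires_within_days "$f" "$window"; then
      printf '%s\n' "$f"
    fi
  done
}

# Human-readable report: each due certificate followed by its indented summary.
report_certs_due() {
  list_certs_due "$1" "${2:-$RENEWAL_WINDOW_DAYS}" | while IFS= read -r f; do
    printf 'RENEW within %s days: %s\n' "${2:-$RENEWAL_WINDOW_DAYS}" "$f"
    cert_summary "$f" | sed 's/^/    /'
  done
}
```

Run `report_certs_due /path/to/exported-certs` from a scheduled job; a non-empty report means a coordinated renewal (including the partner-side public-key update) needs scheduling now.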