Create a self-signed certificate and key pair

Generate a self-signed certificate and key pair in your org so you can sign assertions or authenticate callouts. From Setup, open Certificate and Key Management, then choose Create Self-Signed Certificate.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated Jun 16, 2026

  1. Open Certificate and Key Management

    In Setup, type Certificate and Key Management in Quick Find and open the page. Click Create Self-Signed Certificate to start a new certificate record.

  2. Name the certificate

    Enter a Label that humans will recognize. The Unique Name fills in automatically and becomes the API name that Apex, named credentials, and the Metadata API use to reference this certificate.

  3. Choose the key size

    Pick 2048 or 3072 bit for a one-year certificate, or 4096 bit for a two-year certificate. Remember that you cannot change the key size after you save.

  4. Decide on key export

    Leave Exportable Private Key unchecked to keep the key locked inside Salesforce. Check it only if an external system must hold the same private key in its own keystore.

  5. Save and put it to work

    Save the record. Salesforce generates the pair and you can now select this certificate in SAML settings, identity provider config, named credentials, or callout setup, and download the public certificate to share.

Mandatory fields
Label (required)

A readable display name for the certificate shown across Setup.

Unique Name (required)

The API name, auto-derived from the label, used to reference the certificate in code and metadata.

Key Size (required)

The strength of the key, either 2048, 3072, or 4096 bit, fixed once the record is saved.

Exportable Private Key (required)

A checkbox that decides whether the private key can ever be exported from the org.

Gotchas
  • You cannot change a certificate type or key size after saving, so a wrong choice means creating a new certificate and reconfiguring everything that referenced the old one.
  • A 2048-bit or 3072-bit certificate expires after one year and a 4096-bit certificate after two years; an expired certificate breaks every integration that uses it.
  • Enabling Exportable Private Key weakens your security posture, because the secret can then leave the platform; leave it off unless an external keystore truly needs the key.
  • Shield Platform Encryption Bring Your Own Key requires a 4096-bit RSA certificate, so a smaller key will not work for that use case.
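
To catch the exportable-key, expiry, and key-size gotchas above before they break an integration, this added example (not code from Salesforce or from this site) audits one certificate metadata file as retrieved through the Metadata API. The element names `keySize`, `privateKeyExportable`, and `expirationDate` are assumed to follow the Metadata API Certificate type, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample of a retrieved certificate metadata file (not from a real org).
SAMPLE_META = """<?xml version="1.0" encoding="UTF-8"?>
<Certificate xmlns="http://soap.sforce.com/2006/04/metadata">
    <caSigned>false</caSigned>
    <expirationDate>2027-06-16T12:00:00.000Z</expirationDate>
    <keySize>2048</keySize>
    <masterLabel>Example SSO Signing</masterLabel>
    <privateKeyExportable>true</privateKeyExportable>
</Certificate>"""


def audit_certificate(meta_xml, now, warn_days=30, require_byok=False):
    """Return a list of findings for one certificate metadata document."""
    root = ET.fromstring(meta_xml)

    def field(name):
        # Element names are an assumption based on the Metadata API Certificate type.
        node = root.find(f"md:{name}", NS)
        return node.text.strip() if node is not None and node.text else None

    findings = []
    if field("privateKeyExportable") == "true":
        findings.append("private key is exportable")

    key_size = int(field("keySize") or 0)
    if key_size not in (2048, 3072, 4096):
        findings.append(f"unexpected key size {key_size}")
    if require_byok and key_size != 4096:
        findings.append("BYOK needs a 4096-bit certificate")

    expires = field("expirationDate")
    if expires is None:
        findings.append("no expiration date in metadata")
    else:
        expiry = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        days_left = (expiry - now).days
        if days_left < 0:
            findings.append(f"expired {-days_left} days ago")
        elif days_left <= warn_days:
            findings.append(f"expires in {days_left} days")
    return findings
```

Run it over every certificate file in a retrieved metadata package on a schedule, passing `datetime.now(timezone.utc)` as `now`, and alert on any non-empty result.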
