

What Is Certificate and Key Management in Salesforce

If you’ve ever worked with Salesforce integrations, single sign-on, or encrypted fields, someone eventually asks — what is certificate and key management in Salesforce and why do admins need to care?

What Is Certificate and Key Management in Salesforce?

Here’s the simplest way to understand it: certificates are like digital trust badges. They prove to another system that the request actually came from your Salesforce org. Without them, systems can’t trust each other, and an integration that worked yesterday might suddenly stop today.

Salesforce uses certificates and keys for secure communication, encryption, identity verification, and preventing impersonation attacks — all of which matter even more as businesses depend heavily on automation and API-driven architecture.

When Salesforce exchanges data with:

  • Banking systems
  • Government systems
  • Payment gateways
  • External APIs
  • Single sign-on platforms

It must prove identity before the data is accepted. Certificates handle this silently in the background.

(Image: Salesforce certificate verification)

Automatic vs Admin-Managed Certificates

Salesforce automatically rotates platform-managed certificates, usually about 45 days before they expire, so you never have to worry about them. However, certificates that you upload or generate yourself for things like API integrations, Experience Cloud, or SSO need manual monitoring and renewal. If those certificates expire, the integration can stop working immediately.

Certificate Expiration Rules are Changing

Salesforce follows the CA/Browser Forum, which sets global certificate rules. Lifespans are getting shorter:

Certificate created until   Maximum validity
March 2026                  398 days
March 2027                  200 days
March 2029                  47 days

Shorter expiry = faster renewal cycles = higher admin responsibility.

This is one reason Salesforce advises automation where possible.

Types of certificates in Salesforce certificate and key management

Self-Signed Certificates in Salesforce certificate management

Salesforce generates these internally. They work well when the external system is willing to trust your certificate directly, without a third-party authority vouching for it.

When is it enough?

  • Internal automation
  • Trusted partner APIs
  • Simple test environments

(Image: Creating a self-signed certificate in Salesforce)

Using CA-Signed Certificates as part of Salesforce key management

These are signed by trusted authorities like DigiCert, GlobalSign, or Let’s Encrypt. They carry higher credibility.

Use CA-signed certificates when:

  • Integration partner demands it
  • Banking or government compliance applies
  • Using Bring Your Own Key encryption

(Image: Generating a CA-signed certificate in Salesforce for secure integrations)

How Mutual Authentication Fits into Certificate and Key Management in Salesforce?

In regular authentication, only Salesforce proves its identity. In mutual authentication, both systems prove who they are. Admins upload a mutual authentication certificate and require the connection to pass through port 8443.

(Image: Mutual authentication handshake between Salesforce and an external system)

TLS Cryptography — Compatibility Matters

Salesforce uses modern cryptography standards:

  • RSA 2048, 3072, 4096 bit
  • ECDSA P-256, P-384, P-521
  • SHA-256 / SHA-384 / SHA-512

If your partner system runs on very old Java or SAP frameworks that don't support these algorithms, the TLS handshake may fail. A version upgrade on the partner side is usually all that's required.

Exporting and importing keystore files in Salesforce certificate management

Salesforce lets you export all your certificates and private keys in JKS format to reuse in other orgs.

Most upload errors happen because of:

  • Missing private key
  • Wrong key type
  • Key bit size not supported
  • Certificate chain not valid

Master Encryption Keys

Encrypted fields such as ID numbers and credit card numbers rely on master encryption keys.

Admins can:

  • Archive keys
  • Replace keys
  • Export keys for backup
  • Delete keys (dangerous)
  • Re-import when needed

If a key is deleted without backup, data encrypted by that key is unrecoverable.

Receiving Expiry Notifications

To avoid clutter, Salesforce lets you limit who receives alert emails using the permission:

Admins with this permission get:

  • 60-day warning
  • 30-day warning
  • 10-day warning

All other admins only get notified the day before expiry.

Managing Expired Certificates as Part of Certificate and Key Management in Salesforce

Before deleting a certificate:

  • Check API integrations
  • Check Identity Provider settings
  • Replace it BEFORE deleting it

If the certificate was used for SSO, users must log in with username and password until the SSO configuration is reassigned to a new certificate.

FAQs

1. What is certificate and key management in Salesforce?

It refers to the process of creating, managing, renewing, replacing, importing, exporting, and deleting digital certificates and encryption keys that Salesforce uses to verify identity, encrypt data in transit, and support secure integrations such as SSO, HTTPS, and API callouts.

2. Why do certificates expire in Salesforce?

Certificates expire because of global security standards set by the CA/Browser Forum, which is reducing the maximum certificate lifespan over time. Expiring certificates force organizations to replace keys regularly, reducing the chances of a stolen certificate being misused indefinitely.

3. What happens if a certificate expires and isn’t replaced?

Integrations that depend on the certificate stop working immediately. This can affect SSO, API callouts, mutual authentication, or Experience Cloud sites. That’s why Salesforce sends expiration notifications.

4. What is the difference between a self-signed certificate and a CA-signed certificate?

A self-signed certificate is generated and trusted internally within Salesforce. A CA-signed certificate is validated by a trusted third-party Certificate Authority and used when partners or external systems require stronger identity verification.

5. Can Salesforce automatically rotate certificates?

Salesforce automatically rotates platform-managed certificates, but any certificate created or uploaded by your organization must be tracked and rotated by your admins.

6. What formats does Salesforce accept for certificate import?

Salesforce supports JKS keystore files for export/import, and BCFKS format for Government Cloud. Keys must match supported bit sizes and formats.

7. How do I know which certificate my SSO uses?

Navigate to Identity Provider settings in Setup and check the certificate assigned to the SSO configuration. Replace it before deletion to avoid login issues.


Conclusion

Certificate and Key Management in Salesforce is the foundation of secure communication and trusted integrations. It involves the secure creation, monitoring, rotation, and management of certificates and encryption keys to protect sensitive data, verify identities, maintain uninterrupted integrations, and prevent unauthorized system access.

Whether you’re working with API callouts, Single Sign-On (SSO), or encrypted fields, certificates operate quietly in the background—ensuring security, stability, and trust across your Salesforce ecosystem.
