A little while back, one of our Salesforce ISV Partner clients forwarded an email they received about one of their orgs and an expiring certificate.


Subject: SFDC Expiring Certificate Notification

You have one or more certificates in your Salesforce org [Org Name][Org ID] that will expire soon. Please review the list below and visit Certificate and Key Management from Setup to make an update.

That sounds important.  Indeed, if an org is used as an Identity Provider (IdP) or has external systems that require certificates to function, then it is important.  In those cases, you generate a new certificate, update all involved systems, and you should be good to go.

In this case, however, the org did not have external dependencies on a certificate.  No one on our team or the client’s team knew why this expiring certificate existed at all.  Since it was almost two years old, the Setup Audit Trail did not go back far enough to provide context around when it was added.  The org is in production use, so simply waiting to see what broke when the certificate expired was not an acceptable option.

We had one clue to go on…  the timing of the certificate creation roughly corresponded to when ISV Partner tools were installed in the org (LMA, COA, and Environment Hub).  We raised a case with Support to ask if any of those required a certificate, but we were told none did.

On a hunch, we checked the Setup Audit Trail of a relatively new org that had the Environment Hub installed.  We found that a certificate was created as one of several steps executed by “Automated Process” when the Environment Hub was installed.  After looking at several other Environment Hub orgs, all of which had a self-signed certificate, it appeared we had found the culprit.

Soon enough, the expiration date for the certificate arrived.  After it passed, we immediately tested the org applications and the Environment Hub functionality.  Everything worked fine.

It appears that creating a self-signed certificate is part of the Environment Hub automated setup process.  It may be that this was required in the early days of the Environment Hub but not anymore, or it may be required for a feature of the Environment Hub that we are not utilizing.  Regardless, always follow the golden rule for production environments…  test, test, test, then test again.

If you find or know about an Environment Hub feature that requires a certificate, please post a comment and we’ll update this article.

Our teams are here to help you navigate all the ins and outs of the AppExchange. Learn more at www.codescience.com/services.