Granular Control of Certificates with the New Manage Certificates Permission

The Manage Certificates permission lets you separate certificate management from the other security functions. The Manage Certificates permission, which allows you to create, edit, delete, upload, or download certificates, is now enabled by default in the System Administrator profile. However, you don’t need the System Administrator profile to get the Manage Certificates permission. This change applies to Lightning Experience, Salesforce Classic, and all versions of the Salesforce1 mobile app.

The Manage Certificates permission is separate from, and not coupled to, the Manage Encryption Keys permission. This is helpful if you want an admin to be able to manage certificates, but not manage encryption keys. The person in charge of your tenant secrets still needs both permissions to generate the HSM-protected Certificates in the BYOK process.