Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • IT Operations Management
Table of Contents
Choose your release version
    Home Orlando IT Operations Management IT Operations Management ITOM Visibility Discovery Certificate Inventory and Management

    Certificate Inventory and Management

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Certificate Inventory and Management

    The Certificate Inventory and Management application allows you to discover, take inventory of, and proactively manage all your TLS certificates.

    Benefits

    • Take inventory of all your TLS certificates
    • Keeps you informed of impending expirations
    • Creates certificate tasks via flows to renew expiring certificates
    • Creates incidents for already expired certificates
    • Prioritizes certificate importance
    • Helps you proactively manage your certificates
    • Helps you avoid manually tracking large volume of certificates
    • Prevents costly outages due to expired or expiring certificates

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release note information for all released apps, see the ServiceNow Store version history release notes.

    Requirements

    Make sure the ITOM Visibility [com.snc.itom.vis.license] plugin, Discovery [com.snc.discovery] plugin, and Configuration Management for Scoped Apps (CMDB) [com.snc.cmdb.scoped] plugin are installed and activated and that you have upgraded to Orlando or later. You can then download the Certificate Inventory and Management application from the ServiceNow Store.

    Note: The ServiceNow Store regularly releases new applications and updates to applications that are created by ServiceNow. If you already have the Certificate Inventory and Management application, you can download the latest version to enhance your existing experience with our products. Since different features are available or enhanced each time an application is released in the Store, the related content is indicated by version number in this document.

    How Certificate Inventory and Management works

    Certificate Inventory and Management allows Discovery to automatically scan for certificates on specific ports through your existing CI-based Discovery schedules. In addition, you can create new Discovery schedules to scan individual URLs.

    In Version 1.1.7 Certificate Inventory and Management, you can also scan for certificate authorities (CA) and import certificates from files.

    how it works V2
    Certificate Discovery reference information link Cert Discovery reference information

    The initial part of the process is different depending where the certificates are discovered from.

    • Discovery via Ports
      The port probe [tls_ssl_certs] automatically scans 14 default preauthorized ports.
      • Typical ports for SSL: 443, 8443, 9443, 636 (ldaps), 993 (imaps), 995 (popssl), 989, 990
      • StartTLS ports: 25 (smtp), 110, 143, 389, 21, 587 (smtp)

      As part of the CI Discovery process during Shazzam, the MID Server executes scanners to get the certificate chain information from the IP port number. It captures various certificate attributes and other data including certificate hierarchy. The MID Server transforms the certificates to an XML payload containing the certificate information and shares the XML payload with the instance. The Shazzam sensor on the instance picks up the ECC queue entry and adds a new record into the Discovered Certificate [sn_disco_certmgmt_certificate_history] table.

    • Discovery via URL

      The Certificate URL [sn_disco_certmgmt_cert_url] table holds a list of URLs to target for certificate discovery. Each record also has an optional reference to the Unique Certificate [cmdb_ci_certificate] table, to see what certificate is related to the given URL definition. The necessary parameters from the Discovery Schedule are combined to create and initialize the Discovery status. The [CertificateDiscoveryFromURLScan] probe discovers the certificate chain for each of the URLs in the batch and outputs an XML payload that contains the certificate chain for each certificate. It also adds a new record into the Discovered Certificate [sn_disco_certmgmt_certificate_history] table.

    • Discovery via Import Certificates (Version 1.1.7 Certificate Inventory and Management)
      The Import certificates are discovered using the pattern Import SSL Certificate, which uses the following:
      • Host name/IP on which the certificates are hosted
      • Folder in which certificates are present
      • TLS_keepOriginalCertificate: If the TLS_keepOriginalCertificate parameter is set to true, it will increase the payload size which can cause out-of-memory issues.
      • Mid_temp_folder: The folder on the MID Server where the files will be copied temporarily.
      Note: Auto-select MID Server option is NOT supported for Windows and Linux mid combinations. If the MID Server is used for storing the original certificates files, then Host name/IP should be set to blank or localhost and the particular MID Server should be selected for the Discovery schedule.
    • Discovery via CA authority (Version 1.1.7 Certificate Inventory and Management)

      Once the Certificate Inventory and Management credential is set up with either GoDaddy or DigiCert Certificate Authority and the Discovery schedule runs, the GoDaddy or DigiCert pattern makes REST API calls to (GoDaddy or DigiCert), collects certificate information, retrieves the list of certificates, and stores it in the [cmdb_ci_certificate], [certificate_domain], and [sys_attachment] tables.

      The following are arguments for GoDaddy and DigiCert patterns:

      • Start_offset: The offset position to read certificates from the CA authorities. The default value is 0.
      • Limit: The number of certificates to be read from the start_offset. The default value is 1500.
      • CredentialAlias: The Alias for the credentials of the CA.
      • If the TLS_keepOriginalCertificate parameter is set to true, then the certificate file is attached to the Certificate CI. This will increase the payload size and can cause out-of-memory issues.
    • From this point on, the process is the same.

      The Unique Certificate [cmdb_ci_certificate] and Installed Certificate [sn_disco_certmgmt_cmdb_installed_certificate] tables are then populated with the TLS certificate chains, signed by the certificate authority and root. After certificates have been discovered, a scheduled job automatically checks the Unique Certificate [cmdb_ci_certificate] table for expiring and expired certificates. Certificate tasks and incidents are then created and assigned. You can also manually request new certificates and renew certificates see Certificate Inventory and Management workflow for more information.

      To optimize system performance, a table cleaner automatically deletes old certificate records after a specified number of days from these two tables:
      • Discovered Certificate [sn_disco_certmgmt_certificate_history] table: older than 30 days
      • Installed Certificate [sn_disco_certmgmt_cmdb_installed_certificate] table: older than 90 days
    Note: You can toggle various behaviors related to Certificate Inventory and Management depending on your needs, using specific certificate properties as shown in Discovery properties.

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Certificate Inventory and Management

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Certificate Inventory and Management

      The Certificate Inventory and Management application allows you to discover, take inventory of, and proactively manage all your TLS certificates.

      Benefits

      • Take inventory of all your TLS certificates
      • Keeps you informed of impending expirations
      • Creates certificate tasks via flows to renew expiring certificates
      • Creates incidents for already expired certificates
      • Prioritizes certificate importance
      • Helps you proactively manage your certificates
      • Helps you avoid manually tracking large volume of certificates
      • Prevents costly outages due to expired or expiring certificates

      Request apps on the Store

      Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release note information for all released apps, see the ServiceNow Store version history release notes.

      Requirements

      Make sure the ITOM Visibility [com.snc.itom.vis.license] plugin, Discovery [com.snc.discovery] plugin, and Configuration Management for Scoped Apps (CMDB) [com.snc.cmdb.scoped] plugin are installed and activated and that you have upgraded to Orlando or later. You can then download the Certificate Inventory and Management application from the ServiceNow Store.

      Note: The ServiceNow Store regularly releases new applications and updates to applications that are created by ServiceNow. If you already have the Certificate Inventory and Management application, you can download the latest version to enhance your existing experience with our products. Since different features are available or enhanced each time an application is released in the Store, the related content is indicated by version number in this document.

      How Certificate Inventory and Management works

      Certificate Inventory and Management allows Discovery to automatically scan for certificates on specific ports through your existing CI-based Discovery schedules. In addition, you can create new Discovery schedules to scan individual URLs.

      In Version 1.1.7 Certificate Inventory and Management, you can also scan for certificate authorities (CA) and import certificates from files.

      how it works V2
      Certificate Discovery reference information link Cert Discovery reference information

      The initial part of the process is different depending where the certificates are discovered from.

      • Discovery via Ports
        The port probe [tls_ssl_certs] automatically scans 14 default preauthorized ports.
        • Typical ports for SSL: 443, 8443, 9443, 636 (ldaps), 993 (imaps), 995 (popssl), 989, 990
        • StartTLS ports: 25 (smtp), 110, 143, 389, 21, 587 (smtp)

        As part of the CI Discovery process during Shazzam, the MID Server executes scanners to get the certificate chain information from the IP port number. It captures various certificate attributes and other data including certificate hierarchy. The MID Server transforms the certificates to an XML payload containing the certificate information and shares the XML payload with the instance. The Shazzam sensor on the instance picks up the ECC queue entry and adds a new record into the Discovered Certificate [sn_disco_certmgmt_certificate_history] table.

      • Discovery via URL

        The Certificate URL [sn_disco_certmgmt_cert_url] table holds a list of URLs to target for certificate discovery. Each record also has an optional reference to the Unique Certificate [cmdb_ci_certificate] table, to see what certificate is related to the given URL definition. The necessary parameters from the Discovery Schedule are combined to create and initialize the Discovery status. The [CertificateDiscoveryFromURLScan] probe discovers the certificate chain for each of the URLs in the batch and outputs an XML payload that contains the certificate chain for each certificate. It also adds a new record into the Discovered Certificate [sn_disco_certmgmt_certificate_history] table.

      • Discovery via Import Certificates (Version 1.1.7 Certificate Inventory and Management)
        The Import certificates are discovered using the pattern Import SSL Certificate, which uses the following:
        • Host name/IP on which the certificates are hosted
        • Folder in which certificates are present
        • TLS_keepOriginalCertificate: If the TLS_keepOriginalCertificate parameter is set to true, it will increase the payload size which can cause out-of-memory issues.
        • Mid_temp_folder: The folder on the MID Server where the files will be copied temporarily.
        Note: Auto-select MID Server option is NOT supported for Windows and Linux mid combinations. If the MID Server is used for storing the original certificates files, then Host name/IP should be set to blank or localhost and the particular MID Server should be selected for the Discovery schedule.
      • Discovery via CA authority (Version 1.1.7 Certificate Inventory and Management)

        Once the Certificate Inventory and Management credential is set up with either GoDaddy or DigiCert Certificate Authority and the Discovery schedule runs, the GoDaddy or DigiCert pattern makes REST API calls to (GoDaddy or DigiCert), collects certificate information, retrieves the list of certificates, and stores it in the [cmdb_ci_certificate], [certificate_domain], and [sys_attachment] tables.

        The following are arguments for GoDaddy and DigiCert patterns:

        • Start_offset: The offset position to read certificates from the CA authorities. The default value is 0.
        • Limit: The number of certificates to be read from the start_offset. The default value is 1500.
        • CredentialAlias: The Alias for the credentials of the CA.
        • If the TLS_keepOriginalCertificate parameter is set to true, then the certificate file is attached to the Certificate CI. This will increase the payload size and can cause out-of-memory issues.
      • From this point on, the process is the same.

        The Unique Certificate [cmdb_ci_certificate] and Installed Certificate [sn_disco_certmgmt_cmdb_installed_certificate] tables are then populated with the TLS certificate chains, signed by the certificate authority and root. After certificates have been discovered, a scheduled job automatically checks the Unique Certificate [cmdb_ci_certificate] table for expiring and expired certificates. Certificate tasks and incidents are then created and assigned. You can also manually request new certificates and renew certificates see Certificate Inventory and Management workflow for more information.

        To optimize system performance, a table cleaner automatically deletes old certificate records after a specified number of days from these two tables:
        • Discovered Certificate [sn_disco_certmgmt_certificate_history] table: older than 30 days
        • Installed Certificate [sn_disco_certmgmt_cmdb_installed_certificate] table: older than 90 days
      Note: You can toggle various behaviors related to Certificate Inventory and Management depending on your needs, using specific certificate properties as shown in Discovery properties.

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login