Certificate Discovery via Port Scan: Backend Workflow Explained

Summary

Purpose

Ever wondered what happens after you enable tls_ssl_certs and a server answers with TLS? This article explains the full backend journey from capture to the creation and linking of certificate records.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Overview

- When tls_ssl_certs is enabled, your existing Discovery schedules attempt certificate capture on the configured ports.
- When a TLS response is received, the MID Server captures the server certificate chain and returns it to the instance.
- The instance processes the returned chain, inserts a certificate history record, triggers an event-driven step, creates or updates Certificate CI records (using IRE when enabled for this flow), creates or updates the installed certificate mapping, and updates the history record to reference the discovered server certificate CI.
- Runtime messages for this chain can be reviewed in the Discovery Status record under the Discovery Log tab.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Key record links used in this chain

- Port Probe record (tls_ssl_certs): https://<instance_name>.service-now.com/nav_to.do?uri=discovery_port_probe.do?sys_id=1e699a597752330099808d116810612c
- Business Rule: Discovery - Certificate Captured (After Insert): https://<instance_name>.service-now.com/nav_to.do?uri=sys_script.do?sys_id=6cc7041777123300b5bd1c3faa1061f3
- Script Action for event sn_disco_certmgmt.certificate.captured: https://<instance_name>.service-now.com/nav_to.do?uri=sysevent_script_action.do?sys_id=948c4c9777123300b5bd1c3faa106112
- Script Include: PopulateCmdbCiCertificate: https://<instance_name>.service-now.com/nav_to.do?uri=sys_script_include.do?sys_id=a4d8ecef77923300b5bd1c3faa1061e8
- Script Include: PopulateCmdbInstalledCertificate: https://<instance_name>.service-now.com/nav_to.do?uri=sys_script_include.do?sys_id=31b568af77923300b5bd1c3faa106136

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Backend chain after a TLS response is received

TLS certificate chain is captured and returned from the endpoint

- The MID Server completes a TLS handshake on the target IP and port and extracts the certificate chain.
- The MID Server returns the chain to the instance as a payload with endpoint context such as source and port.

Instance processes the returned certificate chain

- The returned payload is decoded and unpacked into a structured certificate chain for ingestion.
- Processing outcomes for the endpoint and port are visible in the Discovery Status record under the Discovery Log tab.

Certificate history record is created

- A new record is inserted into sn_disco_certmgmt_certificate_history.
- This record stores endpoint identity fields (source, port, discovery_method, sys_domain, and path when applicable) and the captured certificate chain payload.

Business Rule triggers and queues the certificate captured event

- Business Rule name: Discovery - Certificate Captured
- Trigger: After Insert on sn_disco_certmgmt_certificate_history
- Result: queues event sn_disco_certmgmt.certificate.captured for the newly inserted history record
- Business Rule link: https://<instance_name>.service-now.com/nav_to.do?uri=sys_script.do?sys_id=6cc7041777123300b5bd1c3faa1061f3

Script Action runs for the queued event and performs population and linking

- The Script Action uses the certificate history record as input.
- It creates or updates Certificate CI records, creates or updates the installed certificate mapping, and updates the history record with the server certificate reference.
- Script Action link: https://<instance_name>.service-now.com/nav_to.do?uri=sysevent_script_action.do?sys_id=948c4c9777123300b5bd1c3faa106112

Certificate CI records are created or updated (includes IRE behavior)

- Population is handled by PopulateCmdbCiCertificate using the certificate chain payload from the history record.
- The chain is processed in reverse order (root to server) so issuer and root issuer references can be populated correctly.
- Certificate matching and creation are fingerprint-driven; additional attributes are then populated (subject, issuer, validity, serial number, algorithms, key size, CA and self-signed indicators, SAN references).
- IRE usage is controlled by DiscoveryCertificateManagementUtils.shouldUseIRE. If IRE is enabled for this flow, certificates are upserted using IRE. If it is not enabled, certificates are upserted using direct record updates.
- IRE upsert is applied consistently across the full chain, including when issuer and root issuer references are updated.
- PopulateCmdbCiCertificate link: https://<instance_name>.service-now.com/nav_to.do?uri=sys_script_include.do?sys_id=a4d8ecef77923300b5bd1c3faa1061e8

Installed certificate mapping is created or refreshed

- Mapping is handled by PopulateCmdbInstalledCertificate.
- It creates or updates the installed certificate mapping record using this identity key: source, sys_domain, discovery_method, certificate, port, path.
- If a matching mapping exists, it is refreshed rather than duplicated.
- PopulateCmdbInstalledCertificate link: https://<instance_name>.service-now.com/nav_to.do?uri=sys_script_include.do?sys_id=31b568af77923300b5bd1c3faa106136

Certificate history record is updated with the server certificate reference

- The history record is updated so the server_certificate field references the discovered or updated server certificate CI.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

How to verify quickly

- Discovery Status record (check the Discovery Log tab for runtime messages)
- Certificate history (confirm the record exists and server_certificate is populated)
- Certificate CI (confirm the certificate record exists or was updated)
- Installed certificate mapping (confirm the endpoint-to-certificate mapping exists)

Related Links

Run Certificate Discovery via port scans