SSL/TLS encryption on instances

Issue

Protecting the security and privacy of our customers is among our top priorities, so ServiceNow uses SSL/TLS to encrypt communications for all customer instances. To continue to provide best-in-class protection, we regularly renew the certificates used for SSL/TLS encryption. A short lifespan for SSL certificates reduces our exposure window and gives us greater flexibility to deal with unforeseen security issues. Since so many recent headlines have featured exposures in the SSL protocol and the surrounding technologies (Heartbleed, POODLE, root CA compromises, unauthorized disclosures), ServiceNow views this as a necessary step to stay ahead of current and future threats.

Regarding SSL certificate changes

ServiceNow currently rotates/renews its certificates every 6 months and provides 14-day notification of this activity. This is an industry best practice and it enables ServiceNow to provide improved security for our customers.

ServiceNow recommends that customers and their third-party systems trust the root certificate provided by our certificate vendor, Entrust, instead of hard-coding the current ServiceNow certificate and having to change it manually each time the certificate is renewed.

Because Google has announced that certificates issued by Entrust will no longer be accepted by Chrome browsers, ServiceNow will issue the new certificate for instances (also known as the *.service-now.com certificate or the wildcard certificate) from DigiCert instead of Entrust. Customers and their third-party systems should also be configured to trust the DigiCert root certificates to ensure a seamless transition.

Determining if your instance is affected by this change

All customers using the ServiceNow web application use the new SSL certificate, but for most of them this is a transparent change.
The only customers likely to require manual intervention are those who have integrations, caching servers or proxy servers that have hard-coded the current ServiceNow SSL certificate (and/or its intermediate and root certificates). Some inbound integrations (services connecting to your ServiceNow instance) may have the current SSL certificate hard-coded. Contact the service owner of any integration that connects to your ServiceNow instance to verify that it will handle the SSL certificate change properly. Please note that it is technically impossible for ServiceNow to determine which third-party systems connecting to an instance have hard-coded the current certificate. This is similar to a user saving a password in their browser: it is only possible to check whether the password they provided is correct, not to determine how that password is stored.

If you access your ServiceNow instance by a URL other than https://<instance-name>.service-now.com/ or a Custom URL deployed through your instance, you may be accessing your instance through a proxy. Contact your IT department or network administrator to verify that the proxy can handle the SSL certificate change properly. Normal web browsers like Internet Explorer, Firefox, Chrome, or Safari are NOT affected.

Preparing for SSL certificate upgrade

1) Use updated web browsers and maintain software patch levels.
2) Read the information provided by ServiceNow and communicate this change to any members of your organization who could be affected.
3) ServiceNow recommends not hard-coding the ServiceNow certificate. Hard-coded certificates will likely cause interrupted access during a certificate change until the old certificate is manually replaced by the new and correct certificate.

Receiving Notifications About Changes to the Root CA

The current wildcard certificate is issued by Entrust, our third-party Certificate Authority (CA).
There are two versions of the *.service-now.com certificate, both issued by Entrust but with different expiration dates.

1) Most instances use a certificate with serial number 10d3e2066f5d2ae7b29050e6d8eaa648 issued by "Entrust Certification Authority - L1K". This certificate is valid until May 13 04:56:45 2025 GMT and will be renewed in April 2025 with a certificate issued by DigiCert.

2) Instances where ECDSA ciphers have been activated or where TLS 1.3 is being tested use a certificate with serial number 1caa52eaa9cbb28791753d624194dfbf issued by "Entrust Certification Authority - L1F". This certificate is valid until Jan 30 14:05:05 2025 GMT and will be renewed in January 2025 with a certificate issued by DigiCert. It will be renewed again in April 2025 along with our TLS 1.2 certificate and will be kept in synchronization from that date.

You may review the certificate information by using the following commands:

    openssl s_client -tls1_3 -connect <instancename>.service-now.com:443
    openssl s_client -tls1_2 -connect <instancename>.service-now.com:443

Please note that the -tls1_3 command will only return successful results if TLS 1.3 is available for the instance.

Both versions of the wildcard certificate will be issued by DigiCert, which is replacing Entrust as our CA. We plan to send 14-day notification for the changes, and this KB article will be kept up to date with the most recent versions of the certificates.

Release

All releases.

Resolution

Obtaining Help for SSL Certificate Changes

If you believe there is a problem with the SSL certificate change, please contact ServiceNow Technical Support. Please note that Support cannot help you determine which third-party systems may be affected, as it is technically impossible for ServiceNow to determine which third-party systems connecting to an instance have hard-coded the current certificate.
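As an added example (not from this KB or from ServiceNow), the following Python script mirrors the two openssl commands listed under "Receiving Notifications About Changes to the Root CA": it fetches the wildcard leaf certificate at a forced TLS version and reports whether its serial still matches one of the Entrust serials quoted in this article, so an integration that hard-codes one of them can be checked before the DigiCert rotation. The host name is a placeholder, and the sample certificate dictionary is constructed to mirror getpeercert() output, not a real capture.

```python
import socket, ssl, sys, time

# Serial numbers this KB lists for the two current Entrust-issued wildcard certificates.
KNOWN_SERIALS = {
    "10d3e2066f5d2ae7b29050e6d8eaa648": "Entrust L1K (TLS 1.2 certificate)",
    "1caa52eaa9cbb28791753d624194dfbf": "Entrust L1F (TLS 1.3 / ECDSA certificate)",
}

# Constructed sample in SSLSocket.getpeercert() shape (not a real capture), mirroring
# the TLS 1.2 certificate described above; AS_OF is 30 days before its expiry.
SAMPLE_ENTRUST_L1K = {
    "subject": ((("commonName", "*.service-now.com"),),),
    "issuer": ((("organizationName", "Entrust, Inc."),),
               (("commonName", "Entrust Certification Authority - L1K"),)),
    "serialNumber": "10D3E2066F5D2AE7B29050E6D8EAA648",
    "notAfter": "May 13 04:56:45 2025 GMT",
}
AS_OF = ssl.cert_time_to_seconds("Apr 13 04:56:45 2025 GMT")

def fetch_leaf_cert(host, version, port=443):
    """Mirror `openssl s_client -tls1_2|-tls1_3 -connect host:443`; returns the leaf
    certificate dict. Raises ssl.SSLError if the instance does not offer `version`."""
    ctx = ssl.create_default_context()  # verifies the chain against the OS trust store
    ctx.minimum_version = ctx.maximum_version = version  # force exactly one version
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def pin_check(cert, pinned_serials, now):
    """Would a system that hard-codes `pinned_serials` still accept `cert`? `now` is epoch seconds."""
    serial = cert["serialNumber"].lower().lstrip("0")
    pinned = {s.lower().lstrip("0") for s in pinned_serials}
    issuer_cn = next((v for rdn in cert["issuer"] for k, v in rdn if k == "commonName"), "")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "serial": serial,
        "issuer_cn": issuer_cn,
        "days_left": int((not_after - now) // 86400),
        "pin_ok": serial in pinned,  # False: a hard-coded integration will break
        "known_label": KNOWN_SERIALS.get(serial, "not an Entrust serial listed in this KB"),
    }

if __name__ == "__main__":  # live check against an instance (placeholder host name)
    host = sys.argv[1] if len(sys.argv) > 1 else "INSTANCE-NAME.service-now.com"
    for ver in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            print(ver.name, pin_check(fetch_leaf_cert(host, ver), KNOWN_SERIALS, time.time()))
        except (ssl.SSLError, OSError) as exc:  # e.g. TLS 1.3 not offered by this instance
            print(ver.name, "handshake failed:", exc)
```

Run it with the instance host name as the first argument; a `pin_ok` of False after the rotation is exactly the condition under which a hard-coded certificate stops working.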
SSL Certificates

If you have determined that you might be impacted by the SSL certificate change, use the certificates in the zip file below.

star.service-now.com.zip

The zip file contains three sets of certificates:

1) The existing TLS 1.2 certificates from Entrust
2) The existing TLS 1.3 certificates from Entrust
3) The upcoming TLS 1.3 certificates from DigiCert

If you have a third-party system where you have hard-coded certificates, we strongly suggest you add all three sets to its configuration.

Related Links

Related KBs:
How to determine where your data center is hosted? - KB0538621
OCSP requirements for MID servers for Entrust & Digicert - KB1709661
ServiceNow Replacing Entrust Certificate Authority (CA) - KB1702083