WS-Security profile for Outbound SOAP Secured Web Service needs the "x509 certificate" in PEM format only - Support and Troubleshooting

WS-Security profile for Outbound SOAP Secured Web Service needs the "x509 certificate" in PEM format only Issue  WS-Security profile for Outbound SOAP Secured Web Service needs the "x509 certificate" in PEM format only

Problem WS-Security profile for Outbound SOAP Secured Web Service allows to create "x509 certificate" in both CER and PEM format.

Symptoms If a customer creates or update a WS-Security profile for Outbound SOAP Secured Web Service with a "x509 certificate" other than PEM, they could receive the following errors on the system logs or in the localhost:

Error signing SOAP envelope: java.io.IOException: Invalid keystore format: sun.security.provider.JavaKeyStore.engineLoad SOAP Msg Outbound - SOAPMessageClient : Error executing SOAP request: Error signing SOAP envelope Unable to extract Key from KeyStore: com.glide.certificates.DBKeyStoreFactory.getPrivateKeyFromKeyStore Cause WS-Security assumes the certificate is encoded in PEM format and it could not retrieve it

Resolution Please perform the following actions to resolve your problem.

To accomplish action A:

Export from the keystore the new certificate used by the secure WS, in PEM format . You will need to know the certificate alias for this operation or if you have a cer X509 certificate, you could convert it as follow: > openssl x509 -inform der -in certificate.cer -out certificate.pem Import into ServiceNow the new provided keystore. We recommend in PKCS12 format . Import into ServiecNow the new x509 certificate in PEM format. Modify the WS security X509 Outbound profile for this WS call to correctly point to: a) the new keystore record, b) the new certificate record , and c) the certificate alias.

Note : WS-Security only allows X509 certificates in PEM format to be used.