Debugging Mutual Authentication Issue

Mutual Authentication Debugging

Please follow these steps when debugging Mutual Authentication:

1. Validate that the protocol profile is set up correctly, e.g. "myhttps" and port "443".

2. Convert the given format of the keystore to p12. From pfx to p12:

    keytool -importkeystore -destkeystore newCustomer.p12 -deststoretype pkcs12 -srckeystore "name.pfx"

3. Extract the public cert from this P12:

    keytool -export -alias "<alias_from_p12>" -keystore newCustomer.p12 -rfc -file publicCert.cert

4. Extract the private key from this P12:

    openssl pkcs12 -in newCustomer.p12 -nodes -nocerts -out private.pem

   Alternatively, run the following to see the full output. If no "-----BEGIN PRIVATE KEY" line is seen, the private key is missing and the customer needs to regenerate a new key pair following our documentation:

    openssl pkcs12 -info -in newCustomer.p12 -nodes -nocerts

5. Try connecting via OpenSSL:

    openssl s_client -connect <Destination_IP>:<PORT> -msg

6. Use the private key and validate that OpenSSL is working correctly:

    # s_client only presents a client certificate when -cert is given alongside -key
    openssl s_client -showcerts -connect <Destination_IP>:<Port> -cert publicCert.cert -key private.pem

7. Leverage the public and private keys via curl to validate that the 3rd party is configured correctly:

    # add --pass <password> only if private.pem is passphrase-protected
    curl -v https://<API_Point>:<port> -H "Content-Type: application/json" -d '<json_body>' --cert publicCert.cert --key private.pem

Before continuing, make sure steps 6 and 7 have a satisfactory result. If any of the previous steps fail, it means the configuration at the 3rd party is not correct and there is no need to debug at ServiceNow yet.

Once this is working, start configuring ServiceNow for Mutual Auth: add the target's public certificate as a trusted cert in the given keystore and attach it to the protocol profile in ServiceNow.

When running the test on a REST method and it shows https:// instead of the custom protocol name (which should be <8 characters and lower alphabetic letters only), ensure that the endpoint on the REST outbound message uses the custom protocol and has mutual authentication checked. At least in Quebec it seems to be taking the custom protocol from the message, rather than the method. If you get unexplained errors with connection refusal, set the mutual authentication checkbox on the message only, not the method.
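Before testing against the 3rd party, it helps to confirm that the certificate and private key extracted from the P12 above are usable together. The following is an added example, not part of the original article or ServiceNow tooling; the function names are hypothetical, and the file names publicCert.cert and private.pem are the ones used in the extraction commands above.

```shell
#!/bin/sh
# Added example: sanity-check the files extracted from the P12.
# Function names are hypothetical; file names follow the commands above.

# Classify a PEM dump (output of `openssl pkcs12 ... -nocerts`).
# Prints one of: plain | encrypted | missing
key_status() {
    if grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # exported without -nodes
    elif grep -Eq -e '^-----BEGIN ((RSA|EC|DSA) )?PRIVATE KEY-----' "$1"; then
        echo plain
    else
        echo missing        # the P12 held no private key
    fi
}

# Succeeds only if the certificate and the key carry the same public key.
# Returns 2 if either file cannot be parsed by openssl.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: check_mutual_auth_files publicCert.cert private.pem
check_mutual_auth_files() {
    case $(key_status "$2") in
        missing)
            echo "no private key in $2: the key pair must be regenerated"
            return 1 ;;
        encrypted)
            echo "key in $2 is passphrase-protected: re-export with -nodes"
            return 1 ;;
    esac
    if pair_matches "$1" "$2"; then
        echo "certificate and private key match"
    else
        echo "certificate and private key do not match or could not be parsed"
        return 1
    fi
}
```

A mismatch here means the alias exported as the public cert does not belong to the private key in the same P12, which would make the openssl and curl tests fail regardless of the 3rd party's configuration.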
Additional information

Mutual Authentication - Overview
Steps to set up Mutual Authentication: Keys