How to identify invalid certificates in a ServiceNow instance?SummaryWhile fulfilling certain activities, ServiceNow platform queries sys_certificate table and validate all the active certificates. For example LDAP Test Connection, Email POP3/IMAP Test connection etc. During this process if one of active certificates appears invalid due to whatever reason, the action fails reporting some errors. Below is an example log statement where Email POP3 Test connection was broken due to an active invalid certificate. (Account name: ServiceNow POP3, Type: pop3, sys_id: 7e7e3701470311107f180838036d4327) Email account connection test completed with result: error, msg: Connection failed: Couldn't connect to host, port: pop3, 995; timeout 20000; Using socket factory class com.glide.certificates.DBKeyStoreSocketFactory Digging further into application node logs shows the failure was caused due to the validation failure of SAML 2.0 SP Keystore certificate. 2022-12-27 05:30:37 (589) worker.6 worker.6 txid=f3d970dd4788 SEVERE *** ERROR *** Unable to load certificate : SAML 2.0 SP Keystore - b88267271b012000f1129141be071393 java.io.IOException: Keystore was tampered with, or password was incorrect Running this background script helps identifying if there is any invalid certificate available in sys_certificate.ReleaseAllInstructionsLogin to ServiceNow instance Go to System Definition > Scripts - Background Run below script in global scope //Script for validating certificates checkCert(); function checkCert(){ var certValidator = new SNC.CertificateValidator(); var grC = new GlideRecord('sys_certificate'); grC.addActiveQuery(); grC.addQuery('name', 'DOES NOT CONTAIN', 'code_signing_key'); grC.addQuery('short_description', 'DOES NOT CONTAIN', 'ServiceNow Inc.'); grC.query(); while (grC.next()){ try { if(!certValidator.validate(grC)) gs.print(gs.getMessage('\n\nInvalid certificate: ') + '\nName: ' + grC.name + '\nType: ' + grC.type + CreateLink('sys_certificate', grC.sys_id) + '\n'); } catch (e){ gs.print(gs.getMessage('\n\nInvalid certificate: ') + '\nName: ' + grC.name + '\nType: ' + grC.type + CreateLink('sys_certificate', grC.sys_id) + '\n'); gs.print(gs.getMessage(e)); continue; } } function CreateLink(strTableName, strSysID){ return "\nLink: " + gs.getProperty('glide.servlet.uri') + gs.generateURL(strTableName, strSysID); } } Sample Output: *** Script: Invalid certificate: Name: SAML 2.0 Type: trust_store Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=210cfd3fe8a902006d0f6afc9ec7eb25 *** Script: java.lang.Exception: Invalid trust_store : certificate expired on 20200804073341GMT+00:00 *** Script: Invalid certificate: Name: http://yyyyy.com/adfs/services/trust_1 Type: trust_store Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=34b49fc0e4dd5e006d0f3a1593ae945c *** Script: java.lang.Exception: Invalid trust_store : certificate expired on 20160505124327GMT+00:00 *** Script: Invalid certificate: Name: http://yyyyy.com/adfs/services/trust_2 Type: trust_store Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=74b49fc0e4dd5e006d0f3a1593ae945c *** Script: java.lang.Exception: Invalid trust_store : certificate expired on 20160525101018GMT+00:00 *** Script: Invalid certificate: Name: SAML 2.1 Type: trust_store Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=c64f7d3fe8a902006d0f6afc9ec7eb08 *** Script: java.lang.Exception: Invalid trust_store : Unable to load certificateSAML 2.1, pem *** Script: Invalid certificate: Name: test azure Type: trust_store Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=e779e64f0fc7da002cc06519b1050ed1 *** Script: java.lang.Exception: Invalid trust_store : certificate expired on 20161027000000GMT+00:00 Now please set these invalid certificates as inactive and test the connection again. References: Error connecting the POP email account on secure port