How to identify invalid certificates in a ServiceNow instance

Summary

When performing certain activities, the ServiceNow platform queries the sys_certificate table and validates all active certificates. If an apparently invalid certificate exists, operations such as LDAP Test Connection or Email POP3/IMAP Test Connection fail with errors.

For example, an Email POP3 test connection failed because of an active invalid certificate, as shown in this log:

    (Account name: ServiceNow POP3, Type: pop3, sys_id: 7e7e3701470311107f180838036d4327) Email account connection test completed with result: error, msg: Connection failed: Couldn't connect to host, port: pop3, 995; timeout 20000; Using socket factory class com.glide.certificates.DBKeyStoreSocketFactory

Further investigation of the application node logs shows that the failure was caused by a validation failure of the SAML 2.0 SP Keystore certificate:

    2022-12-27 05:30:37 (589) worker.6 worker.6 txid=f3d970dd4788 SEVERE *** ERROR *** Unable to load certificate : SAML 2.0 SP Keystore - b88267271b012000f1129141be071393
    java.io.IOException: Keystore was tampered with, or password was incorrect

You can use a background script to identify invalid certificates in your instance.

Release

All supported releases

Instructions

In your ServiceNow instance:

1. Go to System Definition > Scripts - Background.

2. Run the following script in the global scope:

    // Script for validating certificates
    checkCert();

    function checkCert() {
        var certValidator = new SNC.CertificateValidator();

        // Select active certificates, skipping code signing keys and
        // certificates whose short description contains 'ServiceNow Inc.'.
        var grC = new GlideRecord('sys_certificate');
        grC.addActiveQuery();
        grC.addQuery('name', 'DOES NOT CONTAIN', 'code_signing_key');
        grC.addQuery('short_description', 'DOES NOT CONTAIN', 'ServiceNow Inc.');
        grC.query();

        while (grC.next()) {
            try {
                // validate() returned false: report the record.
                if (!certValidator.validate(grC))
                    gs.print(gs.getMessage('\n\nInvalid certificate: ') + '\nName: ' + grC.name + '\nType: ' + grC.type + CreateLink('sys_certificate', grC.sys_id) + '\n');
            } catch (e) {
                // validate() threw: report the record, then the exception message.
                gs.print(gs.getMessage('\n\nInvalid certificate: ') + '\nName: ' + grC.name + '\nType: ' + grC.type + CreateLink('sys_certificate', grC.sys_id) + '\n');
                gs.print(gs.getMessage(e));
                continue;
            }
        }

        // Build a direct link to the record on this instance.
        function CreateLink(strTableName, strSysID) {
            return "\nLink: " + gs.getProperty('glide.servlet.uri') + gs.generateURL(strTableName, strSysID);
        }
    }

3. The following is sample output:

    *** Script:

    Invalid certificate:
    Name: SAML 2.0
    Type: trust_store
    Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=210cfd3fe8a902006d0f6afc9ec7eb25

    *** Script: java.lang.Exception: Invalid trust_store : certificate expired on 20200804073341GMT+00:00
    *** Script:

    Invalid certificate:
    Name: http://yyyyy.com/adfs/services/trust_1
    Type: trust_store
    Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=34b49fc0e4dd5e006d0f3a1593ae945c

    *** Script: java.lang.Exception: Invalid trust_store : certificate expired on 20160505124327GMT+00:00
    *** Script:

    Invalid certificate:
    Name: http://yyyyy.com/adfs/services/trust_2
    Type: trust_store
    Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=74b49fc0e4dd5e006d0f3a1593ae945c

    *** Script: java.lang.Exception: Invalid trust_store : certificate expired on 20160525101018GMT+00:00
    *** Script:

    Invalid certificate:
    Name: SAML 2.1
    Type: trust_store
    Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=c64f7d3fe8a902006d0f6afc9ec7eb08

    *** Script: java.lang.Exception: Invalid trust_store : Unable to load certificateSAML 2.1, pem
    *** Script:

    Invalid certificate:
    Name: test azure
    Type: trust_store
    Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=e779e64f0fc7da002cc06519b1050ed1

    *** Script: java.lang.Exception: Invalid trust_store : certificate expired on 20161027000000GMT+00:00

4. Set the invalid certificates as inactive and test the connection again.

Related Links

Error connecting the POP email account on secure port
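
The output from step 3 can be turned into a triage list before any certificate is set inactive in step 4. The following Node.js parser is an added example, not part of the original article or ServiceNow's code; `parseCertReport` and `groupByReason` are hypothetical names, and it assumes the `*** Script:` output format shown in the sample output.

```javascript
// Added example, not ServiceNow code. SAMPLE reuses two entries from the sample
// output in step 3; the third entry is constructed (validate() returned false
// without throwing, so no exception line follows it).
const SAMPLE = [
  '*** Script: Invalid certificate: Name: SAML 2.0 Type: trust_store Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=210cfd3fe8a902006d0f6afc9ec7eb25',
  '*** Script: java.lang.Exception: Invalid trust_store : certificate expired on 20200804073341GMT+00:00',
  '*** Script: Invalid certificate: Name: SAML 2.1 Type: trust_store Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=c64f7d3fe8a902006d0f6afc9ec7eb08',
  '*** Script: java.lang.Exception: Invalid trust_store : Unable to load certificateSAML 2.1, pem',
  '*** Script: Invalid certificate: Name: constructed example Type: trust_store Link: https://xxxxx.service-now.com/sys_certificate.do?sys_id=00000000000000000000000000000000',
].join('\n');

// \s* and \s+ tolerate both the multi-line console layout and flattened copies.
const HEADER = /Invalid certificate:\s*Name:\s*(.+?)\s+Type:\s*(\S+)\s+Link:\s*(\S+)/s;
const EXPIRED = /certificate expired on (\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})GMT\+00:00/;

function parseCertReport(output) {
  const findings = [];
  for (const chunk of output.split('*** Script:')) {
    const text = chunk.trim();
    if (!text) continue;
    const head = HEADER.exec(text);
    if (head) {
      const id = /sys_id=([0-9a-f]{32})/.exec(head[3]);
      findings.push({ name: head[1], type: head[2], sysId: id ? id[1] : null,
                      reason: 'invalid', expiredAt: null, detail: '' });
      continue;
    }
    const last = findings[findings.length - 1];
    if (!last || last.detail) continue; // output line not tied to a finding
    last.detail = text;
    const exp = EXPIRED.exec(text);
    if (exp) {
      const [y, mo, d, h, mi, s] = exp.slice(1).map(Number);
      last.reason = 'expired';
      last.expiredAt = new Date(Date.UTC(y, mo - 1, d, h, mi, s)).toISOString();
    } else if (text.includes('Unable to load certificate')) {
      last.reason = 'unloadable';
    }
  }
  return findings;
}

// Group sys_ids by failure reason so each group can be reviewed before step 4.
function groupByReason(findings) {
  const groups = {};
  for (const f of findings) (groups[f.reason] = groups[f.reason] || []).push(f.sysId);
  return groups;
}

console.log(groupByReason(parseCertReport(SAMPLE)));
```

Expired trust store entries are usually safe to deactivate, while an `unloadable` keystore (as in the SAML 2.0 SP Keystore log above) may still be referenced by a live integration and deserves a check before step 4.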